[Cluster-devel] Re: [PATCH 1/2] NLM failover unlock commands

J. Bruce Fields bfields at fieldses.org
Thu Jan 24 21:40:29 UTC 2008


On Thu, Jan 24, 2008 at 04:06:49PM -0500, Wendy Cheng wrote:
> J. Bruce Fields wrote:
>> On Thu, Jan 24, 2008 at 02:45:37PM -0500, Wendy Cheng wrote:
>>   
>>> J. Bruce Fields wrote:
>>>     
>>>> In practice, it seems that both the unlock_ip and unlock_pathname
>>>> methods that revoke locks are going to be called together.  The two
>>>> separate calls therefore seem a little redundant.  The reason we *need*
>>>> both is that it's possible that a misconfigured client could grab locks
>>>> for a (server ip, export) combination that it isn't supposed to.
>>>>         
>>> That is not a correct assumption. The two commands (unlock_ip and
>>> unlock_pathname) are not necessarily called together. It is ok for
>>> local filesystem (ext3) but not for cluster filesystem where the
>>> very same filesystem (or subtree) can be exported from multiple
>>> servers using different subtrees.
>>>
>>
>> Ouch.  Are people really doing that, and why?  What happens if the
>> subtrees share files (because of hard links) that are locked from both
>> nodes?
>>   
>
> It is *more* common than you would expect - say server1 exports
> "/mnt/gfs/maildir/namea-j" and server2 exports
> "/mnt/gfs/maildir/namek-z".

I believe it, but how hard would it be for them to just set those up as
separate partitions?

I'm really not fond of exports of subdirectories of filesystems, mainly
because I'm worried that many administrators don't understand the
security issue (which is that they probably are exposing the whole
filesystem when they export a subdirectory).

--b.
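A defender-side check for the subdirectory-export concern raised above, added here as an example and not code from this thread or from any NFS project. It assumes the Linux `/etc/exports` and `/proc/mounts` formats and works on constructed sample data (including the maildir subtrees from Wendy's example); the point is to list exports that sit below a mount point, since a client holding a file handle on such an export is effectively working against the whole underlying filesystem.

```python
"""Flag NFS exports that are subdirectories of a mounted filesystem.

Assumptions (not from the thread): exports use /etc/exports syntax and
mount points come from /proc/mounts. All sample data is constructed.
"""
import posixpath

# Constructed /proc/mounts excerpt: "device mountpoint fstype options 0 0"
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/mapper/vg-gfs /mnt/gfs gfs rw 0 0
/dev/sdb1 /srv/exports ext3 rw 0 0
"""

# Constructed /etc/exports excerpt: the two maildir subtrees from the
# thread, plus one export that sits exactly on a mount point.
SAMPLE_EXPORTS = """\
/mnt/gfs/maildir/namea-j  server1-clients(rw,sync)
/mnt/gfs/maildir/namek-z  server2-clients(rw,sync)
/srv/exports              *(ro,no_subtree_check)
"""

def parse_mount_points(mounts_text):
    """Return the set of mount points listed in /proc/mounts text."""
    points = set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            points.add(posixpath.normpath(fields[1]))
    return points

def parse_export_paths(exports_text):
    """Return export paths from /etc/exports text, skipping comments."""
    paths = []
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            paths.append(posixpath.normpath(line.split()[0]))
    return paths

def find_subtree_exports(exports_text, mounts_text):
    """Map each export that is not itself a mount point to the filesystem
    it lives on: that whole filesystem is what the export really exposes."""
    mounts = parse_mount_points(mounts_text)
    findings = {}
    for path in parse_export_paths(exports_text):
        if path in mounts:
            continue  # exporting a mount point exposes only that filesystem
        # Longest mount point that is an ancestor of the export path.
        ancestors = [m for m in mounts if path.startswith(m.rstrip("/") + "/")]
        findings[path] = max(ancestors, key=len)
    return findings

if __name__ == "__main__":
    for export, fs in find_subtree_exports(SAMPLE_EXPORTS, SAMPLE_MOUNTS).items():
        print(f"{export}: subtree export of {fs}")
```

On a real server, feed it the contents of `/etc/exports` and `/proc/mounts`; each reported path is a candidate for moving onto its own filesystem, as suggested above.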
