fs/affs/namei.c | 1 + fs/befs/linuxvfs.c | 1 + fs/btrfs/export.c | 1 + fs/ceph/export.c | 1 + fs/efs/super.c | 1 + fs/erofs/super.c | 1 + fs/ext2/super.c | 1 + fs/ext4/super.c | 1 + fs/f2fs/super.c | 1 + fs/fat/nfs.c | 2 ++ fs/fuse/inode.c | 2 ++ fs/gfs2/export.c | 1 + fs/isofs/export.c | 1 + fs/jffs2/super.c | 1 + fs/jfs/super.c | 1 + fs/nfs/export.c | 3 ++- fs/nfsd/nfsfh.c | 4 ++++ fs/nilfs2/namei.c | 1 + fs/ntfs3/super.c | 1 + fs/ocfs2/export.c | 1 + fs/orangefs/super.c | 1 + fs/overlayfs/export.c | 2 ++ fs/smb/client/export.c | 1 + fs/squashfs/export.c | 3 ++- fs/udf/namei.c | 1 + fs/ufs/super.c | 1 + fs/xfs/xfs_export.c | 1 + include/linux/exportfs.h | 16 +++++++++------- mm/shmem.c | 1 + 29 files changed, 45 insertions(+), 9 deletions(-)
In recent years, a number of filesystems that can't present stable
filehandles have grown struct export_operations. They've mostly done
this for local use-cases (enabling open_by_handle_at() and the like).
Unfortunately, having export_operations is generally sufficient to make
a filesystem be considered exportable via nfsd, but that requires that
the server present stable filehandles.
This patchset declares a new EXPORT_OP_STABLE_HANDLES flag, adds it to
all of the filesystems that have stable filehandles, and then adds a
check in nfsd to ensure that that flag is set for any filesystem to
which it has been presented a handle. When a filesystem doesn't have
this flag, it will treat the filehandle as stale.
Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
Jeff Layton (29):
exportfs: add new EXPORT_OP_STABLE_HANDLES flag
tmpfs: add EXPORT_OP_STABLE_HANDLES flag to export operations
ext4: add EXPORT_OP_STABLE_HANDLES flag to export operations
ext2: add EXPORT_OP_STABLE_HANDLES flag to export operations
erofs: add EXPORT_OP_STABLE_HANDLES flag to export operations
efs: add EXPORT_OP_STABLE_HANDLES flag to export operations
xfs: add EXPORT_OP_STABLE_HANDLES flag to export operations
ceph: add EXPORT_OP_STABLE_HANDLES flag to export operations
btrfs: add EXPORT_OP_STABLE_HANDLES flag to export operations
befs: add EXPORT_OP_STABLE_HANDLES flag to export operations
ufs: add EXPORT_OP_STABLE_HANDLES flag to export operations
udf: add EXPORT_OP_STABLE_HANDLES flag to export operations
affs: add EXPORT_OP_STABLE_HANDLES flag to export operations
squashfs: add EXPORT_OP_STABLE_HANDLES flag to export operations
smb/client: add EXPORT_OP_STABLE_HANDLES flag to export operations
ovl: add EXPORT_OP_STABLE_HANDLES flag to export operations
orangefs: add EXPORT_OP_STABLE_HANDLES flag to export operations
ocfs2: add EXPORT_OP_STABLE_HANDLES flag to export operations
ntfs3: add EXPORT_OP_STABLE_HANDLES flag to export operations
nilfs2: add EXPORT_OP_STABLE_HANDLES flag to export operations
nfs: add EXPORT_OP_STABLE_HANDLES flag to export operations
jfs: add EXPORT_OP_STABLE_HANDLES flag to export operations
jffs2: add EXPORT_OP_STABLE_HANDLES flag to export operations
isofs: add EXPORT_OP_STABLE_HANDLES flag to export operations
gfs2: add EXPORT_OP_STABLE_HANDLES flag to export operations
fuse: add EXPORT_OP_STABLE_HANDLES flag to export operations
fat: add EXPORT_OP_STABLE_HANDLES flag to export operations
f2fs: add EXPORT_OP_STABLE_HANDLES flag to export operations
nfsd: only allow filesystems that set EXPORT_OP_STABLE_HANDLES
fs/affs/namei.c | 1 +
fs/befs/linuxvfs.c | 1 +
fs/btrfs/export.c | 1 +
fs/ceph/export.c | 1 +
fs/efs/super.c | 1 +
fs/erofs/super.c | 1 +
fs/ext2/super.c | 1 +
fs/ext4/super.c | 1 +
fs/f2fs/super.c | 1 +
fs/fat/nfs.c | 2 ++
fs/fuse/inode.c | 2 ++
fs/gfs2/export.c | 1 +
fs/isofs/export.c | 1 +
fs/jffs2/super.c | 1 +
fs/jfs/super.c | 1 +
fs/nfs/export.c | 3 ++-
fs/nfsd/nfsfh.c | 4 ++++
fs/nilfs2/namei.c | 1 +
fs/ntfs3/super.c | 1 +
fs/ocfs2/export.c | 1 +
fs/orangefs/super.c | 1 +
fs/overlayfs/export.c | 2 ++
fs/smb/client/export.c | 1 +
fs/squashfs/export.c | 3 ++-
fs/udf/namei.c | 1 +
fs/ufs/super.c | 1 +
fs/xfs/xfs_export.c | 1 +
include/linux/exportfs.h | 16 +++++++++-------
mm/shmem.c | 1 +
29 files changed, 45 insertions(+), 9 deletions(-)
---
base-commit: c537e12daeecaecdcd322c56a5f70659d2de7bde
change-id: 20260114-exportfs-nfsd-12515072e9a9
Best regards,
--
Jeff Layton <jlayton@kernel.org>
On Thu, Jan 15, 2026 at 6:48 PM Jeff Layton <jlayton@kernel.org> wrote: > > In recent years, a number of filesystems that can't present stable > filehandles have grown struct export_operations. They've mostly done > this for local use-cases (enabling open_by_handle_at() and the like). > Unfortunately, having export_operations is generally sufficient to make > a filesystem be considered exportable via nfsd, but that requires that > the server present stable filehandles. Where does the term "stable file handles" come from? and what does it mean? Why not "persistent handles", which is described in NFS and SMB specs? Not to mention that EXPORT_OP_PERSISTENT_HANDLES was Acked by both Christoph and Christian: https://lore.kernel.org/linux-fsdevel/20260115-rundgang-leihgabe-12018e93c00c@brauner/ Am I missing anything? Thanks, Amir.
On Thu, 2026-01-15 at 19:17 +0100, Amir Goldstein wrote: > On Thu, Jan 15, 2026 at 6:48 PM Jeff Layton <jlayton@kernel.org> wrote: > > > > In recent years, a number of filesystems that can't present stable > > filehandles have grown struct export_operations. They've mostly done > > this for local use-cases (enabling open_by_handle_at() and the like). > > Unfortunately, having export_operations is generally sufficient to make > > a filesystem be considered exportable via nfsd, but that requires that > > the server present stable filehandles. > > Where does the term "stable file handles" come from? and what does it mean? > Why not "persistent handles", which is described in NFS and SMB specs? > > Not to mention that EXPORT_OP_PERSISTENT_HANDLES was Acked > by both Christoph and Christian: > > https://lore.kernel.org/linux-fsdevel/20260115-rundgang-leihgabe-12018e93c00c@brauner/ > > Am I missing anything? > This was Chuck's suggested name. His point was that STABLE means that the FH's don't change during the lifetime of the file. I don't much care about the flag name, so if everyone likes PERSISTENT better I'll roll with that. Also, on the ovl patch: will fix... Thanks for the review! -- Jeff Layton <jlayton@kernel.org>
On Fri, 16 Jan 2026, Jeff Layton wrote: > On Thu, 2026-01-15 at 19:17 +0100, Amir Goldstein wrote: > > On Thu, Jan 15, 2026 at 6:48 PM Jeff Layton <jlayton@kernel.org> wrote: > > > > > > In recent years, a number of filesystems that can't present stable > > > filehandles have grown struct export_operations. They've mostly done > > > this for local use-cases (enabling open_by_handle_at() and the like). > > > Unfortunately, having export_operations is generally sufficient to make > > > a filesystem be considered exportable via nfsd, but that requires that > > > the server present stable filehandles. > > > > Where does the term "stable file handles" come from? and what does it mean? > > Why not "persistent handles", which is described in NFS and SMB specs? > > > > Not to mention that EXPORT_OP_PERSISTENT_HANDLES was Acked > > by both Christoph and Christian: > > > > https://lore.kernel.org/linux-fsdevel/20260115-rundgang-leihgabe-12018e93c00c@brauner/ > > > > Am I missing anything? > > > > This was Chuck's suggested name. His point was that STABLE means that > the FH's don't change during the lifetime of the file. > > I don't much care about the flag name, so if everyone likes PERSISTENT > better I'll roll with that. I don't like PERSISTENT. I'd rather call a spade a spade. EXPORT_OP_SUPPORTS_NFS_EXPORT or EXPORT_OP_NOT_NFS_COMPATIBLE The issue here is NFS export and indirection doesn't bring any benefits. NeilBrown > > Also, on the ovl patch: will fix... > > Thanks for the review! > -- > Jeff Layton <jlayton@kernel.org> >
On Mon, Jan 19, 2026 at 10:23:13AM +1100, NeilBrown wrote: > > This was Chuck's suggested name. His point was that STABLE means that > > the FH's don't change during the lifetime of the file. > > > > I don't much care about the flag name, so if everyone likes PERSISTENT > > better I'll roll with that. > > I don't like PERSISTENT. > I'd rather call a spade a spade. > > EXPORT_OP_SUPPORTS_NFS_EXPORT > or > EXPORT_OP_NOT_NFS_COMPATIBLE > > The issue here is NFS export and indirection doesn't bring any benefits. No, it absolutely is not. And the whole concept of calling something after the initial or main use is a recipe for a mess. Pick a name that conveys what the flag is about, and document those semantics well. This flag is about the fact that for a given file, as long as that file exists in the file system the handle is stable. Both stable and persistent are suitable for that, nfs is everything but. Remember nfs also support volatile file handles, and other applications might rely on this (I know of quite a few user space applications that do, but they are kinda hardwired to xfs anyway).
On Mon, 19 Jan 2026, Christoph Hellwig wrote: > On Mon, Jan 19, 2026 at 10:23:13AM +1100, NeilBrown wrote: > > > This was Chuck's suggested name. His point was that STABLE means that > > > the FH's don't change during the lifetime of the file. > > > > > > I don't much care about the flag name, so if everyone likes PERSISTENT > > > better I'll roll with that. > > > > I don't like PERSISTENT. > > I'd rather call a spade a spade. > > > > EXPORT_OP_SUPPORTS_NFS_EXPORT > > or > > EXPORT_OP_NOT_NFS_COMPATIBLE > > > > The issue here is NFS export and indirection doesn't bring any benefits. > > No, it absolutely is not. And the whole concept of calling something > after the initial or main use is a recipe for a mess. We are calling it for it's only use. If there was ever another use, we could change the name if that made sense. It is not a public name, it is easy to change. > > Pick a name that conveys what the flag is about, and document those > semantics well. This flag is about the fact that for a given file, > as long as that file exists in the file system the handle is stable. > Both stable and persistent are suitable for that, nfs is everything > but. My understanding is that kernfs would not get the flag. kernfs filehandles do not change as long as the file exist. But this is not sufficient for the files to be usefully exported. I suspect kernfs does re-use filehandles relatively soon after the file/object has been destroyed. Maybe that is the real problem here: filehandle reuse, not filehandle stability. Jeff: could you please give details (and preserve them in future cover letters) of which filesystems are known to have problems and what exactly those problems are? > > Remember nfs also support volatile file handles, and other applications > might rely on this (I know of quite a few user space applications that > do, but they are kinda hardwired to xfs anyway). The NFS protocol supports volatile file handles. knfsd does not. So maybe EXPORT_OP_NOT_NFSD_COMPATIBLE might be better. or EXPORT_OP_NOT_LINUX_NFSD_COMPATIBLE. (I prefer opt-out rather than opt-in because nfsd export was the original purpose of export_operations, but it isn't something I would fight for) NeilBrown
On Mon, 2026-01-19 at 18:22 +1100, NeilBrown wrote: > On Mon, 19 Jan 2026, Christoph Hellwig wrote: > > On Mon, Jan 19, 2026 at 10:23:13AM +1100, NeilBrown wrote: > > > > This was Chuck's suggested name. His point was that STABLE means that > > > > the FH's don't change during the lifetime of the file. > > > > > > > > I don't much care about the flag name, so if everyone likes PERSISTENT > > > > better I'll roll with that. > > > > > > I don't like PERSISTENT. > > > I'd rather call a spade a spade. > > > > > > EXPORT_OP_SUPPORTS_NFS_EXPORT > > > or > > > EXPORT_OP_NOT_NFS_COMPATIBLE > > > > > > The issue here is NFS export and indirection doesn't bring any benefits. > > > > No, it absolutely is not. And the whole concept of calling something > > after the initial or main use is a recipe for a mess. > > We are calling it for it's only use. If there was ever another use, we > could change the name if that made sense. It is not a public name, it > is easy to change. > > > > > Pick a name that conveys what the flag is about, and document those > > semantics well. This flag is about the fact that for a given file, > > as long as that file exists in the file system the handle is stable. > > Both stable and persistent are suitable for that, nfs is everything > > but. > > My understanding is that kernfs would not get the flag. > kernfs filehandles do not change as long as the file exist. > But this is not sufficient for the files to be usefully exported. > > I suspect kernfs does re-use filehandles relatively soon after the > file/object has been destroyed. Maybe that is the real problem here: > filehandle reuse, not filehandle stability. > > Jeff: could you please give details (and preserve them in future cover > letters) of which filesystems are known to have problems and what > exactly those problems are? > The only one I'm aware of at the moment is cgroupfs. sb->s_export_op gets populated on that fs, so it's exportable via nfsd. Its fs does not show up under the v4 pseudoroot, but you can mount /sys/fs/cgroup with v3 if it's specifically exported. Directories seem to work properly (I can ls and cd around in there), but the files all come back empty when read. I didn't play around with trying to write to any of them. I didn't do a lot of investigation here, since I didn't actually expect it to work properly. > > > > Remember nfs also support volatile file handles, and other applications > > might rely on this (I know of quite a few user space applications that > > do, but they are kinda hardwired to xfs anyway). > > The NFS protocol supports volatile file handles. knfsd does not. > So maybe > EXPORT_OP_NOT_NFSD_COMPATIBLE > might be better. or EXPORT_OP_NOT_LINUX_NFSD_COMPATIBLE. > (I prefer opt-out rather than opt-in because nfsd export was the > original purpose of export_operations, but it isn't something > I would fight for) > The whole point of this is to make nfsd export an opt-in in. Exporting via NFS is something that filesystem developers need to consider carefully. cgroupfs is not that big a worry. My bigger concern is new filesystems being added that do add this for local access and become exportable without vetting that they will actually work correctly (well, that and FUSE exportability, which is a bigger can of worms). There is another approach we could consider: We could move the export_operations that are needed for local filehandle access into a new struct filehandle_operations or something. It does mean adding an extra pointer to the super_block for the new operations vector, but it might be more intuitive. -- Jeff Layton <jlayton@kernel.org>
On Mon, 19 Jan 2026, Jeff Layton wrote: > > There is another approach we could consider: We could move the > export_operations that are needed for local filehandle access into a > new struct filehandle_operations or something. It does mean adding an > extra pointer to the super_block for the new operations vector, but it > might be more intuitive. If that sort of change were seen to be valuable, I would rather not create a filehandle_operations but merge some (or all) of export_operations into super_operations. Maybe then the existence of s_export_op would return to mean "NFS export supported" even if it is empty. Thanks, NeilBrown
On Mon, Jan 19, 2026 at 06:22:42PM +1100, NeilBrown wrote: > On Mon, 19 Jan 2026, Christoph Hellwig wrote: > > On Mon, Jan 19, 2026 at 10:23:13AM +1100, NeilBrown wrote: > > > > This was Chuck's suggested name. His point was that STABLE means that > > > > the FH's don't change during the lifetime of the file. > > > > > > > > I don't much care about the flag name, so if everyone likes PERSISTENT > > > > better I'll roll with that. > > > > > > I don't like PERSISTENT. > > > I'd rather call a spade a spade. > > > > > > EXPORT_OP_SUPPORTS_NFS_EXPORT > > > or > > > EXPORT_OP_NOT_NFS_COMPATIBLE > > > > > > The issue here is NFS export and indirection doesn't bring any benefits. > > > > No, it absolutely is not. And the whole concept of calling something > > after the initial or main use is a recipe for a mess. > > We are calling it for it's only use. If there was ever another use, we > could change the name if that made sense. It is not a public name, it > is easy to change. > > > > > Pick a name that conveys what the flag is about, and document those > > semantics well. This flag is about the fact that for a given file, > > as long as that file exists in the file system the handle is stable. > > Both stable and persistent are suitable for that, nfs is everything > > but. > > My understanding is that kernfs would not get the flag. > kernfs filehandles do not change as long as the file exist. > But this is not sufficient for the files to be usefully exported. > > I suspect kernfs does re-use filehandles relatively soon after the > file/object has been destroyed. Maybe that is the real problem here: > filehandle reuse, not filehandle stability. > > Jeff: could you please give details (and preserve them in future cover > letters) of which filesystems are known to have problems and what > exactly those problems are? > > > > > Remember nfs also support volatile file handles, and other applications > > might rely on this (I know of quite a few user space applications that > > do, but they are kinda hardwired to xfs anyway). > > The NFS protocol supports volatile file handles. knfsd does not. > So maybe > EXPORT_OP_NOT_NFSD_COMPATIBLE > might be better. or EXPORT_OP_NOT_LINUX_NFSD_COMPATIBLE. > (I prefer opt-out rather than opt-in because nfsd export was the > original purpose of export_operations, but it isn't something > I would fight for) I prefer one of the variants you proposed here but I don't particularly care. It's not a hill worth dying on. So if Christoph insists on the other name then I say let's just go with it.
On Mon, 19 Jan 2026, Christian Brauner wrote: > On Mon, Jan 19, 2026 at 06:22:42PM +1100, NeilBrown wrote: > > On Mon, 19 Jan 2026, Christoph Hellwig wrote: > > > On Mon, Jan 19, 2026 at 10:23:13AM +1100, NeilBrown wrote: > > > > > This was Chuck's suggested name. His point was that STABLE means that > > > > > the FH's don't change during the lifetime of the file. > > > > > > > > > > I don't much care about the flag name, so if everyone likes PERSISTENT > > > > > better I'll roll with that. > > > > > > > > I don't like PERSISTENT. > > > > I'd rather call a spade a spade. > > > > > > > > EXPORT_OP_SUPPORTS_NFS_EXPORT > > > > or > > > > EXPORT_OP_NOT_NFS_COMPATIBLE > > > > > > > > The issue here is NFS export and indirection doesn't bring any benefits. > > > > > > No, it absolutely is not. And the whole concept of calling something > > > after the initial or main use is a recipe for a mess. > > > > We are calling it for it's only use. If there was ever another use, we > > could change the name if that made sense. It is not a public name, it > > is easy to change. > > > > > > > > Pick a name that conveys what the flag is about, and document those > > > semantics well. This flag is about the fact that for a given file, > > > as long as that file exists in the file system the handle is stable. > > > Both stable and persistent are suitable for that, nfs is everything > > > but. > > > > My understanding is that kernfs would not get the flag. > > kernfs filehandles do not change as long as the file exist. > > But this is not sufficient for the files to be usefully exported. > > > > I suspect kernfs does re-use filehandles relatively soon after the > > file/object has been destroyed. Maybe that is the real problem here: > > filehandle reuse, not filehandle stability. > > > > Jeff: could you please give details (and preserve them in future cover > > letters) of which filesystems are known to have problems and what > > exactly those problems are? > > > > > > > > Remember nfs also support volatile file handles, and other applications > > > might rely on this (I know of quite a few user space applications that > > > do, but they are kinda hardwired to xfs anyway). > > > > The NFS protocol supports volatile file handles. knfsd does not. > > So maybe > > EXPORT_OP_NOT_NFSD_COMPATIBLE > > might be better. or EXPORT_OP_NOT_LINUX_NFSD_COMPATIBLE. > > (I prefer opt-out rather than opt-in because nfsd export was the > > original purpose of export_operations, but it isn't something > > I would fight for) > > I prefer one of the variants you proposed here but I don't particularly > care. It's not a hill worth dying on. So if Christoph insists on the > other name then I say let's just go with it. > This sounds like you are recommending that we give in to bullying. I would rather the decision be made based on the facts of the case, not the opinions that are stated most bluntly. I actually think that what Christoph wants is actually quite different from what Jeff wants, and maybe two flags are needed. But I don't yet have a clear understanding of what Christoph wants, so I cannot be sure. NeilBrown
On Tue, Jan 20, 2026 at 07:45:35AM +1100, NeilBrown wrote: > On Mon, 19 Jan 2026, Christian Brauner wrote: > > On Mon, Jan 19, 2026 at 06:22:42PM +1100, NeilBrown wrote: > > > On Mon, 19 Jan 2026, Christoph Hellwig wrote: > > > > On Mon, Jan 19, 2026 at 10:23:13AM +1100, NeilBrown wrote: > > > > > > This was Chuck's suggested name. His point was that STABLE means that > > > > > > the FH's don't change during the lifetime of the file. > > > > > > > > > > > > I don't much care about the flag name, so if everyone likes PERSISTENT > > > > > > better I'll roll with that. > > > > > > > > > > I don't like PERSISTENT. > > > > > I'd rather call a spade a spade. > > > > > > > > > > EXPORT_OP_SUPPORTS_NFS_EXPORT > > > > > or > > > > > EXPORT_OP_NOT_NFS_COMPATIBLE > > > > > > > > > > The issue here is NFS export and indirection doesn't bring any benefits. > > > > > > > > No, it absolutely is not. And the whole concept of calling something > > > > after the initial or main use is a recipe for a mess. > > > > > > We are calling it for it's only use. If there was ever another use, we > > > could change the name if that made sense. It is not a public name, it > > > is easy to change. > > > > > > > > > > > Pick a name that conveys what the flag is about, and document those > > > > semantics well. This flag is about the fact that for a given file, > > > > as long as that file exists in the file system the handle is stable. > > > > Both stable and persistent are suitable for that, nfs is everything > > > > but. > > > > > > My understanding is that kernfs would not get the flag. > > > kernfs filehandles do not change as long as the file exist. > > > But this is not sufficient for the files to be usefully exported. > > > > > > I suspect kernfs does re-use filehandles relatively soon after the > > > file/object has been destroyed. Maybe that is the real problem here: > > > filehandle reuse, not filehandle stability. > > > > > > Jeff: could you please give details (and preserve them in future cover > > > letters) of which filesystems are known to have problems and what > > > exactly those problems are? > > > > > > > > > > > Remember nfs also support volatile file handles, and other applications > > > > might rely on this (I know of quite a few user space applications that > > > > do, but they are kinda hardwired to xfs anyway). > > > > > > The NFS protocol supports volatile file handles. knfsd does not. > > > So maybe > > > EXPORT_OP_NOT_NFSD_COMPATIBLE > > > might be better. or EXPORT_OP_NOT_LINUX_NFSD_COMPATIBLE. > > > (I prefer opt-out rather than opt-in because nfsd export was the > > > original purpose of export_operations, but it isn't something > > > I would fight for) > > > > I prefer one of the variants you proposed here but I don't particularly > > care. It's not a hill worth dying on. So if Christoph insists on the > > other name then I say let's just go with it. > > > > This sounds like you are recommending that we give in to bullying. > I would rather the decision be made based on the facts of the case, not > the opinions that are stated most bluntly. > > I actually think that what Christoph wants is actually quite different > from what Jeff wants, and maybe two flags are needed. But I don't yet > have a clear understanding of what Christoph wants, so I cannot be sure. I've tried to indirectly ask whether you would be willing to compromise here or whether you want to insist on your alternative name. Apparently that didn't come through. I'm unclear what your goal is in suggesting that I recommend "we" give into bullying. All it achieved was to further derail this thread. I also think it's not very helpful at v6 of the discussion to start figuring out what the actual key rift between Jeff's and Christoph's position is. If you've figured it out and gotten an agreement and this is already in, send a follow-up series. If I don't like it I can always just rename it to EXPORT_OP_DONKEY_KONG when applying.
On Tue, Jan 20, 2026 at 10:04:02AM +0100, Christian Brauner wrote: > > I actually think that what Christoph wants is actually quite different > > from what Jeff wants, and maybe two flags are needed. But I don't yet > > have a clear understanding of what Christoph wants, so I cannot be sure. > > I've tried to indirectly ask whether you would be willing to compromise > here or whether you want to insist on your alternative name. Apparently > that didn't come through. Btw, I don't think the name is the primary problem, as we seem to disagree even about the problem space. The current patch series from Jeff helps with the stable handle problem, which is an important one, although maybe not the one you and Amir care about most. I care about it most, because the addition of unstable handles caused problems and I really want that fixed before it spreads further, and I think anything mentioning NFS in that is factually wrong. If we need additional flags to work around other issues (as in the list compiled by Neil) I'd still prefer them to be named about what issues they deal with, but folks get too tired of that I could probably with a "NFSD get the f^&&& out" name if we'd just keep shouting at each other otherwise.
On Tue, 20 Jan 2026, Christian Brauner wrote: > On Tue, Jan 20, 2026 at 07:45:35AM +1100, NeilBrown wrote: > > On Mon, 19 Jan 2026, Christian Brauner wrote: > > > On Mon, Jan 19, 2026 at 06:22:42PM +1100, NeilBrown wrote: > > > > On Mon, 19 Jan 2026, Christoph Hellwig wrote: > > > > > On Mon, Jan 19, 2026 at 10:23:13AM +1100, NeilBrown wrote: > > > > > > > This was Chuck's suggested name. His point was that STABLE means that > > > > > > > the FH's don't change during the lifetime of the file. > > > > > > > > > > > > > > I don't much care about the flag name, so if everyone likes PERSISTENT > > > > > > > better I'll roll with that. > > > > > > > > > > > > I don't like PERSISTENT. > > > > > > I'd rather call a spade a spade. > > > > > > > > > > > > EXPORT_OP_SUPPORTS_NFS_EXPORT > > > > > > or > > > > > > EXPORT_OP_NOT_NFS_COMPATIBLE > > > > > > > > > > > > The issue here is NFS export and indirection doesn't bring any benefits. > > > > > > > > > > No, it absolutely is not. And the whole concept of calling something > > > > > after the initial or main use is a recipe for a mess. > > > > > > > > We are calling it for it's only use. If there was ever another use, we > > > > could change the name if that made sense. It is not a public name, it > > > > is easy to change. > > > > > > > > > > > > > > Pick a name that conveys what the flag is about, and document those > > > > > semantics well. This flag is about the fact that for a given file, > > > > > as long as that file exists in the file system the handle is stable. > > > > > Both stable and persistent are suitable for that, nfs is everything > > > > > but. > > > > > > > > My understanding is that kernfs would not get the flag. > > > > kernfs filehandles do not change as long as the file exist. > > > > But this is not sufficient for the files to be usefully exported. > > > > > > > > I suspect kernfs does re-use filehandles relatively soon after the > > > > file/object has been destroyed. Maybe that is the real problem here: > > > > filehandle reuse, not filehandle stability. > > > > > > > > Jeff: could you please give details (and preserve them in future cover > > > > letters) of which filesystems are known to have problems and what > > > > exactly those problems are? > > > > > > > > > > > > > > Remember nfs also support volatile file handles, and other applications > > > > > might rely on this (I know of quite a few user space applications that > > > > > do, but they are kinda hardwired to xfs anyway). > > > > > > > > The NFS protocol supports volatile file handles. knfsd does not. > > > > So maybe > > > > EXPORT_OP_NOT_NFSD_COMPATIBLE > > > > might be better. or EXPORT_OP_NOT_LINUX_NFSD_COMPATIBLE. > > > > (I prefer opt-out rather than opt-in because nfsd export was the > > > > original purpose of export_operations, but it isn't something > > > > I would fight for) > > > > > > I prefer one of the variants you proposed here but I don't particularly > > > care. It's not a hill worth dying on. So if Christoph insists on the > > > other name then I say let's just go with it. > > > > > > > This sounds like you are recommending that we give in to bullying. > > I would rather the decision be made based on the facts of the case, not > > the opinions that are stated most bluntly. > > > > I actually think that what Christoph wants is actually quite different > > from what Jeff wants, and maybe two flags are needed. But I don't yet > > have a clear understanding of what Christoph wants, so I cannot be sure. > > I've tried to indirectly ask whether you would be willing to compromise > here or whether you want to insist on your alternative name. Apparently > that didn't come through. This would be the "not a hill worthy dying on" part of your statement. I think I see that implication now. But no, I don't think compromise is relevant. I think the problem statement as originally given by Jeff is misleading, and people have been misled to an incorrect name. > > I'm unclear what your goal is in suggesting that I recommend "we" give > into bullying. All it achieved was to further derail this thread. > The "We" is the same as the "us" in "let's just go with it". > I also think it's not very helpful at v6 of the discussion to start > figuring out what the actual key rift between Jeff's and Christoph's > position is. If you've figured it out and gotten an agreement and this > is already in, send a follow-up series. v6? v2 was posted today. But maybe you are referring the some other precursors. The introductory statement in v2 is This patchset adds a flag that indicates whether the filesystem supports stable filehandles (i.e. that they don't change over the life of the file). It then makes any filesystem that doesn't set that flag ineligible for nfsd export. Nobody else questioned the validity of that. I do. No evidence was given that there are *any* filesystems that don't support stable filehandles. The only filesystem mentioned is cgroups and it DOES provide stable filehandles. NeilBrown
On Tue, Jan 20, 2026 at 08:41:50PM +1100, NeilBrown wrote: > On Tue, 20 Jan 2026, Christian Brauner wrote: > > On Tue, Jan 20, 2026 at 07:45:35AM +1100, NeilBrown wrote: > > > On Mon, 19 Jan 2026, Christian Brauner wrote: > > > > On Mon, Jan 19, 2026 at 06:22:42PM +1100, NeilBrown wrote: > > > > > On Mon, 19 Jan 2026, Christoph Hellwig wrote: > > > > > > On Mon, Jan 19, 2026 at 10:23:13AM +1100, NeilBrown wrote: > > > > > > > > This was Chuck's suggested name. His point was that STABLE means that > > > > > > > > the FH's don't change during the lifetime of the file. > > > > > > > > > > > > > > > > I don't much care about the flag name, so if everyone likes PERSISTENT > > > > > > > > better I'll roll with that. > > > > > > > > > > > > > > I don't like PERSISTENT. > > > > > > > I'd rather call a spade a spade. > > > > > > > > > > > > > > EXPORT_OP_SUPPORTS_NFS_EXPORT > > > > > > > or > > > > > > > EXPORT_OP_NOT_NFS_COMPATIBLE > > > > > > > > > > > > > > The issue here is NFS export and indirection doesn't bring any benefits. > > > > > > > > > > > > No, it absolutely is not. And the whole concept of calling something > > > > > > after the initial or main use is a recipe for a mess. > > > > > > > > > > We are calling it for it's only use. If there was ever another use, we > > > > > could change the name if that made sense. It is not a public name, it > > > > > is easy to change. > > > > > > > > > > > > > > > > > Pick a name that conveys what the flag is about, and document those > > > > > > semantics well. This flag is about the fact that for a given file, > > > > > > as long as that file exists in the file system the handle is stable. > > > > > > Both stable and persistent are suitable for that, nfs is everything > > > > > > but. > > > > > > > > > > My understanding is that kernfs would not get the flag. > > > > > kernfs filehandles do not change as long as the file exist. > > > > > But this is not sufficient for the files to be usefully exported. > > > > > > > > > > I suspect kernfs does re-use filehandles relatively soon after the > > > > > file/object has been destroyed. Maybe that is the real problem here: > > > > > filehandle reuse, not filehandle stability. > > > > > > > > > > Jeff: could you please give details (and preserve them in future cover > > > > > letters) of which filesystems are known to have problems and what > > > > > exactly those problems are? > > > > > > > > > > > > > > > > > Remember nfs also support volatile file handles, and other applications > > > > > > might rely on this (I know of quite a few user space applications that > > > > > > do, but they are kinda hardwired to xfs anyway). > > > > > > > > > > The NFS protocol supports volatile file handles. knfsd does not. > > > > > So maybe > > > > > EXPORT_OP_NOT_NFSD_COMPATIBLE > > > > > might be better. or EXPORT_OP_NOT_LINUX_NFSD_COMPATIBLE. > > > > > (I prefer opt-out rather than opt-in because nfsd export was the > > > > > original purpose of export_operations, but it isn't something > > > > > I would fight for) > > > > > > > > I prefer one of the variants you proposed here but I don't particularly > > > > care. It's not a hill worth dying on. So if Christoph insists on the > > > > other name then I say let's just go with it. > > > > > > > > > > This sounds like you are recommending that we give in to bullying. > > > I would rather the decision be made based on the facts of the case, not > > > the opinions that are stated most bluntly. > > > > > > I actually think that what Christoph wants is actually quite different > > > from what Jeff wants, and maybe two flags are needed. But I don't yet > > > have a clear understanding of what Christoph wants, so I cannot be sure. > > > > I've tried to indirectly ask whether you would be willing to compromise > > here or whether you want to insist on your alternative name. Apparently > > that didn't come through. > > This would be the "not a hill worthy dying on" part of your statement. > I think I see that implication now. > But no, I don't think compromise is relevant. I think the problem > statement as originally given by Jeff is misleading, and people have > been misled to an incorrect name. > > > > > I'm unclear what your goal is in suggesting that I recommend "we" give > > into bullying. All it achieved was to further derail this thread. > > > > The "We" is the same as the "us" in "let's just go with it". > > > > I also think it's not very helpful at v6 of the discussion to start > > figuring out what the actual key rift between Jeff's and Christoph's > > position is. If you've figured it out and gotten an agreement and this > > is already in, send a follow-up series. > > v6? v2 was posted today. But maybe you are referring the some other > precursors. > > The introductory statement in v2 is > > This patchset adds a flag that indicates whether the filesystem supports > stable filehandles (i.e. that they don't change over the life of the > file). It then makes any filesystem that doesn't set that flag > ineligible for nfsd export. > > Nobody else questioned the validity of that. I do. > No evidence was given that there are *any* filesystems that don't > support stable filehandles. The only filesystem mentioned is cgroups > and it DOES provide stable filehandles. Oh yes we did. And this is a merry-go-round. It is very much fine for a filesystems to support file handles without wanting to support exporting via NFS. That is especially true for in-kernel pseudo filesystems. As I've said before multiple times I want a way to allow filesystems such as pidfs and nsfs to use file handles without supporting export. Whatever that fscking flag is called at this point I fundamentally don't care. And we are reliving the same arguments over and over. I will _hard NAK_ anything that starts mandating that export of filesystems must be allowed simply because their file handles fit export criteria. I do not care whether pidfs or nsfs file handles fit the bill. They will not be exported.
On Tue, Jan 20, 2026 at 11:31:54AM +0100, Christian Brauner wrote: > It is very much fine for a filesystems to support file handles without > wanting to support exporting via NFS. That is especially true for > in-kernel pseudo filesystems. I'm still amazed at this statement. "Wanting to export" is not something for the file system to decide on in any kind of sane layering. The file systems exports features, and layers higher in the stack make use of it. We just need to be precise in describing In-kernel code will then we so nice to respect it. But for userspace even then all bets are off.
On Tue, 2026-01-20 at 11:31 +0100, Christian Brauner wrote: > On Tue, Jan 20, 2026 at 08:41:50PM +1100, NeilBrown wrote: > > On Tue, 20 Jan 2026, Christian Brauner wrote: > > > On Tue, Jan 20, 2026 at 07:45:35AM +1100, NeilBrown wrote: > > > > On Mon, 19 Jan 2026, Christian Brauner wrote: > > > > > On Mon, Jan 19, 2026 at 06:22:42PM +1100, NeilBrown wrote: > > > > > > On Mon, 19 Jan 2026, Christoph Hellwig wrote: > > > > > > > On Mon, Jan 19, 2026 at 10:23:13AM +1100, NeilBrown wrote: > > > > > > > > > This was Chuck's suggested name. His point was that STABLE means that > > > > > > > > > the FH's don't change during the lifetime of the file. > > > > > > > > > > > > > > > > > > I don't much care about the flag name, so if everyone likes PERSISTENT > > > > > > > > > better I'll roll with that. > > > > > > > > > > > > > > > > I don't like PERSISTENT. > > > > > > > > I'd rather call a spade a spade. > > > > > > > > > > > > > > > > EXPORT_OP_SUPPORTS_NFS_EXPORT > > > > > > > > or > > > > > > > > EXPORT_OP_NOT_NFS_COMPATIBLE > > > > > > > > > > > > > > > > The issue here is NFS export and indirection doesn't bring any benefits. > > > > > > > > > > > > > > No, it absolutely is not. And the whole concept of calling something > > > > > > > after the initial or main use is a recipe for a mess. > > > > > > > > > > > > We are calling it for it's only use. If there was ever another use, we > > > > > > could change the name if that made sense. It is not a public name, it > > > > > > is easy to change. > > > > > > > > > > > > > > > > > > > > Pick a name that conveys what the flag is about, and document those > > > > > > > semantics well. This flag is about the fact that for a given file, > > > > > > > as long as that file exists in the file system the handle is stable. > > > > > > > Both stable and persistent are suitable for that, nfs is everything > > > > > > > but. > > > > > > > > > > > > My understanding is that kernfs would not get the flag. > > > > > > kernfs filehandles do not change as long as the file exist. > > > > > > But this is not sufficient for the files to be usefully exported. > > > > > > > > > > > > I suspect kernfs does re-use filehandles relatively soon after the > > > > > > file/object has been destroyed. Maybe that is the real problem here: > > > > > > filehandle reuse, not filehandle stability. > > > > > > > > > > > > Jeff: could you please give details (and preserve them in future cover > > > > > > letters) of which filesystems are known to have problems and what > > > > > > exactly those problems are? > > > > > > > > > > > > > > > > > > > > Remember nfs also support volatile file handles, and other applications > > > > > > > might rely on this (I know of quite a few user space applications that > > > > > > > do, but they are kinda hardwired to xfs anyway). > > > > > > > > > > > > The NFS protocol supports volatile file handles. knfsd does not. > > > > > > So maybe > > > > > > EXPORT_OP_NOT_NFSD_COMPATIBLE > > > > > > might be better. or EXPORT_OP_NOT_LINUX_NFSD_COMPATIBLE. > > > > > > (I prefer opt-out rather than opt-in because nfsd export was the > > > > > > original purpose of export_operations, but it isn't something > > > > > > I would fight for) > > > > > > > > > > I prefer one of the variants you proposed here but I don't particularly > > > > > care. It's not a hill worth dying on. So if Christoph insists on the > > > > > other name then I say let's just go with it. > > > > > > > > > > > > > This sounds like you are recommending that we give in to bullying. > > > > I would rather the decision be made based on the facts of the case, not > > > > the opinions that are stated most bluntly. > > > > > > > > I actually think that what Christoph wants is actually quite different > > > > from what Jeff wants, and maybe two flags are needed. But I don't yet > > > > have a clear understanding of what Christoph wants, so I cannot be sure. > > > > > > I've tried to indirectly ask whether you would be willing to compromise > > > here or whether you want to insist on your alternative name. Apparently > > > that didn't come through. > > > > This would be the "not a hill worthy dying on" part of your statement. > > I think I see that implication now. > > But no, I don't think compromise is relevant. I think the problem > > statement as originally given by Jeff is misleading, and people have > > been misled to an incorrect name. > > > > > > > > I'm unclear what your goal is in suggesting that I recommend "we" give > > > into bullying. All it achieved was to further derail this thread. > > > > > > > The "We" is the same as the "us" in "let's just go with it". > > > > > > > I also think it's not very helpful at v6 of the discussion to start > > > figuring out what the actual key rift between Jeff's and Christoph's > > > position is. If you've figured it out and gotten an agreement and this > > > is already in, send a follow-up series. > > > > v6? v2 was posted today. But maybe you are referring the some other > > precursors. > > > > The introductory statement in v2 is > > > > This patchset adds a flag that indicates whether the filesystem supports > > stable filehandles (i.e. that they don't change over the life of the > > file). It then makes any filesystem that doesn't set that flag > > ineligible for nfsd export. > > > > Nobody else questioned the validity of that. I do. > > No evidence was given that there are *any* filesystems that don't > > support stable filehandles. The only filesystem mentioned is cgroups > > and it DOES provide stable filehandles. > Across reboot? Not really. It's quite possible that we may end up with the same "id" numbers in cgroupfs on a new incarnation of the filesystem after a reboot. The files in there are not the same ones as the ones before, but their filehandles may match because kernfs doesn't factor in an i_generation number. Could we fix it by adding a random i_generation value or something? Possibly, but there really isn't a good use-case that I can see for allowing cgroupfs to be exported via nfsd. Best to disallow it until someone comes up with one. > Oh yes we did. And this is a merry-go-round. > > It is very much fine for a filesystems to support file handles without > wanting to support exporting via NFS. That is especially true for > in-kernel pseudo filesystems. > > As I've said before multiple times I want a way to allow filesystems > such as pidfs and nsfs to use file handles without supporting export. > Whatever that fscking flag is called at this point I fundamentally don't > care. And we are reliving the same arguments over and over. > > I will _hard NAK_ anything that starts mandating that export of > filesystems must be allowed simply because their file handles fit export > criteria. I do not care whether pidfs or nsfs file handles fit the bill. > They will not be exported. I don't really care what we call the flag. I do care a little about what its semantics are, but the effect should be to ensure that fs maintainers make a conscious decision about whether nfsd export should be allowed on the filesystem. At this point, maybe we should just go with Neil's EXPORT_OP_SUPPORTS_NFS_EXPORT or something. It's much more arbitrary, than trying to base this on criteria about filehandle stability, but it would give us the effect we want. -- Jeff Layton <jlayton@kernel.org>
On Tue, Jan 20, 2026 at 07:50:32AM -0500, Jeff Layton wrote: > > > and it DOES provide stable filehandles. > > > > Across reboot? Not really. > > It's quite possible that we may end up with the same "id" numbers in > cgroupfs on a new incarnation of the filesystem after a reboot. The > files in there are not the same ones as the ones before, but their > filehandles may match because kernfs doesn't factor in an i_generation > number. > > Could we fix it by adding a random i_generation value or something? > Possibly, but there really isn't a good use-case that I can see for > allowing cgroupfs to be exported via nfsd. Best to disallow it until > someone comes up with one. Yeah. And I'm pretty sure everyone here will push back hard on any such use case.
On Tue, Jan 20, 2026 at 07:50:32AM -0500, Jeff Layton wrote: > At this point, maybe we should just go with Neil's > EXPORT_OP_SUPPORTS_NFS_EXPORT or something. It's much more arbitrary, > than trying to base this on criteria about filehandle stability, but it > would give us the effect we want. We'll still need a stable handles flag, and expose it to userspace to avoid applications being tricked into using broken non-stable file handles. We should have caught that when they were added, but didn't unfortunately.
On Tue, 20 Jan 2026, Jeff Layton wrote: > On Tue, 2026-01-20 at 11:31 +0100, Christian Brauner wrote: > > On Tue, Jan 20, 2026 at 08:41:50PM +1100, NeilBrown wrote: > > > On Tue, 20 Jan 2026, Christian Brauner wrote: > > > > On Tue, Jan 20, 2026 at 07:45:35AM +1100, NeilBrown wrote: > > > > > On Mon, 19 Jan 2026, Christian Brauner wrote: > > > > > > On Mon, Jan 19, 2026 at 06:22:42PM +1100, NeilBrown wrote: > > > > > > > On Mon, 19 Jan 2026, Christoph Hellwig wrote: > > > > > > > > On Mon, Jan 19, 2026 at 10:23:13AM +1100, NeilBrown wrote: > > > > > > > > > > This was Chuck's suggested name. His point was that STABLE means that > > > > > > > > > > the FH's don't change during the lifetime of the file. > > > > > > > > > > > > > > > > > > > > I don't much care about the flag name, so if everyone likes PERSISTENT > > > > > > > > > > better I'll roll with that. > > > > > > > > > > > > > > > > > > I don't like PERSISTENT. > > > > > > > > > I'd rather call a spade a spade. > > > > > > > > > > > > > > > > > > EXPORT_OP_SUPPORTS_NFS_EXPORT > > > > > > > > > or > > > > > > > > > EXPORT_OP_NOT_NFS_COMPATIBLE > > > > > > > > > > > > > > > > > > The issue here is NFS export and indirection doesn't bring any benefits. > > > > > > > > > > > > > > > > No, it absolutely is not. And the whole concept of calling something > > > > > > > > after the initial or main use is a recipe for a mess. > > > > > > > > > > > > > > We are calling it for it's only use. If there was ever another use, we > > > > > > > could change the name if that made sense. It is not a public name, it > > > > > > > is easy to change. > > > > > > > > > > > > > > > > > > > > > > > Pick a name that conveys what the flag is about, and document those > > > > > > > > semantics well. This flag is about the fact that for a given file, > > > > > > > > as long as that file exists in the file system the handle is stable. > > > > > > > > Both stable and persistent are suitable for that, nfs is everything > > > > > > > > but. > > > > > > > > > > > > > > My understanding is that kernfs would not get the flag. > > > > > > > kernfs filehandles do not change as long as the file exist. > > > > > > > But this is not sufficient for the files to be usefully exported. > > > > > > > > > > > > > > I suspect kernfs does re-use filehandles relatively soon after the > > > > > > > file/object has been destroyed. Maybe that is the real problem here: > > > > > > > filehandle reuse, not filehandle stability. > > > > > > > > > > > > > > Jeff: could you please give details (and preserve them in future cover > > > > > > > letters) of which filesystems are known to have problems and what > > > > > > > exactly those problems are? > > > > > > > > > > > > > > > > > > > > > > > Remember nfs also support volatile file handles, and other applications > > > > > > > > might rely on this (I know of quite a few user space applications that > > > > > > > > do, but they are kinda hardwired to xfs anyway). > > > > > > > > > > > > > > The NFS protocol supports volatile file handles. knfsd does not. > > > > > > > So maybe > > > > > > > EXPORT_OP_NOT_NFSD_COMPATIBLE > > > > > > > might be better. or EXPORT_OP_NOT_LINUX_NFSD_COMPATIBLE. > > > > > > > (I prefer opt-out rather than opt-in because nfsd export was the > > > > > > > original purpose of export_operations, but it isn't something > > > > > > > I would fight for) > > > > > > > > > > > > I prefer one of the variants you proposed here but I don't particularly > > > > > > care. It's not a hill worth dying on. So if Christoph insists on the > > > > > > other name then I say let's just go with it. > > > > > > > > > > > > > > > > This sounds like you are recommending that we give in to bullying. > > > > > I would rather the decision be made based on the facts of the case, not > > > > > the opinions that are stated most bluntly. > > > > > > > > > > I actually think that what Christoph wants is actually quite different > > > > > from what Jeff wants, and maybe two flags are needed. But I don't yet > > > > > have a clear understanding of what Christoph wants, so I cannot be sure. > > > > > > > > I've tried to indirectly ask whether you would be willing to compromise > > > > here or whether you want to insist on your alternative name. Apparently > > > > that didn't come through. > > > > > > This would be the "not a hill worthy dying on" part of your statement. > > > I think I see that implication now. > > > But no, I don't think compromise is relevant. I think the problem > > > statement as originally given by Jeff is misleading, and people have > > > been misled to an incorrect name. > > > > > > > > > > > I'm unclear what your goal is in suggesting that I recommend "we" give > > > > into bullying. All it achieved was to further derail this thread. > > > > > > > > > > The "We" is the same as the "us" in "let's just go with it". > > > > > > > > > > I also think it's not very helpful at v6 of the discussion to start > > > > figuring out what the actual key rift between Jeff's and Christoph's > > > > position is. If you've figured it out and gotten an agreement and this > > > > is already in, send a follow-up series. > > > > > > v6? v2 was posted today. But maybe you are referring the some other > > > precursors. > > > > > > The introductory statement in v2 is > > > > > > This patchset adds a flag that indicates whether the filesystem supports > > > stable filehandles (i.e. that they don't change over the life of the > > > file). It then makes any filesystem that doesn't set that flag > > > ineligible for nfsd export. > > > > > > Nobody else questioned the validity of that. I do. > > > No evidence was given that there are *any* filesystems that don't > > > support stable filehandles. The only filesystem mentioned is cgroups > > > and it DOES provide stable filehandles. > > > > Across reboot? Not really. Across reboot all the files are deleted and then new ones are created. So there is nothing that needs to be stable. > > It's quite possible that we may end up with the same "id" numbers in > cgroupfs on a new incarnation of the filesystem after a reboot. The > files in there are not the same ones as the ones before, but their > filehandles may match because kernfs doesn't factor in an i_generation > number. That is is about filehandle re-use, not about filehandle stability. > > Could we fix it by adding a random i_generation value or something? > Possibly, but there really isn't a good use-case that I can see for > allowing cgroupfs to be exported via nfsd. Best to disallow it until > someone comes up with one. 100% agree. > > > Oh yes we did. And this is a merry-go-round. > > > > It is very much fine for a filesystems to support file handles without > > wanting to support exporting via NFS. That is especially true for > > in-kernel pseudo filesystems. > > > > As I've said before multiple times I want a way to allow filesystems > > such as pidfs and nsfs to use file handles without supporting export. > > Whatever that fscking flag is called at this point I fundamentally don't > > care. And we are reliving the same arguments over and over. > > > > I will _hard NAK_ anything that starts mandating that export of > > filesystems must be allowed simply because their file handles fit export > > criteria. I do not care whether pidfs or nsfs file handles fit the bill. > > They will not be exported. > > I don't really care what we call the flag. I do care a little about > what its semantics are, but the effect should be to ensure that fs > maintainers make a conscious decision about whether nfsd export should > be allowed on the filesystem. Why do you need a conscious decision so much that you want to try to force it. Of course we want conscious decisions and hope they are always made, but trying to manipulate people to doing things often fails. How sure are you that fs developers won't just copy-paste some other implementation and not think about the implications of the flag? What is the down side? What is the harm from allowing export (should the admin attempt it)? If there were serious security concerns - then sure, make it harder to do the dangerous thing. But if it is just "it doesn't make sense", then there is no harm in letting people get away with not reading the documentation, and fixing things later as complaints arrive. That is generally how the process works. But if you really really want to set this new flag on almost every export_operations, can I ask that you please set it on EVERY export operations, then allow maintainers to remove it as they see fit. I think that approach would be much easier to review. With your current series it is non-trivial to determine which export_operations you have chosen not to set the flag on. If you had one patch that set it everywhere, then individual patches to remove it, that would be a lot easier to review. Thanks, NeilBrown > > At this point, maybe we should just go with Neil's > EXPORT_OP_SUPPORTS_NFS_EXPORT or something. It's much more arbitrary, > than trying to base this on criteria about filehandle stability, but it > would give us the effect we want. > > -- > Jeff Layton <jlayton@kernel.org> >
On Wed, 2026-01-21 at 14:58 +1100, NeilBrown wrote: > On Tue, 20 Jan 2026, Jeff Layton wrote: > > On Tue, 2026-01-20 at 11:31 +0100, Christian Brauner wrote: > > > On Tue, Jan 20, 2026 at 08:41:50PM +1100, NeilBrown wrote: > > > > On Tue, 20 Jan 2026, Christian Brauner wrote: > > > > > On Tue, Jan 20, 2026 at 07:45:35AM +1100, NeilBrown wrote: > > > > > > On Mon, 19 Jan 2026, Christian Brauner wrote: > > > > > > > On Mon, Jan 19, 2026 at 06:22:42PM +1100, NeilBrown wrote: > > > > > > > > On Mon, 19 Jan 2026, Christoph Hellwig wrote: > > > > > > > > > On Mon, Jan 19, 2026 at 10:23:13AM +1100, NeilBrown wrote: > > > > > > > > > > > This was Chuck's suggested name. His point was that STABLE means that > > > > > > > > > > > the FH's don't change during the lifetime of the file. > > > > > > > > > > > > > > > > > > > > > > I don't much care about the flag name, so if everyone likes PERSISTENT > > > > > > > > > > > better I'll roll with that. > > > > > > > > > > > > > > > > > > > > I don't like PERSISTENT. > > > > > > > > > > I'd rather call a spade a spade. > > > > > > > > > > > > > > > > > > > > EXPORT_OP_SUPPORTS_NFS_EXPORT > > > > > > > > > > or > > > > > > > > > > EXPORT_OP_NOT_NFS_COMPATIBLE > > > > > > > > > > > > > > > > > > > > The issue here is NFS export and indirection doesn't bring any benefits. > > > > > > > > > > > > > > > > > > No, it absolutely is not. And the whole concept of calling something > > > > > > > > > after the initial or main use is a recipe for a mess. > > > > > > > > > > > > > > > > We are calling it for it's only use. If there was ever another use, we > > > > > > > > could change the name if that made sense. It is not a public name, it > > > > > > > > is easy to change. > > > > > > > > > > > > > > > > > > > > > > > > > > Pick a name that conveys what the flag is about, and document those > > > > > > > > > semantics well. This flag is about the fact that for a given file, > > > > > > > > > as long as that file exists in the file system the handle is stable. > > > > > > > > > Both stable and persistent are suitable for that, nfs is everything > > > > > > > > > but. > > > > > > > > > > > > > > > > My understanding is that kernfs would not get the flag. > > > > > > > > kernfs filehandles do not change as long as the file exist. > > > > > > > > But this is not sufficient for the files to be usefully exported. > > > > > > > > > > > > > > > > I suspect kernfs does re-use filehandles relatively soon after the > > > > > > > > file/object has been destroyed. Maybe that is the real problem here: > > > > > > > > filehandle reuse, not filehandle stability. > > > > > > > > > > > > > > > > Jeff: could you please give details (and preserve them in future cover > > > > > > > > letters) of which filesystems are known to have problems and what > > > > > > > > exactly those problems are? > > > > > > > > > > > > > > > > > > > > > > > > > > Remember nfs also support volatile file handles, and other applications > > > > > > > > > might rely on this (I know of quite a few user space applications that > > > > > > > > > do, but they are kinda hardwired to xfs anyway). > > > > > > > > > > > > > > > > The NFS protocol supports volatile file handles. knfsd does not. > > > > > > > > So maybe > > > > > > > > EXPORT_OP_NOT_NFSD_COMPATIBLE > > > > > > > > might be better. or EXPORT_OP_NOT_LINUX_NFSD_COMPATIBLE. > > > > > > > > (I prefer opt-out rather than opt-in because nfsd export was the > > > > > > > > original purpose of export_operations, but it isn't something > > > > > > > > I would fight for) > > > > > > > > > > > > > > I prefer one of the variants you proposed here but I don't particularly > > > > > > > care. It's not a hill worth dying on. So if Christoph insists on the > > > > > > > other name then I say let's just go with it. > > > > > > > > > > > > > > > > > > > This sounds like you are recommending that we give in to bullying. > > > > > > I would rather the decision be made based on the facts of the case, not > > > > > > the opinions that are stated most bluntly. > > > > > > > > > > > > I actually think that what Christoph wants is actually quite different > > > > > > from what Jeff wants, and maybe two flags are needed. But I don't yet > > > > > > have a clear understanding of what Christoph wants, so I cannot be sure. > > > > > > > > > > I've tried to indirectly ask whether you would be willing to compromise > > > > > here or whether you want to insist on your alternative name. Apparently > > > > > that didn't come through. > > > > > > > > This would be the "not a hill worthy dying on" part of your statement. > > > > I think I see that implication now. > > > > But no, I don't think compromise is relevant. I think the problem > > > > statement as originally given by Jeff is misleading, and people have > > > > been misled to an incorrect name. > > > > > > > > > > > > > > I'm unclear what your goal is in suggesting that I recommend "we" give > > > > > into bullying. All it achieved was to further derail this thread. > > > > > > > > > > > > > The "We" is the same as the "us" in "let's just go with it". > > > > > > > > > > > > > I also think it's not very helpful at v6 of the discussion to start > > > > > figuring out what the actual key rift between Jeff's and Christoph's > > > > > position is. If you've figured it out and gotten an agreement and this > > > > > is already in, send a follow-up series. > > > > > > > > v6? v2 was posted today. But maybe you are referring the some other > > > > precursors. > > > > > > > > The introductory statement in v2 is > > > > > > > > This patchset adds a flag that indicates whether the filesystem supports > > > > stable filehandles (i.e. that they don't change over the life of the > > > > file). It then makes any filesystem that doesn't set that flag > > > > ineligible for nfsd export. > > > > > > > > Nobody else questioned the validity of that. I do. > > > > No evidence was given that there are *any* filesystems that don't > > > > support stable filehandles. The only filesystem mentioned is cgroups > > > > and it DOES provide stable filehandles. > > > > > > > Across reboot? Not really. > > Across reboot all the files are deleted and then new ones are created. > So there is nothing that needs to be stable. > > > > > It's quite possible that we may end up with the same "id" numbers in > > cgroupfs on a new incarnation of the filesystem after a reboot. The > > files in there are not the same ones as the ones before, but their > > filehandles may match because kernfs doesn't factor in an i_generation > > number. > > That is is about filehandle re-use, not about filehandle stability. > > > > > Could we fix it by adding a random i_generation value or something? > > Possibly, but there really isn't a good use-case that I can see for > > allowing cgroupfs to be exported via nfsd. Best to disallow it until > > someone comes up with one. > > 100% agree. > > > > > > Oh yes we did. And this is a merry-go-round. > > > > > > It is very much fine for a filesystems to support file handles without > > > wanting to support exporting via NFS. That is especially true for > > > in-kernel pseudo filesystems. > > > > > > As I've said before multiple times I want a way to allow filesystems > > > such as pidfs and nsfs to use file handles without supporting export. > > > Whatever that fscking flag is called at this point I fundamentally don't > > > care. And we are reliving the same arguments over and over. > > > > > > I will _hard NAK_ anything that starts mandating that export of > > > filesystems must be allowed simply because their file handles fit export > > > criteria. I do not care whether pidfs or nsfs file handles fit the bill. > > > They will not be exported. > > > > I don't really care what we call the flag. I do care a little about > > what its semantics are, but the effect should be to ensure that fs > > maintainers make a conscious decision about whether nfsd export should > > be allowed on the filesystem. > > Why do you need a conscious decision so much that you want to try to > force it. As I said before, filesystems are growing export_operations for other reasons than nfs export. I simply want to the fs maintainers to take a conscious step to say "yes, this should be available via nfsd if it's exported". Hopefully they'll also validate that it actually _works_ too. > Of course we want conscious decisions and hope they are always made, but > trying to manipulate people to doing things often fails. How sure are > you that fs developers won't just copy-paste some other implementation > and not think about the implications of the flag? > > What is the down side? What is the harm from allowing export (should the > admin attempt it)? > If there were serious security concerns - then sure, make it harder to > do the dangerous thing. > But if it is just "it doesn't make sense", then there is no harm in > letting people get away with not reading the documentation, and fixing > things later as complaints arrive. That is generally how the process > works. > Some of the more exotic filesystems could end up causing kernel panics or something if exported when they haven't been validated to actually work with nfsd. That's mostly FUD though -- I don't have any examples. > But if you really really want to set this new flag on almost every > export_operations, can I ask that you please set it on EVERY export > operations, then allow maintainers to remove it as they see fit. > I think that approach would be much easier to review. > We could probably do that, but I think the main ones that excludes it are kernfs, pidfs and nsfs. ovl and fuse also have export ops in certain modes that exclude NFS access, so the flag was left off of those as well. > With your current series it is non-trivial to determine which > export_operations you have chosen not to set the flag on. If you had > one patch that set it everywhere, then individual patches to remove it, > that would be a lot easier to review. Noted. At this point I'm debating whether to pursue this further, or just drop this for now until we can come to a better consensus. Maybe we need a discussion about this at LSF? -- Jeff Layton <jlayton@kernel.org>
On Wed, Jan 21, 2026 at 12:56 PM Jeff Layton <jlayton@kernel.org> wrote: > ... > > But if you really really want to set this new flag on almost every > > export_operations, can I ask that you please set it on EVERY export > > operations, then allow maintainers to remove it as they see fit. > > I think that approach would be much easier to review. > > > > We could probably do that, but I think the main ones that excludes it > are kernfs, pidfs and nsfs. ovl and fuse also have export ops in > certain modes that exclude NFS access, so the flag was left off of > those as well. > For the record, my comments regarding fuse_export_fid_operations and ovl_export_fid_operations variants were purely semantic - it did not make sense to mark them as _STABLE_HANDLE, but it does not matter if you set a flag on those ops, because they do not implement ->fh_to_dentry(), on purpose, they are not exportfs_can_decode_fh() by design. Thanks, Amir.
On Tue, Jan 20, 2026 at 07:45:35AM +1100, NeilBrown wrote: > This sounds like you are recommending that we give in to bullying. I find your suggestion that anything you disagree with is bullying extremely offensive. If you have valid reasons for naming something after the user instead of explaining the semantics, please explain that. If you think NFS actually explains the semantics pretty well, please explain that too, especially in forms that can be put into documentation, including for the user ABI.
On Tue, 20 Jan 2026, Christoph Hellwig wrote: > On Tue, Jan 20, 2026 at 07:45:35AM +1100, NeilBrown wrote: > > This sounds like you are recommending that we give in to bullying. > > I find your suggestion that anything you disagree with is bullying > extremely offensive. If you have valid reasons for naming something > after the user instead of explaining the semantics, please explain that. I was referring not to your behaviour but to this statement by Christian: So if Christoph insists on the other name then I say let's just go with it. I think that someone "insisting" on something rather than "arguing rationally" for something "sounds like" bullying. Had Christian said something like "Christoph has convinced me of the wisdom of his choice" that would have been very different. I am quite happy to have reasoned discussions with people who disagree with me. I hope to always provide new relevant information, and hope they will too. > > If you think NFS actually explains the semantics pretty well, please > explain that too, especially in forms that can be put into > documentation, including for the user ABI. There are multiple issues here: - filehandle stability. As far as I know all filesystems provide stable filehandles when the "subtree_check" export option is not used. Certainly cgroupfs does. So having an EXPORT_OP_STABLE_HANDLES flag would mean it was set for every filesystem - unless there is something else I'm not aware of. That is certainly possible and I hope someone will let me know if I'm missing something. - filehandle uniqueness. This is somewhat important and if a filesystem doesn't provide it, that should be considered a bug. In a different thread Christian has observed that there would be benefit if pidfs and nsfs provided uniqueness across reboots. It is quite easy for a virtual filesystem to generate a 64 bit random number when the fs is initialised, and include that in file handles. Having a EXPORT_OP_REUSES_HANDLES flag could mark filesystems that are still buggy if that is thought to be useful. - GETATTR always reporting file size of 0. This is the only concrete symptom that Jeff has reported (that I have seen). This makes it impossible to read files over NFS even if they have content. Would EXPORT_OP_INACCURATE_SIZE be useful? - maintainer feature choice. A maintainer may choose not to support export over NFS because they feel that there is no value and the possible support burden would not be worth it. There may be locking / lease / etc issues that further complicate things. So it might be reasonable for a maintainer to choose to forbid NFS export while allowing local fhandle access. EXPORT_OP_NO_NFS_EXPORT. It took me a while to sift through the code/patches/comments and come to this understanding and I apologise if I wasn't as clear earlier. But my intuition was always that file handle stability was never the real issue, and maintainer choice was. Hence my rejection of the "STABLE_HANDLES" name. Thanks, NeilBrown
On Tue, 2026-01-20 at 20:27 +1100, NeilBrown wrote: > On Tue, 20 Jan 2026, Christoph Hellwig wrote: > > On Tue, Jan 20, 2026 at 07:45:35AM +1100, NeilBrown wrote: > > > This sounds like you are recommending that we give in to bullying. > > > > I find your suggestion that anything you disagree with is bullying > > extremely offensive. If you have valid reasons for naming something > > after the user instead of explaining the semantics, please explain that. > > I was referring not to your behaviour but to this statement by Christian: > > So if Christoph insists on the other name then I say let's just go with it. > > I think that someone "insisting" on something rather than "arguing > rationally" for something "sounds like" bullying. Had Christian said > something like "Christoph has convinced me of the wisdom of his choice" > that would have been very different. > > I am quite happy to have reasoned discussions with people who disagree > with me. I hope to always provide new relevant information, and hope > they will too. > > > > > If you think NFS actually explains the semantics pretty well, please > > explain that too, especially in forms that can be put into > > documentation, including for the user ABI. > > There are multiple issues here: > > - filehandle stability. As far as I know all filesystems provide > stable filehandles when the "subtree_check" export option is not used. > Certainly cgroupfs does. So having an EXPORT_OP_STABLE_HANDLES > flag would mean it was set for every filesystem - unless there is > something else I'm not aware of. That is certainly possible and I > hope someone will let me know if I'm missing something. > > - filehandle uniqueness. This is somewhat important and if a > filesystem doesn't provide it, that should be considered a bug. In a > different thread Christian has observed that there would be benefit > if pidfs and nsfs provided uniqueness across reboots. It is quite > easy for a virtual filesystem to generate a 64 bit random number when > the fs is initialised, and include that in file handles. Having a > EXPORT_OP_REUSES_HANDLES flag could mark filesystems that are still > buggy if that is thought to be useful. > I was conflating "uniqueness" with "stability" wrt cgroupfs. cgroupfs does have _stable_ handles, by your definition above. What it does not provide is proper uniqueness since it can end up reusing a filehandle after a reboot. Maybe that is the better thing to flag here. > - GETATTR always reporting file size of 0. This is the only concrete > symptom that Jeff has reported (that I have seen). This makes it > impossible to read files over NFS even if they have content. > Would EXPORT_OP_INACCURATE_SIZE be useful? > Ahh yes, that is probably why I was getting 0 length files when reading. Likely fixable if anyone cares I suppose. > - maintainer feature choice. A maintainer may choose not to support > export over NFS because they feel that there is no value and the > possible support burden would not be worth it. There may be locking > / lease / etc issues that further complicate things. So it might be > reasonable for a maintainer to choose to forbid NFS export while > allowing local fhandle access. EXPORT_OP_NO_NFS_EXPORT. > > It took me a while to sift through the code/patches/comments and come to > this understanding and I apologise if I wasn't as clear earlier. But > my intuition was always that file handle stability was never the real > issue, and maintainer choice was. Hence my rejection of the > "STABLE_HANDLES" name. > Thanks for laying all that out. You're quite right that this covers more than handle stability. At this point, I'm not sure what to do with this set since there are a lot of competing proposals. In the near term, I'm fine with Amir's patch. -- Jeff Layton <jlayton@kernel.org>
On Tue, Jan 20, 2026 at 08:27:46PM +1100, NeilBrown wrote: > > If you think NFS actually explains the semantics pretty well, please > > explain that too, especially in forms that can be put into > > documentation, including for the user ABI. > > There are multiple issues here: > > - filehandle stability. As far as I know all filesystems provide > stable filehandles when the "subtree_check" export option is not used. That is news to me, but certainly interesting. Does this include not reusing the file handle for a new incarnation of the same thing? > Certainly cgroupfs does. So having an EXPORT_OP_STABLE_HANDLES > flag would mean it was set for every filesystem - unless there is > something else I'm not aware of. That is certainly possible and I > hope someone will let me know if I'm missing something. Well, if does not provide stable file handles with the subtree_check export option, or more importantly with the CONNECTABLE flag passed to encode_fh, which is the level we're operating on, it can't set the flag. > - filehandle uniqueness. This is somewhat important and if a > filesystem doesn't provide it, that should be considered a bug. In a > different thread Christian has observed that there would be benefit > if pidfs and nsfs provided uniqueness across reboots. It is quite > easy for a virtual filesystem to generate a 64 bit random number when > the fs is initialised, and include that in file handles. Having a > EXPORT_OP_REUSES_HANDLES flag could mark filesystems that are still > buggy if that is thought to be useful. Yes. > - GETATTR always reporting file size of 0. This is the only concrete > symptom that Jeff has reported (that I have seen). This makes it > impossible to read files over NFS even if they have content. > Would EXPORT_OP_INACCURATE_SIZE be useful? i_size = 0 for a regular file sounds like a genuine bug to me. I'm actually surprised anything works with that. > - maintainer feature choice. A maintainer may choose not to support > export over NFS because they feel that there is no value and the > possible support burden would not be worth it. The maintainer has no way to disallow exporting through nfs. They can at best disallow exporting using the kernel nfs daemon if we provide that facility. But as I've argued multiple times, making arbitrary, selective and very narrow choices about use cases without technical backing for them (which then would be expressable as a flag like those listed by you above) is really bad software development practice, and not something that we usually do in the Linux kernel. > There may be locking > / lease / etc issues that further complicate things. So it might be > reasonable for a maintainer to choose to forbid NFS export while > allowing local fhandle access. EXPORT_OP_NO_NFS_EXPORT. We already have a EXPORT_OP_NOLOCKS flag to deal with this. > > It took me a while to sift through the code/patches/comments and come to > this understanding and I apologise if I wasn't as clear earlier. But > my intuition was always that file handle stability was never the real > issue, and maintainer choice was. Hence my rejection of the > "STABLE_HANDLES" name. Why do you keep ignoring the fat that the stable handles are really important for anyone wanting to actually use them for their original storage purpose, be that for knfsd, a userland nfs damon, or other storage applications in userspace despite explaining this countless times?
On Wed, 21 Jan 2026, Christoph Hellwig wrote: > On Tue, Jan 20, 2026 at 08:27:46PM +1100, NeilBrown wrote: > > > If you think NFS actually explains the semantics pretty well, please > > > explain that too, especially in forms that can be put into > > > documentation, including for the user ABI. > > > > There are multiple issues here: > > > > - filehandle stability. As far as I know all filesystems provide > > stable filehandles when the "subtree_check" export option is not used. > > That is news to me, but certainly interesting. Does this include not > reusing the file handle for a new incarnation of the same thing? "stable" and "reuse" are quite distinct concepts in my mind. "a new incarnation of the same thing" is in my experience a new thing. rmdir foo: mkdir foo on an empty directory will create a new incarnation of the same thing. But it will appear to be different in various ways. Names, not file handles, are generally used for new incarnations of the same thing (again - in my experience). I cannot 100% guarantee that all fs's provide filehandle stability, but I am not aware of any, and none have been presented in this discussion. It is true that the NFSv4 spec claims to allow them but I find the details provided insufficient. They might be able to work reliably if the server provided a delegation, but without it I don't think they can be used reliably. I'm certainly not aware of any attempt to support them in Linux client or server. (I know Trond doesn't like "connectable" file handles). > > > Certainly cgroupfs does. So having an EXPORT_OP_STABLE_HANDLES > > flag would mean it was set for every filesystem - unless there is > > something else I'm not aware of. That is certainly possible and I > > hope someone will let me know if I'm missing something. > > Well, if does not provide stable file handles with the subtree_check > export option, or more importantly with the CONNECTABLE flag passed > to encode_fh, which is the level we're operating on, it can't set the > flag. > Hmmm... I didn't know that open_by_handle_at() supported CONNECTABLE requests. That seems relatively recent. If CONNECTABLE is requested, then only directories get stable filehandles. If CONNECTABLE is not requested, then all filehandles should be stable. > > - filehandle uniqueness. This is somewhat important and if a > > filesystem doesn't provide it, that should be considered a bug. In a > > different thread Christian has observed that there would be benefit > > if pidfs and nsfs provided uniqueness across reboots. It is quite > > easy for a virtual filesystem to generate a 64 bit random number when > > the fs is initialised, and include that in file handles. Having a > > EXPORT_OP_REUSES_HANDLES flag could mark filesystems that are still > > buggy if that is thought to be useful. > > Yes. > > > - GETATTR always reporting file size of 0. This is the only concrete > > symptom that Jeff has reported (that I have seen). This makes it > > impossible to read files over NFS even if they have content. > > Would EXPORT_OP_INACCURATE_SIZE be useful? > > i_size = 0 for a regular file sounds like a genuine bug to me. I'm > actually surprised anything works with that. Files in /proc are all size zero. Files in /sys seem to be all 4096 (or maybe PAGE_SIZE). Files in /sys/kernel/security are all size zero Files in /sys/fs/cgroup are all zero I agree it is weird, but it seems to work ... though I do have a vague memory of something not working because it used a library function to read a file, and it needed to be fixed. No details come to mind except that it was probably md related. As some of these virtual files can be different every time they are read, there is TOCTOU issue with trying to make the i_size accurately reflect the result of a subsequent read. I think the cost of setting an accurate i_size even when it is possible is not seen as worth while. > > > - maintainer feature choice. A maintainer may choose not to support > > export over NFS because they feel that there is no value and the > > possible support burden would not be worth it. > > The maintainer has no way to disallow exporting through nfs. They can > at best disallow exporting using the kernel nfs daemon if we provide > that facility. But as I've argued multiple times, making arbitrary, > selective and very narrow choices about use cases without technical > backing for them (which then would be expressable as a flag like those > listed by you above) is really bad software development practice, and > not something that we usually do in the Linux kernel. True: once you make files available to people you cannot control what people will do with them. So maybe you are saying "what is so special about knfsd that it gets information that no-one else can get". I cannot argue against that. > > > There may be locking > > / lease / etc issues that further complicate things. So it might be > > reasonable for a maintainer to choose to forbid NFS export while > > allowing local fhandle access. EXPORT_OP_NO_NFS_EXPORT. > > We already have a EXPORT_OP_NOLOCKS flag to deal with this. > > > > > It took me a while to sift through the code/patches/comments and come to > > this understanding and I apologise if I wasn't as clear earlier. But > > my intuition was always that file handle stability was never the real > > issue, and maintainer choice was. Hence my rejection of the > > "STABLE_HANDLES" name. > > Why do you keep ignoring the fat that the stable handles are really > important for anyone wanting to actually use them for their original > storage purpose, be that for knfsd, a userland nfs damon, or other > storage applications in userspace despite explaining this countless > times? > It isn't that I don't think they are important. It is that I think they are universally provided (when not connectable). If we add an EXPORT_OP_STABLE_FILEHANDLES flag, I believe we would need to set it on every export_operations structure. So what would be the point? Thanks, NeilBrown
On Wed, 2026-01-21 at 21:34 +1100, NeilBrown wrote: > On Wed, 21 Jan 2026, Christoph Hellwig wrote: > > > > > > > > > It took me a while to sift through the code/patches/comments and come to > > > this understanding and I apologise if I wasn't as clear earlier. But > > > my intuition was always that file handle stability was never the real > > > issue, and maintainer choice was. Hence my rejection of the > > > "STABLE_HANDLES" name. > > > > Why do you keep ignoring the fat that the stable handles are really > > important for anyone wanting to actually use them for their original > > storage purpose, be that for knfsd, a userland nfs damon, or other > > storage applications in userspace despite explaining this countless > > times? > > > > It isn't that I don't think they are important. It is that I think they > are universally provided (when not connectable). > If we add an EXPORT_OP_STABLE_FILEHANDLES flag, I believe we would need to > set it on every export_operations structure. So what would be the > point? > I see your point. Using your definitions, stability is not a problem for Linux filesystems. The filehandles generally don't change after they have been established. Uniqueness however _is_ a problem as we can end up with valid handles for files that have been recreated across a reboot with some filesystems (esp. "synthetic" ones like cgroupfs, pidfs, etc.). Naming the flag STABLE conflates the two. In an earlier email, HCH said: > We'll still need a stable handles flag, and expose it to userspace > to avoid applications being tricked into using broken non-stable > file handles. We should have caught that when they were added, but > didn't unfortunately. > If we assume he meant "unique handles" flag, then I think we're all mostly in agreement here. As far as this patchset goes: what if we were to just rename EXPORT_OP_STABLE_HANDLES to EXPORT_OP_UNIQUE_HANDLES (and clean up the documentation), since that's the main issue for existing filesystems. It would be fairly simple to advertise handle uniqueness using statx or something. Alternately, instead of denying access to these filesystems, we could just fix these filesystems to create unique handles (a'la random i_generation value or something similar). That should mostly prevent filehandles from being reusable across a reboot on these filesystems. That would leave cgroupfs and the like exportable via nfsd, but as you point out, we can't deny export by userland servers. If people want to do this kind of crazy stuff, maybe we shouldn't deny them after all. -- Jeff Layton <jlayton@kernel.org>
On Wed, Jan 21, 2026 at 09:27:38AM -0500, Jeff Layton wrote: > Using your definitions, stability is not a problem for Linux > filesystems. The filehandles generally don't change after they have > been established. fat seems to be an exception as far as the 'real' file systems go. And it did sound to me like some of the synthetic ones had similar issues. > > We'll still need a stable handles flag, and expose it to userspace > > to avoid applications being tricked into using broken non-stable > > file handles. We should have caught that when they were added, but > > didn't unfortunately. > > > > If we assume he meant "unique handles" flag, then I think we're all > mostly in agreement here. As far as this patchset goes: what if we > were to just rename EXPORT_OP_STABLE_HANDLES to > EXPORT_OP_UNIQUE_HANDLES (and clean up the documentation), since that's > the main issue for existing filesystems. It would be fairly simple to > advertise handle uniqueness using statx or something. Unique seems to also only capture part of it, but I could absolutely live with it, if the documentation includes all aspecs. But maybe use persistent as in the nfs spec? > > Alternately, instead of denying access to these filesystems, we could > just fix these filesystems to create unique handles (a'la random > i_generation value or something similar). That should mostly prevent > filehandles from being reusable across a reboot on these filesystems. Do we even want to provide access to them? > That would leave cgroupfs and the like exportable via nfsd, but as you > point out, we can't deny export by userland servers. If people want to > do this kind of crazy stuff, maybe we shouldn't deny them after all. I think Amirs patch would take care of that. Although userland nfs servers or other storage applications using the handle syscalls would still see them. Then again fixing the problem that some handles did not fulfill the long standing (but not documented well enough) semantics probably is a good fix on it's own.
On Wed, 2026-01-21 at 06:47 -0800, Christoph Hellwig wrote:
> On Wed, Jan 21, 2026 at 09:27:38AM -0500, Jeff Layton wrote:
> > Using your definitions, stability is not a problem for Linux
> > filesystems. The filehandles generally don't change after they have
> > been established.
>
> fat seems to be an exception as far as the 'real' file systems go.
> And it did sound to me like some of the synthetic ones had similar
> issues.
>
Not sure what we can do about FAT without changing the filehandle
format in some fashion. The export ops just use
generic_encode_ino32_fh, and FAT doesn't have stable inode numbers.
The "nostale" ops seem sane enough but it looks like they only work
with the fs in r/o mode.
...and therein lies a problem. We can't reasonably stop exporting FAT
(even with all of its issues), and it in no way meets the definition of
persistent or unique handles.
> > > We'll still need a stable handles flag, and expose it to userspace
> > > to avoid applications being tricked into using broken non-stable
> > > file handles. We should have caught that when they were added, but
> > > didn't unfortunately.
> > >
> >
> > If we assume he meant "unique handles" flag, then I think we're all
> > mostly in agreement here. As far as this patchset goes: what if we
> > were to just rename EXPORT_OP_STABLE_HANDLES to
> > EXPORT_OP_UNIQUE_HANDLES (and clean up the documentation), since that's
> > the main issue for existing filesystems. It would be fairly simple to
> > advertise handle uniqueness using statx or something.
>
> Unique seems to also only capture part of it, but I could absolutely
> live with it, if the documentation includes all aspecs. But maybe
> use persistent as in the nfs spec?
The spec also has the concept of uniqueness. There is an attribute for
that:
5.8.1.10. Attribute 9: unique_handles
TRUE, if two distinct filehandles are guaranteed to refer to two different file system objects.
So, the NFSv4 spec does allow for non-unique handles (oh, the
humanity). Persistence has more to do with being non-volatile, AFAICT:
FH4_PERSISTENT
The value of FH4_PERSISTENT is used to indicate a persistent
filehandle, which is valid until the object is removed from the file
system. The server will not return NFS4ERR_FHEXPIRED for this
filehandle. FH4_PERSISTENT is defined as a value in which none of the
bits specified below are set.
In this case, the filesystems we're most concerned about do not provide
uniqueness, but do provide persistence.
> >
> > Alternately, instead of denying access to these filesystems, we could
> > just fix these filesystems to create unique handles (a'la random
> > i_generation value or something similar). That should mostly prevent
> > filehandles from being reusable across a reboot on these filesystems.
>
> Do we even want to provide access to them?
>
The point would be that there would be no need to flag them, since all
filehandles would then meet the technical definition of unique and
persistent (modulo FAT of course).
> > That would leave cgroupfs and the like exportable via nfsd, but as you
> > point out, we can't deny export by userland servers. If people want to
> > do this kind of crazy stuff, maybe we shouldn't deny them after all.
>
> I think Amirs patch would take care of that. Although userland nfs
> servers or other storage applications using the handle syscalls would
> still see them. Then again fixing the problem that some handles
> did not fulfill the long standing (but not documented well enough)
> semantics probably is a good fix on it's own.
Agreed. We should try to ensure uniqueness and persistence in all
filehandles both for nfsd and userland applications.
--
Jeff Layton <jlayton@kernel.org>
On Wed, Jan 21, 2026 at 10:18:00AM -0500, Jeff Layton wrote: > > fat seems to be an exception as far as the 'real' file systems go. > > And it did sound to me like some of the synthetic ones had similar > > issues. > > > > Not sure what we can do about FAT without changing the filehandle > format in some fashion. The export ops just use > generic_encode_ino32_fh, and FAT doesn't have stable inode numbers. > The "nostale" ops seem sane enough but it looks like they only work > with the fs in r/o mode. Yeah. I guess we need to ignore this because of <history> > > I think Amirs patch would take care of that. Although userland nfs > > servers or other storage applications using the handle syscalls would > > still see them. Then again fixing the problem that some handles > > did not fulfill the long standing (but not documented well enough) > > semantics probably is a good fix on it's own. > > Agreed. We should try to ensure uniqueness and persistence in all > filehandles both for nfsd and userland applications. Sounds good to me.
On Wed, 2026-01-21 at 22:37 -0800, Christoph Hellwig wrote: > On Wed, Jan 21, 2026 at 10:18:00AM -0500, Jeff Layton wrote: > > > fat seems to be an exception as far as the 'real' file systems go. > > > And it did sound to me like some of the synthetic ones had similar > > > issues. > > > > > > > Not sure what we can do about FAT without changing the filehandle > > format in some fashion. The export ops just use > > generic_encode_ino32_fh, and FAT doesn't have stable inode numbers. > > The "nostale" ops seem sane enough but it looks like they only work > > with the fs in r/o mode. > > Yeah. I guess we need to ignore this because of <history> > Yep. This is a case where the handles are not PERSISTENT but I don't think we can get away with making FAT unexportable. We're probably stuck with it. > > > I think Amirs patch would take care of that. Although userland nfs > > > servers or other storage applications using the handle syscalls would > > > still see them. Then again fixing the problem that some handles > > > did not fulfill the long standing (but not documented well enough) > > > semantics probably is a good fix on it's own. > > > > Agreed. We should try to ensure uniqueness and persistence in all > > filehandles both for nfsd and userland applications. > > Sounds good to me. Unfortunately, there are already exceptions. Apparently pidfs and cgroupfs handles (at least) can't be extended because of userspace expectations: https://lore.kernel.org/linux-nfs/20260120-irrelevant-zeilen-b3c40a8e6c30@brauner/ My personal take is that we should try to make handle uniqueness a goal for most existing filesystems, but we're going to have some that can't achieve that. For them we probably want to be able to flag them so they can be id'ed by userland. So, we will need an export_operations flag of some sort (EXPORT_OP_UNIQUE_HANDLES?). At that point, we'll have to decide whether to deny nfsd export based on that flag: We could deny export of any fs that doesn't set the flag, but NFSv4 actually allows the server to advertise that it can't guarantee handle uniqueness. There isn't much guidance for the client on how to handle that though and the attribute seems to have the scope of the entire NFS server. -- Jeff Layton <jlayton@kernel.org>
On Thu, Jan 22, 2026 at 07:12:36AM -0500, Jeff Layton wrote: > On Wed, 2026-01-21 at 22:37 -0800, Christoph Hellwig wrote: > > On Wed, Jan 21, 2026 at 10:18:00AM -0500, Jeff Layton wrote: > > > > fat seems to be an exception as far as the 'real' file systems go. > > > > And it did sound to me like some of the synthetic ones had similar > > > > issues. > > > > > > > > > > Not sure what we can do about FAT without changing the filehandle > > > format in some fashion. The export ops just use > > > generic_encode_ino32_fh, and FAT doesn't have stable inode numbers. > > > The "nostale" ops seem sane enough but it looks like they only work > > > with the fs in r/o mode. > > > > Yeah. I guess we need to ignore this because of <history> > > > > Yep. This is a case where the handles are not PERSISTENT but I don't > think we can get away with making FAT unexportable. We're probably > stuck with it. > > > > > I think Amirs patch would take care of that. Although userland nfs > > > > servers or other storage applications using the handle syscalls would > > > > still see them. Then again fixing the problem that some handles > > > > did not fulfill the long standing (but not documented well enough) > > > > semantics probably is a good fix on it's own. > > > > > > Agreed. We should try to ensure uniqueness and persistence in all > > > filehandles both for nfsd and userland applications. > > > > Sounds good to me. > > > Unfortunately, there are already exceptions. Apparently pidfs and > cgroupfs handles (at least) can't be extended because of userspace > expectations: > > https://lore.kernel.org/linux-nfs/20260120-irrelevant-zeilen-b3c40a8e6c30@brauner/ systemd cracking file handles?? Yeesh, I thought userspace was supposed to treat a file handle as an opaque N-byte blob and nothing more, and only certain "special" tools (e.g. xfsprogs on XFS) could do more than that. --D > My personal take is that we should try to make handle uniqueness a goal > for most existing filesystems, but we're going to have some that can't > achieve that. For them we probably want to be able to flag them so they > can be id'ed by userland. > > So, we will need an export_operations flag of some sort > (EXPORT_OP_UNIQUE_HANDLES?). At that point, we'll have to decide > whether to deny nfsd export based on that flag: > > We could deny export of any fs that doesn't set the flag, but NFSv4 > actually allows the server to advertise that it can't guarantee handle > uniqueness. There isn't much guidance for the client on how to handle > that though and the attribute seems to have the scope of the entire NFS > server. > > -- > Jeff Layton <jlayton@kernel.org> >
> It took me a while to sift through the code/patches/comments and come to > this understanding and I apologise if I wasn't as clear earlier. But > my intuition was always that file handle stability was never the real > issue, and maintainer choice was. Hence my rejection of the I very much agree with that assessment. Yet we so far have failed to even agree that this is an acceptable position. Hence my irritation. And apologies on my part if I'm curt. I'm simply annoyed by the very lengthy and to me somewhat pointless debate here at times.
On Mon, Jan 19, 2026 at 06:22:42PM +1100, NeilBrown wrote: > We are calling it for it's only use. If there was ever another use, we > could change the name if that made sense. It is not a public name, it > is easy to change. No, it is not the only use. This flag needs to be propagate to userspace through statx or the file attrs. As I said before there is plenty of code in userspace that does rely on the traditional file handle semantics. > > Remember nfs also support volatile file handles, and other applications > > might rely on this (I know of quite a few user space applications that > > do, but they are kinda hardwired to xfs anyway). > > The NFS protocol supports volatile file handles. knfsd does not. > So maybe > EXPORT_OP_NOT_NFSD_COMPATIBLE > might be better. or EXPORT_OP_NOT_LINUX_NFSD_COMPATIBLE. > (I prefer opt-out rather than opt-in because nfsd export was the > original purpose of export_operations, but it isn't something > I would fight for) Again, stop trying to name things of the initial user. Flag needs to describe smenatics, not users.
© 2016 - 2026 Red Hat, Inc.