On Wed, Sep 02, 2020 at 11:52:41AM +0800, Shengjing Zhu wrote:
> On Sat, Aug 29, 2020 at 10:13 PM Shengjing Zhu <z...@debian.org> wrote:
> >
> > Source: linux
> > Version: 5.7.10-1
> > Severity: normal
> >
> > Hi,
> >
> > After enabling overlayfs for userns, I find it doesn't work as expected.
> >
> > $ cat /sys/module/overlay/parameters/permit_mounts_in_userns
> > Y
> >
> > zsj@debian:~/test$ pwd
> > /home/zsj/test
> > zsj@debian:~/test$ tree
> > .
> > ├── lower
> > │   └── a
> > │       └── a
> > ├── merged
> > ├── upper
> > └── work
> >
> > zsj@debian:~/test$ unshare -m -U -r
> > root@debian:~/test# mount -t overlay -o
> > rw,lowerdir=/home/zsj/test/lower,upperdir=/home/zsj/test/upper,workdir=/home/zsj/test/work
> > overlay /home/zsj/test/merged
> > root@debian:~/test# rm -rf merged/a
> > rm: cannot remove 'merged/a': Input/output error
> >
Hi,

overlayfs uses filesystem xattrs to mark "whiteouts" and redirects of directories, which are only accessible for root (CAP_SYS_ADMIN), thus not when overlay is mounted in a user namespace, cp. e.g. [1,2].

Ubuntu kernel "solves" this by skipping the "trusted."-xattr check [3], thus allowing setting and removal of 'trusted.overlay.*' xattrs from within user namespaces; but those are still visible in all other namespaces. A following overlayfs mount done by the real root user will use these modified xattrs.

To me it would seem to be more adequate if overlayfs would use 'overlay.*' instead of 'trusted.overlay.*' if it is mounted in an unprivileged user namespace. But this would make overlay mounts done by root incompatible with those done in a user namespace.

Maybe you find #836211 to be related to this.

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/xattr.c?h=linux-5.7.y#n113
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/xattr.c?h=linux-5.7.y#n1049
[3]: https://kernel.ubuntu.com/git/ubuntu/ubuntu-focal.git/commit/?id=111cd1a9840ce187e28b49fe4e77b9b5e84386b1

> If I upgrade a debian10 VM to testing, it seems to work.
> However if I boot a new debian testing VM, it seems not to work.
> Both VMs are downloaded from http://cdimage.debian.org/cdimage/cloud/
> What can be the difference here? I'm lost on debugging this..

This confuses me. Are you sure you used the same kernel version on both VMs when mounting overlayfs in userns?

Kind regards,
Nicolas

-- 
epost: nico...@fjasle.eu
irc://oftc.net/nsc
↳ gpg: 18ed 52db e34f 860e e9fb c82b 7d97 0932 55a0 ce7f
-- the fear of the Lord is the origin of knowledge --
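Added example (not part of the bug report or of the reply above, and not kernel or Debian code): a small Linux/Python 3 probe that checks the two things the reply hinges on. It tries to set a 'trusted.overlay.*' xattr on a directory and maps the kernel's refusal back to the CAP_SYS_ADMIN check in fs/xattr.c, and it lists any overlay xattrs already sitting on that directory, which is what a userns mount under a kernel that skips the check would leave visible to every other namespace. The 'user.overlay.opaque' name is a stand-in for the unprivileged alternative the reply proposes; nothing in this thread says overlayfs uses it. Run it against the upper dir (e.g. /home/zsj/test/upper) both outside and inside `unshare -m -U -r` to see the difference.

```python
# Added example (not from the bug report or the reply): probe whether this
# process may set the xattrs overlayfs relies on, and list any overlay xattrs
# already on a directory. Assumes Linux and Python 3; os.setxattr/os.listxattr
# are Linux-only stdlib calls.
import errno
import os
import sys
import tempfile

# overlayfs stores whiteout, opaque-dir and redirect markers in this
# namespace; fs/xattr.c only lets a caller with CAP_SYS_ADMIN in the initial
# user namespace write "trusted.*" names, which is what fails in a userns.
TRUSTED_OVERLAY = "trusted.overlay."
# "user.*" is writable by anyone who may write the file. Used here only as a
# stand-in for the unprivileged alternative discussed in the reply (assumed
# name, not something this thread says overlayfs uses).
USER_OVERLAY = "user.overlay."

XATTR_UNSUPPORTED = {errno.ENOTSUP, errno.EOPNOTSUPP}  # same value on Linux


def overlay_xattrs(path):
    """Return the overlay-namespace xattrs present on `path` (symlinks not
    followed), or [] on a filesystem without xattr support.

    On an upper dir this shows what a userns mount under a kernel that skips
    the trusted.* check would leave behind for the real root's next mount.
    """
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError as e:
        if e.errno in XATTR_UNSUPPORTED:
            return []
        raise
    return sorted(n for n in names
                  if n.startswith(TRUSTED_OVERLAY) or n.startswith(USER_OVERLAY))


def try_setxattr(path, name, value=b"y"):
    """Try to set and immediately remove one xattr. Return None if the kernel
    allowed it, otherwise the errno it refused with."""
    try:
        os.setxattr(path, name, value, follow_symlinks=False)
    except OSError as e:
        return e.errno
    os.removexattr(path, name, follow_symlinks=False)
    return None


def explain(err):
    """Map a try_setxattr() result to the check that most likely produced it."""
    if err is None:
        return "allowed"
    if err == errno.EPERM:
        return "EPERM: no CAP_SYS_ADMIN in the initial user namespace (trusted.* check)"
    if err in XATTR_UNSUPPORTED:
        return "ENOTSUP: filesystem refuses this xattr namespace"
    return os.strerror(err)


def probe(path):
    """For one directory: could overlayfs's own marker be written there, could
    an unprivileged user.* marker, and which overlay markers are present now."""
    return {
        TRUSTED_OVERLAY + "opaque": explain(try_setxattr(path, TRUSTED_OVERLAY + "opaque")),
        USER_OVERLAY + "opaque": explain(try_setxattr(path, USER_OVERLAY + "opaque")),
        "present": overlay_xattrs(path),
    }


def probe_scratch():
    """Run probe() against a fresh, empty scratch directory."""
    return probe(tempfile.mkdtemp())


if __name__ == "__main__":
    # Point this at the upper dir (e.g. /home/zsj/test/upper) from inside and
    # outside `unshare -m -U -r`; with no argument it uses a scratch directory.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    for key, result in probe(target).items():
        print(f"{key}: {result}")
```

Outside the namespace, as real root, the trusted probe reports "allowed" and `rm` in the merged dir works; inside `unshare -m -U -r` it reports EPERM on a stock kernel, which is the refusal overlayfs turns into the EIO seen in the report. On a kernel carrying the Ubuntu change the same probe would report "allowed" inside the namespace, and `overlay_xattrs()` run afterwards on the upper dir shows the markers that remain for every other namespace. As a caveat not on this page: later mainline kernels added a `userxattr` mount option that makes overlayfs use 'user.overlay.*' for exactly this situation, with the incompatibility between the two marker namespaces that the reply anticipates.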