Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XFS Quota Enforcement Issue: Only Applied at Volume Root, Not Inside _data for Second and Subsequent Podman Volumes #25368

Open
ak89224 opened this issue Feb 19, 2025 · 20 comments · May be fixed by containers/storage#2264
Open

XFS Quota Enforcement Issue: Only Applied at Volume Root, Not Inside _data for Second and Subsequent Podman Volumes #25368

ak89224 opened this issue Feb 19, 2025 · 20 comments · May be fixed by containers/storage#2264
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@ak89224
Copy link

ak89224 commented Feb 19, 2025
edited
Loading

Issue Description

When using the local volume driver with the --opt o=size=10M option on an XFS-backed storage (with project quotas enabled), Podman correctly creates the volume and assigns an XFS project quota. However, during container startup, Podman erroneously passes the “size” option as a mount parameter to the XFS mount command. Since XFS does not recognize a “size” mount option, the container fails to start with an error:

mount: /mnt/data/containers/storage/volumes/testVolume/_data: fsconfig system call failed: xfs: Unknown parameter 'size'

Steps to reproduce the issue

  1. Prepare an XFS Partition with Project Quotas:
    • Format the device (e.g., /dev/sdb1) as XFS and mount it at /mnt/data with prjquota enabled.
    • /etc/fstab entry: 
      /dev/sdb1 /mnt/data/  xfs defaults,x-systemd.device-timeout=0,pquota 1 2
    • Mount the partition using: 
      mount -a
  2. Configure Podman to Use the XFS Partition:
    • Edit /etc/containers/storage.conf to set graphroot: 
      [storage]
driver = "overlay"
graphroot = "/mnt/data/containers/storage"
    • Restart Podman if necessary.
  3. Create a Volume with a Size Option:
    • Create a volume with: 
      podman volume create --driver local --opt o=size=10M testVolume
    • Verify via: 
      xfs_quota -x -c "report -p" /mnt/data
      that a project quota is set (e.g., a hard limit of ~10MB).
  4. Attempt to Run a Container Using the Volume:
    • Start a container with: 
      podman run --rm -v testVolume:/data busybox sh -c "dd if=/dev/zero of=/data/testfile bs=1M count=15"
    • The container fails with an error: 
      mount: /mnt/data/containers/storage/volumes/testVolume/_data: fsconfig system call failed: xfs: Unknown parameter 'size'

Describe the results you received

Actual Behavior:

  • When a volume is created with --opt o=size=10M, Podman sets the project quota as expected.
  • However, at container startup, Podman issues a mount command that includes -o size=10M, which is rejected by the XFS mount system call, causing the container to fail to start.

Debug Logs and Analysis:

  • Debug Log Snippet: podman volume create --opt device=/dev/sdb1 --opt type=xfs --opt o=size=10M testvol4
[root@fedora abhi]# podman --log-level=debug volume create --opt device=/dev/sdb1 --opt type=xfs -o=o=size=10M testvol4
INFO[0000] podman filtering at log level debug
DEBU[0000] Called create.PersistentPreRunE(podman --log-level=debug volume create --opt device=/dev/sdb1 --opt type=xfs -o=o=size=10M testvol4)
DEBU[0000] Using conmon: "/usr/bin/conmon"
INFO[0000] Using sqlite as database backend
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /mnt/data/containers/storage
DEBU[0000] Using run root /run/containers/storage
DEBU[0000] Using static dir /mnt/data/containers/storage/libpod
DEBU[0000] Using tmp dir /run/libpod
DEBU[0000] Using volume path /mnt/data/containers/storage/volumes
DEBU[0000] Using transient store: false
DEBU[0000] [graphdriver] trying provided driver "overlay"
DEBU[0000] overlay: imagestore=/usr/lib/containers/storage
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that metacopy is being used
DEBU[0000] NewControl(/mnt/data/containers/storage/overlay): nextProjectID = 100001
DEBU[0000] Cached value indicated that native-diff is not being used
INFO[0000] Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled
DEBU[0000] backingFs=xfs, projectQuotaSupported=true, useNativeDiff=false, usingMetacopy=true
DEBU[0000] Initializing event backend journald
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument
DEBU[0000] Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument
DEBU[0000] Configured OCI runtime crun-vm initialization failed: no valid executable found for OCI runtime crun-vm: invalid argument
DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument
DEBU[0000] Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument
DEBU[0000] Using OCI runtime "/usr/bin/crun"
INFO[0000] Setting parallel job count to 13
DEBU[0000] Validating options for local driver
DEBU[0000] NewControl(/mnt/data/containers/storage/volumes): nextProjectID = 200003
DEBU[0000] Setting quota project ID 200003 on /mnt/data/containers/storage/volumes/testvol4
DEBU[0000] SetQuota path=/mnt/data/containers/storage/volumes/testvol4, size=10000000, inodes=0, projectID=200003
testvol4
DEBU[0000] Called create.PersistentPostRunE(podman --log-level=debug volume create --opt device=/dev/sdb1 --opt type=xfs -o=o=size=10M testvol4)
DEBU[0000] Shutting down engines
INFO[0000] Received shutdown.Stop(), terminating!        PID=87400
  • Volume Inspect:
[root@fedora abhi]# podman volume inspect testvol4
[
     {
          "Name": "testvol4",
          "Driver": "local",
          "Mountpoint": "/mnt/data/containers/storage/volumes/testvol4/_data",
          "CreatedAt": "2025-02-20T01:26:43.831051058+05:30",
          "Labels": {},
          "Scope": "local",
          "Options": {
               "SIZE": "10M",
               "device": "/dev/sdb1",
               "o": "size=10M",
               "type": "xfs"
          },
          "MountCount": 0,
          "NeedsCopyUp": true,
          "NeedsChown": true,
          "LockNumber": 3
     }
]
  • Debug Log Snippet: podman run
  DEBU[0000] Running mount command: /usr/bin/mount -o size=10M -t xfs /dev/sdb1 /mnt/data/containers/storage/volumes/testvol4/_data
  DEBU[0000] Mount command failed with exit status 32
...
...
...
DEBU[0000] ExitCode msg: "mounting volume testvol4 for container a44a8a561b8148341e6db6aef76f1a25ffcbb620ba7d628138ad6efb1e155f58: mount: /mnt/data/containers/storage/volumes/testvol4/_data: fsconfig system call failed: xfs: unknown parameter 'size'.\n       dmesg(1) may have more information after failed mount system call.\n"
Error: mounting volume testvol4 for container a44a8a561b8148341e6db6aef76f1a25ffcbb620ba7d628138ad6efb1e155f58: mount: /mnt/data/containers/storage/volumes/testvol4/_data: fsconfig system call failed: xfs: Unknown parameter 'size'.
       dmesg(1) may have more information after failed mount system call.
  • Analysis:
    • Although Podman’s volume creation process correctly sets up XFS project quotas (as confirmed by xfs_quota), it later passes the “size=10M” mount option when mounting the volume inside the container.
    • XFS does not recognize any mount option named “size”; project quotas are managed via the quota system, not as a mount parameter.
    • As a workaround, if the volume is created without the --opt o=size=10M option, Podman mounts the volume successfully, and quotas can be manually enforced using XFS tools.

Describe the results you expected

Expected Behavior:

  • Podman should use the --opt o=size=10M parameter to set the XFS project quota on the volume (which it does) but should not pass a “size=10M” option to the mount system call when starting a container.
  • The container should mount the volume normally, and the XFS quota should limit writes to ~10MB without causing a mount error.

podman info output

host:
  arch: amd64
  buildahVersion: 1.38.1
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-3.fc41.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 97.8
    systemPercent: 1.88
    userPercent: 0.32
  cpus: 4
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: workstation
    version: "41"
  eventLogger: journald
  freeLocks: 2044
  hostname: fedora
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.12.11-200.fc41.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 8684425216
  memTotal: 16758345728
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-1.fc41.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.1-1.fc41.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: crun
    package: crun-1.19.1-1.fc41.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.19.1
      commit: 3e32a70c93f5aa5fea69b50256cca7fd4aa23c80
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250121.g4f2c8e7-2.fc41.x86_64
    version: |
      pasta 0^20250121.g4f2c8e7-2.fc41.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 60h 45m 7.00s (Approximately 2.50 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.imagestore: /usr/lib/containers/storage
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /mnt/data/containers/storage
  graphRootAllocated: 21406679040
  graphRootUsed: 464166912
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /mnt/data/containers/storage/volumes
version:
  APIVersion: 5.3.2
  Built: 1737504000
  BuiltTime: Wed Jan 22 05:30:00 2025
  GitCommit: ""
  GoVersion: go1.23.4
  Os: linux
  OsArch: linux/amd64
  Version: 5.3.2

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

Yes

Additional environment details

Environment:

  • Podman Version: 5.3.2
  • Operating System: Fedora 41
  • Filesystem: XFS with project quotas enabled (mounted with prjquota)
  • Podman Storage Configuration:
    • graphroot = "/mnt/data/containers/storage"

Additional information

Impact:

  • This issue prevents the use of the `--opt o=size=10M feature for local volumes on XFS-backed storage in Podman, limiting the ability to enforce per-volume storage limits automatically.
  • The only workaround is to create the volume without the size option and manually apply XFS quotas after volume creation, which is not ideal for automated or production environments.

Additional Information:

  • The issue appears to be isolated to the way Podman translates the --opt o=size=10M option into mount options for XFS.
  • Similar behavior is observed even though the XFS project quotas are properly applied at volume creation.
  • Debug logs indicate that the unsupported mount option “size=10M” is passed during the container’s volume mount process.
@ak89224 ak89224 added the kind/bug Categorizes issue or PR as related to a bug. label Feb 19, 2025
@ak89224
Copy link
Author

ak89224 commented Feb 19, 2025
edited
Loading

FYI,
@mheon , @rhatdan

@mheon
Copy link
Member

mheon commented Feb 19, 2025

It's not podman volume create --opt size= but podman volume create --opt o=size= - this is documented in the manpage.

Still, I find it very curious that size= is not being rejected outright - per the manpage it's not valid syntax and we should be rejecting it. So that's still a bug.

@mheon
Copy link
Member

mheon commented Feb 19, 2025

Alternatively we could just add more native support for size= to do the same thing as o=size= - but we'd have to handle both being set at the same time which would be awkward.

@ak89224
Copy link
Author

ak89224 commented Feb 19, 2025

It's not podman volume create --opt size= but podman volume create --opt o=size= - this is documented in the manpage.

Still, I find it very curious that size= is not being rejected outright - per the manpage it's not valid syntax and we should be rejecting it. So that's still a bug.

It's not --opt size if you see the logs I tried with both -o=o=size=10M & --opt o=size=10M although both are same but still.

I made a typo in the theory part. Will omit it.

@ak89224 ak89224 changed the title Using --opt size on Podman Local Volumes Passes Unsupported 'size' Mount Option on XFS Using --opt o=size=10M on Podman Local Volumes Passes Unsupported 'size' Mount Option on XFS Feb 19, 2025
@ak89224
Copy link
Author

ak89224 commented Feb 19, 2025

It's not podman volume create --opt size= but podman volume create --opt o=size= - this is documented in the manpage.

Still, I find it very curious that size= is not being rejected outright - per the manpage it's not valid syntax and we should be rejecting it. So that's still a bug.

And yes I can confirm that for this syntax --opt size= it doesn't rejects. It just creates a volume without any quota.

@Luap99
Copy link
Member

Luap99 commented Feb 20, 2025

Your reproducer says

podman volume create --driver local --opt o=size=10M testVolume

But you logs shows

podman --log-level=debug volume create --opt device=/dev/sdb1 --opt type=xfs -o=o=size=10M testvol4

These are two different things, the first creates a normal bind mount and tries to enable quotas, the second however mounts a new filesystem (xfs) and all the o= blah options are passed as mount options as documented.

So I would say it is very much expected that the second command does not work. The first however should work per docs.

@ak89224
Copy link
Author

ak89224 commented Feb 20, 2025

Your reproducer says

podman volume create --driver local --opt o=size=10M testVolume

But you logs shows

podman --log-level=debug volume create --opt device=/dev/sdb1 --opt type=xfs -o=o=size=10M testvol4

These are two different things, the first creates a normal bind mount and tries to enable quotas, the second however mounts a new filesystem (xfs) and all the o= blah options are passed as mount options as documented.

So I would say it is very much expected that the second command does not work. The first however should work per docs.

Thanks, @Luap99

With the 1st option where it's creating a normal bind it doesn't pass the mount options forward.

But with this I ran into another issue, that the volume quota option (--opt o=size=... when creating volumes with the local driver and XFS filesystem) is not being enforced when writing to the volume from within a running container.

Steps to reproduce:

  1. Create Podman volume with quota: podman --log-level=debug volume create --driver local --opt o=size=10M testVol8
  2. Run container mounting the volume and write more than quota:
[root@fedora testVol8]# podman run --rm -v testVol8:/data busybox sh -c "dd if=/dev/zero of=/data/testfile bs=1M count=15"
15+0 records in
15+0 records out
15728640 bytes (15.0MB) copied, 0.191835 seconds, 78.2MB/s
[root@fedora testVol8]#
  1. The dd command completes successfully, writing more than the 10MB quota to the volume.
  2. The Project quota says it's unused. #200008 0 9768 9768 00 [--------]
[root@fedora abhi]# xfs_quota -x -c "report -p" /mnt/data
Project quota on /mnt/data (/dev/sdb1)
                               Blocks
Project ID       Used       Soft       Hard    Warn/Grace
---------- --------------------------------------------------
#0              65876          0          0     00 [--------]
storage             4          0          0     00 [--------]
volumes             0       9768       9768     00 [--------]
#200001             0       9768       9768     00 [--------]
#200002             0       9768       9768     00 [--------]
#200003             0       9768       9768     00 [--------]
#200004             0       9768       9768     00 [--------]
#200005             0       9768       9768     00 [--------]
#200006             0       9768       9768     00 [--------]
#200007             0       9768       9768     00 [--------]
#200008             0       9768       9768     00 [--------]
  1. Direct host write test to see if quotas are set or not:
[root@fedora abhi]# cd /mnt/data/containers/storage/volumes/testVol8
[root@fedora testVol8]#
[root@fedora testVol8]#
[root@fedora testVol8]#
[root@fedora testVol8]# ll
total 0
drwxr-xr-x. 2 root root 22 Feb 21 00:37 _data
[root@fedora testVol8]# dd if=/dev/zero of=testfile_host bs=1M count=11
dd: error writing 'testfile_host': No space left on device
10+0 records in
9+0 records out
9895936 bytes (9.9 MB, 9.4 MiB) copied, 0.158613 s, 62.4 MB/s
  1. Writing to the volume directory directly on the host (as root) does trigger the XFS project quota, and writes fail after the limit is reached.
[root@fedora testVol8]# xfs_quota -x -c "report -p" /mnt/data
Project quota on /mnt/data (/dev/sdb1)
                               Blocks
Project ID       Used       Soft       Hard    Warn/Grace
---------- --------------------------------------------------
#0              65876          0          0     00 [--------]
storage             4          0          0     00 [--------]
volumes             0       9768       9768     00 [--------]
#200001             0       9768       9768     00 [--------]
#200002             0       9768       9768     00 [--------]
#200003             0       9768       9768     00 [--------]
#200004             0       9768       9768     00 [--------]
#200005             0       9768       9768     00 [--------]
#200006             0       9768       9768     00 [--------]
#200007             0       9768       9768     00 [--------]
#200008          9664       9768       9768     00 [--------]
  1. This point out that Podman sets the quota during volume creation but does not seem to enforce it in the container runtime
  2. Then something very interesting, I'm able to write inside the _data directory of the Podman volume, even after the quota should have been exceeded based on our previous understanding. This is unexpected.
[root@fedora testVol8]# dd if=/dev/zero of=_data/testfile_host bs=1M count=11
11+0 records in
11+0 records out
11534336 bytes (12 MB, 11 MiB) copied, 0.0782921 s, 147 MB/s
[root@fedora testVol8]# xfs_quota -x -c "report -p" /mnt/data
Project quota on /mnt/data (/dev/sdb1)
                               Blocks
Project ID       Used       Soft       Hard    Warn/Grace
---------- --------------------------------------------------
#0              77140          0          0     00 [--------]
storage             4          0          0     00 [--------]
volumes             0       9768       9768     00 [--------]
#200001             0       9768       9768     00 [--------]
#200002             0       9768       9768     00 [--------]
#200003             0       9768       9768     00 [--------]
#200004             0       9768       9768     00 [--------]
#200005             0       9768       9768     00 [--------]
#200006             0       9768       9768     00 [--------]
#200007             0       9768       9768     00 [--------]
#200008          9664       9768       9768     00 [--------]
  1. Looked libpod src and found that
    When Podman creates a local volume (driver local), it typically creates a directory structure like this within the volume path (/mnt/data/containers/storage/volumes in this case):
/mnt/data/containers/storage/volumes/
└── testVol8/
    └── _data/
  • testVol8: This is the volume name directory. This is what gets the project quota applied to it based on the podman volume create logs.
DEBU[0000] Validating options for local driver
DEBU[0000] NewControl(/mnt/data/containers/storage/volumes): nextProjectID = 200008
DEBU[0000] Setting quota project ID 200008 on /mnt/data/containers/storage/volumes/testVol8
DEBU[0000] SetQuota path=/mnt/data/containers/storage/volumes/testVol8, size=10000000, inodes=0, projectID=200008
testVol8
DEBU[0000] Called create.PersistentPostRunE(podman --log-level=debug volume create --driver local --opt o=size=10M testVol8)
DEBU[0000] Shutting down engines
INFO[0000] Received shutdown.Stop(), terminating!        PID=142619
  • _data: This is a subdirectory inside the testVol8 directory. This is where the actual volume data is stored.

My Hypothesis:

  1. The XFS project quota is being applied by Podman to the volume's top-level directory (/mnt/data/containers/storage/volumes/testVol8), but the actual volume data is stored within the _data subdirectory (/mnt/data/containers/storage/volumes/testVol8/_data).
  2. Because the quota is not applied to the _data subdirectory or recursively enforced within testVol8, writing to _data bypasses the quota enforcement.

@Luap99 , @mheon
Most probable root cause for this is related to the fix in this PR Set quota on volume root directory, not _data is conflicting with this containers quota management driver commits which guarantees that only children files inherit the ID not subdirectories // stripProjectInherit strips the project inherit flag from a directory.

@mheon
Copy link
Member

mheon commented Feb 20, 2025

stripProjectInherit is only used for the top-level directory. The _data directories are not stripped of the inherit flag.

@ak89224
Copy link
Author

ak89224 commented Feb 21, 2025
edited
Loading

stripProjectInherit is only used for the top-level directory. The _data directories are not stripped of the inherit flag.

Ahh...I see. Yes, but still this behavior is unexpected !

Also direct write on the host confirms that at filesystem level xfs quotas are only enforced on volume name directory not on its children subdirectories (_data)

@mheon @Luap99
Could you please have a look on the logs and point what could have possibly gone wrong here during container creation ? I'm putting the snippets of logs during container run.

-------------- Logs Below (Concerned parts are marked with **) ------------

[root@fedora abhi]# podman --log-level=debug run --rm -v testVol8:/data busybox sh -c "dd if=/dev/zero of=/data/testfile bs=1M count=15"
INFO[0000] podman filtering at log level debug
**DEBU[0000] Called run.PersistentPreRunE(podman --log-level=debug run --rm -v testVol8:/data busybox sh -c dd if=/dev/zero of=/data/testfile bs=1M count=15)**
DEBU[0000] Using conmon: "/usr/bin/conmon"
INFO[0000] Using sqlite as database backend
**DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /mnt/data/containers/storage
DEBU[0000] Using run root /run/containers/storage
DEBU[0000] Using static dir /mnt/data/containers/storage/libpod
DEBU[0000] Using tmp dir /run/libpod
DEBU[0000] Using volume path /mnt/data/containers/storage/volumes**
DEBU[0000] Using transient store: false
DEBU[0000] [graphdriver] trying provided driver "overlay"
DEBU[0000] overlay: imagestore=/usr/lib/containers/storage
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that metacopy is being used
**DEBU[0000] NewControl(/mnt/data/containers/storage/overlay): nextProjectID = 100001
DEBU[0000] Cached value indicated that native-diff is not being used
INFO[0000] Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled
DEBU[0000] backingFs=xfs, projectQuotaSupported=true, useNativeDiff=false, usingMetacopy=true**
DEBU[0000] Initializing event backend journald
DEBU[0000] Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument
DEBU[0000] Configured OCI runtime crun-vm initialization failed: no valid executable found for OCI runtime crun-vm: invalid argument
DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument
DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument
DEBU[0000] Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument
DEBU[0000] Using OCI runtime "/usr/bin/crun"
INFO[0000] Setting parallel job count to 13
DEBU[0000] Pulling image busybox (policy: missing)
DEBU[0000] Looking up image "busybox" in local containers storage
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux  [] }
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf"
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf.d/000-shortnames.conf"
DEBU[0000] Trying "docker.io/library/busybox:latest" ...
DEBU[0000] parsed reference into "[overlay@/mnt/data/containers/storage+/run/containers/storage:overlay.imagestore=/usr/lib/containers/storage,overlay.mountopt=nodev,metacopy=on]@af47096251092caf59498806ab8d58e8173ecf5a182f024ce9d635b5b4a55d66"
DEBU[0000] Found image "busybox" as "docker.io/library/busybox:latest" in local containers storage
DEBU[0000] Found image "busybox" as "docker.io/library/busybox:latest" in local containers storage ([overlay@/mnt/data/containers/storage+/run/containers/storage:overlay.imagestore=/usr/lib/containers/storage,overlay.mountopt=nodev,metacopy=on]@af47096251092caf59498806ab8d58e8173ecf5a182f024ce9d635b5b4a55d66)
DEBU[0000] exporting opaque data as blob "sha256:af47096251092caf59498806ab8d58e8173ecf5a182f024ce9d635b5b4a55d66"
DEBU[0000] Looking up image "docker.io/library/busybox:latest" in local containers storage
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux  [] }
DEBU[0000] Trying "docker.io/library/busybox:latest" ...
DEBU[0000] parsed reference into "[overlay@/mnt/data/containers/storage+/run/containers/storage:overlay.imagestore=/usr/lib/containers/storage,overlay.mountopt=nodev,metacopy=on]@af47096251092caf59498806ab8d58e8173ecf5a182f024ce9d635b5b4a55d66"
DEBU[0000] Found image "docker.io/library/busybox:latest" as "docker.io/library/busybox:latest" in local containers storage
**DEBU[0000] Found image "docker.io/library/busybox:latest" as "docker.io/library/busybox:latest" in local containers storage ([overlay@/mnt/data/containers/storage+/run/containers/storage:overlay.imagestore=/usr/lib/containers/storage,overlay.mountopt=nodev,metacopy=on]@af47096251092caf59498806ab8d58e8173ecf5a182f024ce9d635b5b4a55d66)
DEBU[0000] exporting opaque data as blob "sha256:af47096251092caf59498806ab8d58e8173ecf5a182f024ce9d635b5b4a55d66"
DEBU[0000] User mount testVol8:/data options []**
DEBU[0000] Looking up image "busybox" in local containers storage
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux  [] }
DEBU[0000] Trying "docker.io/library/busybox:latest" ...
DEBU[0000] parsed reference into "[overlay@/mnt/data/containers/storage+/run/containers/storage:overlay.imagestore=/usr/lib/containers/storage,overlay.mountopt=nodev,metacopy=on]@af47096251092caf59498806ab8d58e8173ecf5a182f024ce9d635b5b4a55d66"
DEBU[0000] Found image "busybox" as "docker.io/library/busybox:latest" in local containers storage
DEBU[0000] Found image "busybox" as "docker.io/library/busybox:latest" in local containers storage ([overlay@/mnt/data/containers/storage+/run/containers/storage:overlay.imagestore=/usr/lib/containers/storage,overlay.mountopt=nodev,metacopy=on]@af47096251092caf59498806ab8d58e8173ecf5a182f024ce9d635b5b4a55d66)
DEBU[0000] exporting opaque data as blob "sha256:af47096251092caf59498806ab8d58e8173ecf5a182f024ce9d635b5b4a55d66"
DEBU[0000] Inspecting image af47096251092caf59498806ab8d58e8173ecf5a182f024ce9d635b5b4a55d66
DEBU[0000] exporting opaque data as blob "sha256:af47096251092caf59498806ab8d58e8173ecf5a182f024ce9d635b5b4a55d66"
DEBU[0000] Inspecting image af47096251092caf59498806ab8d58e8173ecf5a182f024ce9d635b5b4a55d66
DEBU[0000] Inspecting image af47096251092caf59498806ab8d58e8173ecf5a182f024ce9d635b5b4a55d66
DEBU[0000] Inspecting image af47096251092caf59498806ab8d58e8173ecf5a182f024ce9d635b5b4a55d66
DEBU[0000] using systemd mode: false
DEBU[0000] No hostname set; container's hostname will default to runtime default
DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json"
DEBU[0000] Successfully loaded 1 networks
DEBU[0000] Allocated lock 8 for container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb
DEBU[0000] exporting opaque data as blob "sha256:af47096251092caf59498806ab8d58e8173ecf5a182f024ce9d635b5b4a55d66"
**DEBU[0000] Cached value indicated that idmapped mounts for overlay are supported
DEBU[0000] Setting quota project ID 100001 on /mnt/data/containers/storage/overlay/2e33f3df776d5a10f3481b06d47abcd52ce6d12b94f3a152ee97201ca7a9d1ea
DEBU[0000] SetQuota path=/mnt/data/containers/storage/overlay/2e33f3df776d5a10f3481b06d47abcd52ce6d12b94f3a152ee97201ca7a9d1ea, size=0, inodes=0, projectID=100001
DEBU[0000] Created container "b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb"
DEBU[0000] Container "b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb" has work directory "/mnt/data/containers/storage/overlay-containers/b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb/userdata"
DEBU[0000] Container "b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb" has run directory "/run/containers/storage/overlay-containers/b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb/userdata"**
DEBU[0000] Not attaching to stdin
INFO[0000] Received shutdown.Stop(), terminating!        PID=142751
DEBU[0000] Enabling signal proxying
DEBU[0000] Cached value indicated that volatile is being used
**DEBU[0000] overlay: mount_data=lowerdir=/mnt/data/containers/storage/overlay/l/6YJOUZBC74AJBDOVC6MU2YUYKA,upperdir=/mnt/data/containers/storage/overlay/2e33f3df776d5a10f3481b06d47abcd52ce6d12b94f3a152ee97201ca7a9d1ea/diff,workdir=/mnt/data/containers/storage/overlay/2e33f3df776d5a10f3481b06d47abcd52ce6d12b94f3a152ee97201ca7a9d1ea/work,nodev,metacopy=on,volatile,context="system_u:object_r:container_file_t:s0:c632,c636"
DEBU[0000] Mounted container "b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb" at "/mnt/data/containers/storage/overlay/2e33f3df776d5a10f3481b06d47abcd52ce6d12b94f3a152ee97201ca7a9d1ea/merged"
DEBU[0000] Going to mount named volume testVol8
DEBU[0000] Copying up contents from container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb to volume testVol8
DEBU[0000] Created root filesystem for container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb at /mnt/data/containers/storage/overlay/2e33f3df776d5a10f3481b06d47abcd52ce6d12b94f3a152ee97201ca7a9d1ea/merged
DEBU[0000] Made network namespace at /run/netns/netns-20d8cf0e-ca95-3071-1d7e-e9a5deb85bbb for container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb**
[DEBUG netavark::network::validation] Validating network namespace...
[DEBUG netavark::commands::setup] Setting up...
[INFO  netavark::firewall] Using nftables firewall driver
[DEBUG netavark::network::bridge] Setup network podman
[DEBUG netavark::network::bridge] Container interface name: eth0 with IP addresses [10.88.0.6/16]
[DEBUG netavark::network::bridge] Bridge name: podman0 with IP addresses [10.88.0.1/16]
[DEBUG netavark::network::core_utils] Setting sysctl value for net.ipv4.ip_forward to 1
[DEBUG netavark::network::core_utils] Setting sysctl value for /proc/sys/net/ipv4/conf/podman0/rp_filter to 2
[DEBUG netavark::network::core_utils] Setting sysctl value for /proc/sys/net/ipv6/conf/eth0/autoconf to 0
[DEBUG netavark::network::core_utils] Setting sysctl value for /proc/sys/net/ipv4/conf/eth0/arp_notify to 1
[DEBUG netavark::network::core_utils] Setting sysctl value for /proc/sys/net/ipv4/conf/eth0/rp_filter to 2
[INFO  netavark::network::netlink] Adding route (dest: 0.0.0.0/0 ,gw: 10.88.0.1, metric 100)
[DEBUG netavark::firewall::nft] Matched Rule { family: INet, table: "netavark", chain: "POSTROUTING", expr: [Match(Match { left: BinaryOperation(AND(Named(Meta(Meta { key: Mark })), Number(8192))), right: Number(8192), op: EQ }), Masquerade(None)], handle: Some(11), index: None, comment: None }
[DEBUG netavark::firewall::nft] Matched Rule { family: INet, table: "netavark", chain: "NETAVARK-HOSTPORT-SETMARK", expr: [Mangle(Mangle { key: Named(Meta(Meta { key: Mark })), value: BinaryOperation(OR(Named(Meta(Meta { key: Mark })), Number(8192))) })], handle: Some(12), index: None, comment: None }
[DEBUG netavark::firewall::nft] Matched Rule { family: INet, table: "netavark", chain: "PREROUTING", expr: [Match(Match { left: Named(Fib(Fib { result: Type, flags: {Daddr} })), right: String("local"), op: EQ }), Jump(JumpTarget { target: "NETAVARK-HOSTPORT-DNAT" })], handle: Some(13), index: None, comment: None }
[DEBUG netavark::firewall::nft] Matched Rule { family: INet, table: "netavark", chain: "OUTPUT", expr: [Match(Match { left: Named(Fib(Fib { result: Type, flags: {Daddr} })), right: String("local"), op: EQ }), Jump(JumpTarget { target: "NETAVARK-HOSTPORT-DNAT" })], handle: Some(14), index: None, comment: None }
[DEBUG netavark::firewall::nft] Matched Rule { family: INet, table: "netavark", chain: "FORWARD", expr: [Match(Match { left: Named(CT(CT { key: "state", family: None, dir: None })), right: String("invalid"), op: IN }), Drop(None)], handle: Some(15), index: None, comment: None }
[DEBUG netavark::firewall::nft] Matched Rule { family: INet, table: "netavark", chain: "FORWARD", expr: [Jump(JumpTarget { target: "NETAVARK-ISOLATION-1" })], handle: Some(16), index: None, comment: None }
[DEBUG netavark::firewall::nft] Matched Rule { family: INet, table: "netavark", chain: "NETAVARK-ISOLATION-3", expr: [Jump(JumpTarget { target: "NETAVARK-ISOLATION-2" })], handle: Some(18), index: None, comment: None }
[DEBUG netavark::firewall::firewalld] Adding firewalld rules for network 10.88.0.0/16
[DEBUG netavark::firewall::firewalld] Adding subnet 10.88.0.0/16 to zone trusted as source
[INFO  netavark::firewall::nft] Creating container chain nv_2f259bab_10_88_0_0_nm16
[DEBUG netavark::commands::setup] {
        "podman": StatusBlock {
            dns_search_domains: Some(
                [],
            ),
            dns_server_ips: Some(
                [],
            ),
            interfaces: Some(
                {
                    "eth0": NetInterface {
                        mac_address: "06:39:f7:60:00:4a",
                        subnets: Some(
                            [
                                NetAddress {
                                    gateway: Some(
                                        10.88.0.1,
                                    ),
                                    ipnet: 10.88.0.6/16,
                                },
                            ],
                        ),
                    },
                },
            ),
        },
    }
[DEBUG netavark::commands::setup] Setup complete
DEBU[0000] /proc/sys/crypto/fips_enabled does not contain '1', not adding FIPS mode bind mounts
DEBU[0000] Setting Cgroups for container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb to machine.slice:libpod:b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb
DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d
**DEBU[0000] Workdir "/" resolved to host path "/mnt/data/containers/storage/overlay/2e33f3df776d5a10f3481b06d47abcd52ce6d12b94f3a152ee97201ca7a9d1ea/merged"
DEBU[0000] Created OCI spec for container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb at /mnt/data/containers/storage/overlay-containers/b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb/userdata/config.json**
DEBU[0000] /usr/bin/conmon messages will be logged to syslog
DEBU[0000] running conmon: /usr/bin/conmon               args="[--api-version 1 -c b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb -u b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb -r /usr/bin/crun -b /mnt/data/containers/storage/overlay-containers/b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb/userdata -p /run/containers/storage/overlay-containers/b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb/userdata/pidfile -n silly_beaver --exit-dir /run/libpod/exits --persist-dir /run/libpod/persist/b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb --full-attach -s -l journald --log-level debug --syslog --conmon-pidfile /run/containers/storage/overlay-containers/b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /mnt/data/containers/storage --exit-command-arg --runroot --exit-command-arg /run/containers/storage --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/libpod --exit-command-arg --network-config-dir --exit-command-arg  --exit-command-arg --network-backend --exit-command-arg netavark --exit-command-arg --volumepath --exit-command-arg /mnt/data/containers/storage/volumes --exit-command-arg --db-backend --exit-command-arg sqlite --exit-command-arg --transient-store=false --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --storage-opt --exit-command-arg overlay.imagestore=/usr/lib/containers/storage --exit-command-arg --storage-opt --exit-command-arg overlay.mountopt=nodev,metacopy=on --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg --syslog --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --stopped-only --exit-command-arg --rm --exit-command-arg b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb]"
INFO[0000] Running conmon under slice machine.slice and unitName libpod-conmon-b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb.scope
DEBU[0001] Received: 142797
INFO[0001] Got Conmon PID as 142790
DEBU[0001] Created container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb in OCI runtime
DEBU[0001] Adding nameserver(s) from network status of '[]'
DEBU[0001] Adding search domain(s) from network status of '[]'
DEBU[0001] found local resolver, using "/run/systemd/resolve/resolv.conf" to get the nameservers
**DEBU[0001] Attaching to container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb
DEBU[0001] Starting container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb with command [sh -c dd if=/dev/zero of=/data/testfile bs=1M count=15]
DEBU[0001] Started container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb
DEBU[0001] Notify sent successfully
15+0 records in
15+0 records out
15728640 bytes (15.0MB) copied, 0.207084 seconds, 72.4MB/s
DEBU[0002] Checking if container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb should restart**
DEBU[0002] Removing container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb
DEBU[0002] Cleaning up container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb
DEBU[0002] Tearing down network namespace at /run/netns/netns-20d8cf0e-ca95-3071-1d7e-e9a5deb85bbb for container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb
[DEBUG netavark::commands::teardown] Tearing down..
[INFO  netavark::firewall] Using nftables firewall driver
[INFO  netavark::network::bridge] removing bridge podman0
[DEBUG netavark::firewall::nft] Matched Rule { family: INet, table: "netavark", chain: "INPUT", expr: [Match(Match { left: Named(Payload(PayloadField(PayloadField { protocol: "ip", field: "saddr" }))), right: Named(Prefix(Prefix { addr: String("10.88.0.0"), len: 16 })), op: EQ }), Match(Match { left: Named(Meta(Meta { key: L4proto })), right: Named(Set([Element(String("tcp")), Element(String("udp"))])), op: EQ }), Match(Match { left: Named(Payload(PayloadField(PayloadField { protocol: "th", field: "dport" }))), right: Number(53), op: EQ }), Accept(None)], handle: Some(59), index: None, comment: None }
[DEBUG netavark::firewall::nft] Matched Rule { family: INet, table: "netavark", chain: "FORWARD", expr: [Match(Match { left: Named(Payload(PayloadField(PayloadField { protocol: "ip", field: "daddr" }))), right: Named(Prefix(Prefix { addr: String("10.88.0.0"), len: 16 })), op: EQ }), Match(Match { left: Named(CT(CT { key: "state", family: None, dir: None })), right: List([String("established"), String("related")]), op: IN }), Accept(None)], handle: Some(60), index: None, comment: None }
[DEBUG netavark::firewall::nft] Matched Rule { family: INet, table: "netavark", chain: "FORWARD", expr: [Match(Match { left: Named(Payload(PayloadField(PayloadField { protocol: "ip", field: "saddr" }))), right: Named(Prefix(Prefix { addr: String("10.88.0.0"), len: 16 })), op: EQ }), Accept(None)], handle: Some(61), index: None, comment: None }
[DEBUG netavark::firewall::nft] Matched Rule { family: INet, table: "netavark", chain: "POSTROUTING", expr: [Match(Match { left: Named(Payload(PayloadField(PayloadField { protocol: "ip", field: "saddr" }))), right: Named(Prefix(Prefix { addr: String("10.88.0.0"), len: 16 })), op: EQ }), Jump(JumpTarget { target: "nv_2f259bab_10_88_0_0_nm16" })], handle: Some(62), index: None, comment: None }
[DEBUG netavark::firewall::nft] Removing 4 rules
[DEBUG netavark::firewall::nft] Found chain nv_2f259bab_10_88_0_0_nm16
[DEBUG netavark::firewall::firewalld] Removing firewalld rules for IPs 10.88.0.0/16
[DEBUG netavark::firewall::nft] Matched Rule { family: INet, table: "netavark", chain: "NETAVARK-ISOLATION-3", expr: [Match(Match { left: Named(Meta(Meta { key: Oifname })), right: String("podman0"), op: EQ }), Drop(None)], handle: Some(54), index: None, comment: None }
[DEBUG netavark::firewall::nft] Removing 1 isolation rules for network
[DEBUG netavark::commands::teardown] Teardown complete
DEBU[0002] Successfully cleaned up container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb
DEBU[0002] Unmounted container "b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb"
DEBU[0002] Removing all exec sessions for container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb
DEBU[0002] Container b569e996534b169f805d357959e2b0cb113d9067a4e13766ccb05fb8ca0bfeeb storage is already unmounted, skipping...
DEBU[0002] Called run.PersistentPostRunE(podman --log-level=debug run --rm -v testVol8:/data busybox sh -c dd if=/dev/zero of=/data/testfile bs=1M count=15)
DEBU[0002] Shutting down engines

@ak89224
Copy link
Author

ak89224 commented Feb 24, 2025

Hello @mheon / @Luap99 ,

I wanted to kindly follow up on this bug. I understand you are busy, but I'm still encountering this issue and would greatly appreciate any guidance when you have a moment.

Revalidation Steps

I set up a fresh environment on a different machine and followed the documented steps for XFS quota setup, ensuring project ID offsets were configured as per the Podman Quota documentation.

Observations

  • First volume creation (testvol01)

    • Quota was correctly respected both from within containers and when writing from the host.
    • Debug logs indicate: 
      DEBU[0000] Validating options for local driver
DEBU[0000] Clearing PROJINHERIT flag from directory /var/lib/containers/storage/volumes
DEBU[0000] NewControl(/var/lib/containers/storage/volumes): nextProjectID = 200001
DEBU[0000] SetQuota path=/var/lib/containers/storage/volumes/testvol01, size=10000000, inodes=0, projectID=200000
testvol01
DEBU[0000] Called create.PersistentPostRunE(podman --log-level=debug volume create --driver local --opt o=size=10M testvol01)
DEBU[0000] Shutting down engines

  • Second volume creation (testvol02) and beyond

    • Quota is not respected from within the container, i.e. inside the _data subdirectory, though it is respected at the volume name directory level when writing from the host.
    • Debug logs indicate: 
      DEBU[0000] Validating options for local driver
DEBU[0000] NewControl(/var/lib/containers/storage/volumes): nextProjectID = 200001
DEBU[0000] Setting quota project ID 200001 on /var/lib/containers/storage/volumes/testvol02
DEBU[0000] SetQuota path=/var/lib/containers/storage/volumes/testvol02, size=10000000, inodes=0, projectID=200001
testvol02
DEBU[0000] Called create.PersistentPostRunE(podman --log-level=debug volume create --driver local --opt o=size=10M testvol02)
DEBU[0000] Shutting down engines

Unexpected Behavior

  • The first ever created volume respects quota as expected.
  • Any additional volumes do not enforce quota properly inside _data, but still enforce it at the volume name directory level.
  • Debug logs suggest setProjectID is only being called from the second volume onwards.

Hypothesis

  • The issue might be related to the PROJINHERIT flag (fsx.fsx_xflags |= C.FS_XFLAG_PROJINHERIT) introduced in this PR.
  • Since the problem starts occurring from the second volume onwards, it seems related to when this flag is applied during project ID assignment.

Would appreciate any insights or suggestions on this. Happy to provide more details or run additional tests if needed.

Thanks!

@mheon
Copy link
Member

mheon commented Feb 24, 2025

You will note that both include a log line about setting a quota:
DEBU[0000] SetQuota path=/var/lib/containers/storage/volumes/testvol01, size=10000000, inodes=0, projectID=200000
DEBU[0000] SetQuota path=/var/lib/containers/storage/volumes/testvol02, size=10000000, inodes=0, projectID=200001
Both have been assigned separate, valid project IDs, as expected. The inherit flag was only stripped once, for the base directory, as expected.

What do you mean by "at the volume name directory level"? The outer directory is unused aside from containing _data. What are you doing in that directory?

@ak89224
Copy link
Author

ak89224 commented Feb 24, 2025
edited
Loading

You will note that both include a log line about setting a quota: DEBU[0000] SetQuota path=/var/lib/containers/storage/volumes/testvol01, size=10000000, inodes=0, projectID=200000 DEBU[0000] SetQuota path=/var/lib/containers/storage/volumes/testvol02, size=10000000, inodes=0, projectID=200001 Both have been assigned separate, valid project IDs, as expected. The inherit flag was only stripped once, for the base directory, as expected.

What do you mean by "at the volume name directory level"? The outer directory is unused aside from containing _data. What are you doing in that directory?

  • When quotas were not respected inside containers for 2nd volume, I tested it manually from the host. I found that the quota is applied only at the testvol02/ directory level, but not inside the _data subdirectory. This means I can write any amount of data inside _data, both from within and outside the container, for the 2nd volume and onwards.

  • However, from the host, I cannot write more than 10MB directly into testvol02/, which suggests that quota enforcement by volumes doesn't set the inherit flag for 2nd volume and onwards.

By volume named directory I mean the the outer directory, testvol02/.

/var/lib/containers/storage/volumes/
└── testvol02/
    └── _data/

Agree both the volumes are being assigned the expected unique id's but for the 2nd volume if you see,
DEBU[0000] Setting quota project ID 200001 on /var/lib/containers/storage/volumes/testvol02
This debug log comes from this, setProjectID

And this part of code is only triggered for 2nd volume and onwards. You can see this line of debug log is missing from the 1st volume creation.

@mheon
Copy link
Member

mheon commented Feb 24, 2025

That log line simply means we already have the quota ID to use cached; it doesn't indicate any difference in functionality, so long as the correct quota ID is set in SetQuota.

@ak89224
Copy link
Author

ak89224 commented Feb 24, 2025

That log line simply means we already have the quota ID to use cached; it doesn't indicate any difference in functionality, so long as the correct quota ID is set in SetQuota.

Agree, but form the 2nd volume onwards, quota enforcement is broken and what's different is that it call the setProjectID which sets the inherit flag on the volPathRoot with a bitwise OR operation.

That's why I'm saying that might me an area of concern.

@mheon
Copy link
Member

mheon commented Feb 24, 2025

Reproduces on 5.3.2. It's not PROJINHERIT, the flag is set properly. Current suspicion is it is due to the project quota of the base /var/lib/containers/storage/volumes directory being shared with the first volume created.

@mheon
Copy link
Member

mheon commented Feb 24, 2025

So PROJINHERIT is set on the top-level volume directory, but not the _data directory underneath. Per the chattr manpage:

A  directory with the 'P' attribute set will enforce a hierarchical structure for project id's.  This means that files and directories created in the directory will inherit the project id of the directory, rename operations are constrained so when a file or directory is moved into another directory, that the project ids must match.  In addition, a hard link to file can only be created when the project id for the file and the destination directory match.

Smells like a potential kernel bug to me? The flag has been set properly, but the expected inheritance of the project ID by child directories and files is not occurring.

@ak89224
Copy link
Author

ak89224 commented Feb 25, 2025

So PROJINHERIT is set on the top-level volume directory, but not the _data directory underneath. Per the chattr manpage:

A  directory with the 'P' attribute set will enforce a hierarchical structure for project id's.  This means that files and directories created in the directory will inherit the project id of the directory, rename operations are constrained so when a file or directory is moved into another directory, that the project ids must match.  In addition, a hard link to file can only be created when the project id for the file and the destination directory match.

Smells like a potential kernel bug to me? The flag has been set properly, but the expected inheritance of the project ID by child directories and files is not occurring.

Based on a quick read of the XFS project quota documentation and the way extended attributes (like the 'P' flag) work in Linux. Here's my understanding of chattr's behavior with the 'P' (inherit) flag:

Removing the Inherit Flag on the Parent:

What happens: Removing the 'P' flag from the parent directory (e.g., /var/lib/containers/storage/volumes/) might not automatically clear the flag from its existing child directories (e.g., testvol02).

Reason: Each directory (or inode) holds its own attributes at creation, and changes to a parent might not cascade to children that already have a set flag.

Manually Enabling the Inherit Flag on a Child:

What happens: If a child directory (like testvol02) did not have the inherit flag because the parent lacked it when it was created, and you later add the flag to testvol02, only new files or directories created inside testvol02 will inherit the project ID. (As per the man page files and dirs will inherit project id's at the time of creation. )

Impact on Existing Subdirectories: My assumption based on the fact that documentation does not mention any retroactive inheritence for children after creation. So, Existing subdirectories (like _data) might not retroactively receive the inherit flag; they remain as they were until explicitly changed.

So, we could say that flag is being set properly but "no retroactive inheritence for existing children after creation" might also be a probable cause as well.

@mheon
Copy link
Member

mheon commented Feb 25, 2025

Retroactive inheritance is likely the cause, now that I've been able to think about this for a day. We need to make setProjectID in c/storage recursive to ensure it applies the quota properly.

@Luap99 This is the third major bug in quota support by my count. We need to get testing for this into CI. I think adding a system test with storage mounted on a loop device could work - does that sound like it would work?

@ak89224 ak89224 changed the title Using --opt o=size=10M on Podman Local Volumes Passes Unsupported 'size' Mount Option on XFS XFS Quota Enforcement Issue: Only Applied at Volume Root, Not Inside _data for Second and Subsequent Podman Volumes Feb 25, 2025
@Luap99
Copy link
Member

Luap99 commented Feb 25, 2025

@Luap99 This is the third major bug in quota support by my count. We need to get testing for this into CI. I think adding a system test with storage mounted on a loop device could work - does that sound like it would work?

Yes some loop device created as root then formatted with xfs should work fine I think, that should also allow us devs to also run the test locally without requiring a special disk setup otherwise.

mheon added a commit to mheon/storage that referenced this issue Feb 25, 2025
@mheon
Recursively set project ID for quota driver
1b3bb5d 
We have previously relied on the PROJINHERIT flag for XFS quotas,
which causes the ID of the parent directory to be recursively
applied to subdirectories under the volume's parent directory.
However, PROJINHERIT only applies to directories created after
the project ID was first set. Pre-existing directories do not
get the project ID if we only set it on the parent. This means
that quota enforcement is not complete unless we recurse to
subdirectories and apply the project ID to those as well.

Fixes containers/podman#25368

Signed-off-by: Matt Heon <mheon@redhat.com>
@mheon mheon linked a pull request Feb 25, 2025 that will close this issue
Open
@ak89224
Copy link
Author

ak89224 commented Feb 25, 2025

@mheon thanks for the quick fix.
I will test this as a patch on 5.3.2

mheon added a commit to mheon/storage that referenced this issue Feb 25, 2025
@mheon
Recursively set project ID for quota driver
b112e7b 
We have previously relied on the PROJINHERIT flag for XFS quotas,
which causes the ID of the parent directory to be recursively
applied to subdirectories under the volume's parent directory.
However, PROJINHERIT only applies to directories created after
the project ID was first set. Pre-existing directories do not
get the project ID if we only set it on the parent. This means
that quota enforcement is not complete unless we recurse to
subdirectories and apply the project ID to those as well.

Fixes containers/podman#25368

Signed-off-by: Matt Heon <mheon@redhat.com>
mheon added a commit to mheon/storage that referenced this issue Feb 25, 2025
@mheon
Recursively set project ID for quota driver
1d83758 
We have previously relied on the PROJINHERIT flag for XFS quotas,
which causes the ID of the parent directory to be recursively
applied to subdirectories under the volume's parent directory.
However, PROJINHERIT only applies to directories created after
the project ID was first set. Pre-existing directories do not
get the project ID if we only set it on the parent. This means
that quota enforcement is not complete unless we recurse to
subdirectories and apply the project ID to those as well.

Fixes containers/podman#25368

Signed-off-by: Matt Heon <mheon@redhat.com>
mheon added a commit to mheon/storage that referenced this issue Feb 25, 2025
@mheon
Do not allowing setting project ID on non-empty directories
6d5de33 
We have previously relied on the PROJINHERIT flag for XFS quotas,
which causes the ID of the parent directory to be recursively
applied to subdirectories under the volume's parent directory.
However, PROJINHERIT only applies to directories created after
the project ID was first set. Pre-existing directories do not
get the project ID if we only set it on the parent. This means
that quota enforcement is not complete if we allow quotas to be
set on directories that are not empty. We could set recursively
but that comes with its own problems; quotas on directories that
contain pre-existing files behave strangely.

Relevant to containers/podman#25368 but
is not a fix for that PR, more of a cleanup to make sure we don't
make the same mistake elsewhere.

Signed-off-by: Matt Heon <mheon@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Recursively set project ID for quota driver mheon/storage
3 participants
@mheon @Luap99 @ak89224