fuse-overlayfs: enable shifting #195
Conversation
giuseppe
force-pushed
the
fuse-overlayfs-shifting
branch
6 times, most recently
from
89ca5f1
to
cec74cd
Compare
|
LGTM |
|
I'll probably need to rebase this PR on top of #199 |
|
let's merge the other one first, as it addresses some real issues :-) |
giuseppe
force-pushed
the
fuse-overlayfs-shifting
branch
from
cec74cd
to
45588a6
Compare
|
rebased ⬆️ |
|
Should supports_shifting be a flag in the storage.conf? Rather then force any mount driver to support shifting? |
|
I don't think that making assumptions based on whether or not the |
| @@ -1033,16 +1038,22 @@ func (s *store) imageTopLayerForMapping(image *Image, ristore ROImageStore, read | |||
| } | |||
| rc, err := layerHomeStore.Diff("", layer.ID, &diffOptions) | |||
| if err != nil { | |||
| return nil, errors.Wrapf(err, "error reading layer %q to create an ID-mapped version of it") | |||
| return nil, errors.Wrapf(err, "error reading layer %q to create an ID-mapped version of it", layer.ID) | |||
|
This needs tests. How does a caller "know" which ID mappings to use when launching a container using a layer with this setting enabled as its rootfs? Previously, they'd consult the information recorded along with the layer, but we appear to be setting that information to indicate that host mappings should be used, while quietly using the global default mappings for the actual mounting. What happens when we create a new layer that uses the new feature, using a parent layer that didn't, but which used a non-default set of ID mappings? |
giuseppe
force-pushed
the
fuse-overlayfs-shifting
branch
from
45588a6
to
ce9d2bf
Compare
I thought I could propagate this information from podman, for example when starting a container that was previously created. I tried to do it, but it doesn't look nice. Where is the best place to store this information? When we mount directly the layer we don't know what mappings were used when it was created |
|
We keep track of the mappings that a layer is created for using its |
|
should I store that we are using shifting or we should allow only one mode to be used (either shifting enabled or not)? Also, how should I pass down the information about uid/gid mappings into the driver? We add two more arguments to |
giuseppe
force-pushed
the
fuse-overlayfs-shifting
branch
6 times, most recently
from
3a5c2c8
to
10b55c3
Compare
|
test added ⬆️ |
giuseppe
force-pushed
the
fuse-overlayfs-shifting
branch
3 times, most recently
from
8343967
to
0acf8e9
Compare
|
is the new option blocking this PR? |
|
I'd like to get this moving, should I add an option for enabling shifting or is it fine as the current PR does to assume it is supported by the FUSE implementation? |
|
I think we should just assume the mount_program does the shifting. |
vagrant/provision.sh
Outdated
| @@ -4,20 +4,6 @@ set -xe | |||
| source /etc/os-release | |||
|
|
|||
| case "${ID_LIKE:-${ID:-unknown}}" in | |||
| debian) | |||
There was a problem hiding this comment.
Why are you removing debian testing?
tests/helpers.bash
Outdated
| @@ -2,7 +2,7 @@ | |||
|
|
|||
| STORAGE_BINARY=${STORAGE_BINARY:-$(dirname ${BASH_SOURCE})/../containers-storage} | |||
| TESTSDIR=${TESTSDIR:-$(dirname ${BASH_SOURCE})} | |||
| STORAGE_DRIVER=${STORAGE_DRIVER:-vfs} | |||
| STORAGE_DRIVER=${STORAGE_DRIVER:-overlay} | |||
There was a problem hiding this comment.
@nalind is this something that will work everywhere?
tests/helpers.bash
Outdated
| @@ -2,7 +2,7 @@ | |||
|
|
|||
| STORAGE_BINARY=${STORAGE_BINARY:-$(dirname ${BASH_SOURCE})/../containers-storage} | |||
| TESTSDIR=${TESTSDIR:-$(dirname ${BASH_SOURCE})} | |||
| STORAGE_DRIVER=${STORAGE_DRIVER:-vfs} | |||
| STORAGE_DRIVER=${STORAGE_DRIVER:-overlay} | |||
There was a problem hiding this comment.
I'm not okay with changing this testing default -- it trades running tests with the driver that always has to work for running them with another.
tests/idmaps.bats
Outdated
| overlay*) | ||
| ;; | ||
| *) | ||
| skip "not supported by driver $STORAGE_DRIVER" |
There was a problem hiding this comment.
Indentation for these two lines is backwards.
|
If the mount program takes care of shifting, then we basically can never not use the option on a given layer once we've set up a layer that needs it, even if the configuration changes to no longer include using the mount program that provides the feature, because the layer essentially becomes "broken". We need to be keep track of this somehow to avoid creating a problem for callers when this happens. |
…tion Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
do not create a new image with different uid/gid if the driver has support for shifting. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
force-pushed
the
fuse-overlayfs-shifting
branch
from
0acf8e9
to
79d12e0
Compare
|
@nalind the layer is stored without any mapping done. The translation happens only at runtime. For example, from a podman container with # touch foobar foobar2
# chmod 998:999 foobar2and from the host: so the shifting has the opposite effect of running with a mapping enabled, are there cases when this is not enough? |
|
We're changing what's stored in the |
|
yes good point, we should error out when we try to mount the same layer/container and not using shifting. I've added a patch for doing it, now I've: # podman --storage-opt overlay.mount_program=/usr/local/bin/fuse-overlayfs run --uidmap 0:100000:100000 --name test1 fedora echo hello
hello
# podman start -a test1
unable to start container b991456592f83b96b7675b54bdde84d0249686f1eec676261051f39f74b831f8: error mounting storage for container b991456592f83b96b7675b54bdde84d0249686f1eec676261051f39f74b831f8: cannot mount layer 3160cc1b237be611c580ddb2a61076491506caf1b8f9ff0080e5a2dbaa353d1a: shifting not enabled
|
tests/idmaps.bats
Outdated
| createrandom "$lowermount"/file | ||
| storage unmount $layer | ||
|
|
||
| imagename=idmappedimage-shifting |
There was a problem hiding this comment.
Mixing tabs and spaces makes this diff look weird.
|
LGTM |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
force-pushed
the
fuse-overlayfs-shifting
branch
2 times, most recently
from
1b4c904
to
4ff0bde
Compare
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
force-pushed
the
fuse-overlayfs-shifting
branch
from
4ff0bde
to
3f55e5a
Compare
|
@rhatdan tests are passing |
FUSE overlayfs has builtin support for UID/GID shifting so that we don't need to re-create a new image when using different mappings for the user namespaces.
When the FUSE backend is used, don't create a new image and chown it, but let the FUSE backend do the remapping on the fly.
Starting with an empty
/var/lib/containers/storage:/cc @rhatdan @nalind @rhvgoyal @AkihiroSuda