RFC: Initial support of idmapped mount points #5888
Previously, only fuse-overlayfs supported the "--remap-labels" option. Since idmapped mounts landed in Linux kernel v5.12, it became possible to use them with overlayfs via the mount_setattr() system call. The approach is the same as that used in the fuse-overlayfs snapshotter https://github.com/containerd/fuse-overlayfs-snapshotter implemented by Akihiro Suda <[email protected]>. The changes are based on the experimental patchset published by Mauricio Vásquez in containerd#4734.

Signed-off-by: Mauricio Vásquez <[email protected]>
Signed-off-by: Artem Kuzin <[email protected]>

This patch introduces idmapped mounts support for the container rootfs. Only the ctr tool is currently supported; CRI will be updated in a separate patchset. Idmapped mounts support was merged in Linux kernel 5.12 (torvalds/linux@7d6beb7). This functionality allows addressing the chown overhead for containers that use a user namespace. The changes are based on the experimental patchset published by Mauricio Vásquez in containerd#4734. The current version reimplements support of idmapped mounts in Go.

Performance measurement results:

  Image     idmapped mount   recursive chown
  BusyBox   00.135           04.964
  Ubuntu    00.171           15.713
  Fedora    00.143           38.799

Signed-off-by: Mauricio Vásquez <[email protected]>
Signed-off-by: Artem Kuzin <[email protected]>
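The open_tree()/mount_setattr()/move_mount() sequence the commit message refers to, written out as an added example. This is not the PR's or containerd's code: it uses raw syscall numbers so that only the Go standard library is needed, obtains the user-namespace fd by parking a `sleep` helper process in a fresh user namespace (an assumed approach for illustration), and maps container ids 0..65535 onto host ids starting at 100000 (an assumed mapping). It needs CAP_SYS_ADMIN in the initial user namespace and a source filesystem that supports idmapped mounts (ext4, xfs, fat or btrfs; overlayfs did not at the time of this PR). `HostID` shows the translation the kernel applies to every inode seen through such a mount, which is what replaces the recursive chown.

```go
// Added example (not containerd's code): create an idmapped mount of an
// existing directory with open_tree()/mount_setattr()/move_mount().
package main

import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
	"unsafe"
)

// Syscall numbers from the asm-generic table (identical on x86_64 and arm64).
const (
	sysOpenTree     = 428 // Linux 5.2
	sysMoveMount    = 429 // Linux 5.2
	sysMountSetattr = 442 // Linux 5.12
)

// Flags from <linux/mount.h> and <linux/fcntl.h>.
const (
	openTreeClone       = 0x1
	atEmptyPath         = 0x1000
	atRecursive         = 0x8000
	moveMountFEmptyPath = 0x4
	mountAttrIdmap      = 0x00100000
)

// mountAttr mirrors struct mount_attr from <linux/mount.h>.
type mountAttr struct {
	attrSet     uint64
	attrClr     uint64
	propagation uint64
	usernsFd    uint64
}

// MountAttrSize is the size the kernel expects as mount_setattr's last argument.
func MountAttrSize() uintptr { return unsafe.Sizeof(mountAttr{}) }

// IDMapping is one line of a uid_map/gid_map file.
type IDMapping struct{ ContainerID, HostID, Size uint32 }

// HostID translates an id inside the namespace to the host id. This is the
// translation the kernel applies on the fly to every inode seen through an
// idmapped mount; ok is false when the id lies outside every mapping.
func HostID(maps []IDMapping, id uint32) (host uint32, ok bool) {
	for _, m := range maps {
		if id >= m.ContainerID && id-m.ContainerID < m.Size {
			return m.HostID + (id - m.ContainerID), true
		}
	}
	return 0, false
}

// usernsFD starts a helper (assumed: /bin/sleep) in a new user namespace with
// the given mappings and returns an fd to that namespace. The helper only
// keeps the namespace alive until mount_setattr() has consumed the fd.
func usernsFD(uids, gids []IDMapping) (int, *exec.Cmd, error) {
	cmd := exec.Command("sleep", "3600")
	cmd.SysProcAttr = &syscall.SysProcAttr{Cloneflags: syscall.CLONE_NEWUSER}
	for _, m := range uids {
		cmd.SysProcAttr.UidMappings = append(cmd.SysProcAttr.UidMappings,
			syscall.SysProcIDMap{ContainerID: int(m.ContainerID), HostID: int(m.HostID), Size: int(m.Size)})
	}
	for _, m := range gids {
		cmd.SysProcAttr.GidMappings = append(cmd.SysProcAttr.GidMappings,
			syscall.SysProcIDMap{ContainerID: int(m.ContainerID), HostID: int(m.HostID), Size: int(m.Size)})
	}
	if err := cmd.Start(); err != nil { // Start returns only after the maps are written
		return -1, nil, err
	}
	fd, err := syscall.Open(fmt.Sprintf("/proc/%d/ns/user", cmd.Process.Pid), syscall.O_RDONLY|syscall.O_CLOEXEC, 0)
	if err != nil {
		cmd.Process.Kill()
		cmd.Wait()
		return -1, nil, err
	}
	return fd, cmd, nil
}

// IDMapMount mounts source at target with ownership shifted through the mappings.
func IDMapMount(source, target string, uids, gids []IDMapping) error {
	nsFD, helper, err := usernsFD(uids, gids)
	if err != nil {
		return fmt.Errorf("user namespace: %w", err)
	}
	defer func() { helper.Process.Kill(); helper.Wait(); syscall.Close(nsFD) }()

	atFdcwd := -100 // AT_FDCWD, kept in a variable so the negative value converts to uintptr
	src, err := syscall.BytePtrFromString(source)
	if err != nil {
		return err
	}
	dst, err := syscall.BytePtrFromString(target)
	if err != nil {
		return err
	}
	empty, _ := syscall.BytePtrFromString("")

	// 1. Detached copy of the source mount tree (OPEN_TREE_CLONE).
	tree, _, errno := syscall.Syscall6(sysOpenTree, uintptr(atFdcwd), uintptr(unsafe.Pointer(src)),
		openTreeClone|atRecursive|syscall.O_CLOEXEC, 0, 0, 0)
	if errno != 0 {
		return fmt.Errorf("open_tree(%s): %w", source, errno)
	}
	defer syscall.Close(int(tree))

	// 2. Attach the user namespace to the copy: this is the idmapping step.
	attr := mountAttr{attrSet: mountAttrIdmap, usernsFd: uint64(nsFD)}
	if _, _, errno = syscall.Syscall6(sysMountSetattr, tree, uintptr(unsafe.Pointer(empty)), atEmptyPath,
		uintptr(unsafe.Pointer(&attr)), MountAttrSize(), 0); errno != 0 {
		if errno == syscall.ENOSYS {
			return fmt.Errorf("mount_setattr unavailable, kernel older than 5.12: %w", errno)
		}
		return fmt.Errorf("mount_setattr(MOUNT_ATTR_IDMAP) on %s: %w", source, errno)
	}

	// 3. Make the idmapped copy visible at target.
	if _, _, errno = syscall.Syscall6(sysMoveMount, tree, uintptr(unsafe.Pointer(empty)), uintptr(atFdcwd),
		uintptr(unsafe.Pointer(dst)), moveMountFEmptyPath, 0); errno != 0 {
		return fmt.Errorf("move_mount(%s): %w", target, errno)
	}
	return nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: idmap-mount <source-dir> <target-dir>")
		os.Exit(2)
	}
	maps := []IDMapping{{ContainerID: 0, HostID: 100000, Size: 65536}} // assumed mapping
	if err := IDMapMount(os.Args[1], os.Args[2], maps, maps); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

A file owned by uid 0 on the source appears as uid 100000 at the target without a single chown; on a kernel without the syscall the program fails at step 2 with ENOSYS, and on a filesystem without support with EINVAL, so nothing is left half-converted.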
Build succeeded.
brauner
left a comment
Since idmapped mounts were landed to Linux kernel v5.12 it becomes
possible to use it with overlayfs via mount_setattr() system call.
Hello,
Thanks for continuing the work on this. I'm the author of the idmapped mount work. Note that idmapped mounts are not yet supported with overlayfs. I'm currently working on this but this will still take a little. Idmapped mounts can currently be created for:
ext4, fat, xfs: starting with kernel 5.12
btrfs: with kernel 5.15
Hello Christian. Thank you for the comment. Yes, I know that idmapped mounts for overlayfs are currently unsupported by the Linux kernel. I think these changes shouldn't break anything. If the Linux kernel doesn't have the necessary support, mount_setattr() will fail and the container start will be aborted. Thank you!

Hi, unfortunately I've accidentally deleted the branch and have to re-create the PR. Thank you in advance!
Hi,
this is the initial support of idmapped mount points in containerd. The original PR was published by @mauriciovasquezbernal here: #4734.
Updates:
In the current patch set only the idmapped mount points functionality is implemented. I think that user namespace support for containerd should be integrated separately; please share your opinion, maybe I am wrong here. I don't know if anybody is working on it; if not, I would like to work on user namespaces support as well.
Dear reviewers, could you please check this PR.
Thank you in advance!
cc @alban @rata @mauriciovasquezbernal @AkihiroSuda