storage: add option force_mask= and permissions_xattr= #744
Conversation
giuseppe
force-pushed
the
force-mask
branch
2 times, most recently
from
e3b4315 to
04dd4d0
Compare
|
What is 493? force_mask = 493 |
that is Unfortunately toml doesn't support octals. Should we use a string or just document it? |
|
Yes it should be a string. Humans will not understand this number. |
changed to be a string. |
|
So this means every file and directory will be marked 0755? I guess we need to talk about what you are after here? Should we separate the files from the directories. Would this make /etc/shadow inside of a container work readable to content in the container? |
yes, every file and directory in the container image will get the mode 0755. I didn't want to expose too much of the fuse-overlayfs internals in containers/storage. If we extend containers/storage to write the original permission mask (+owner uid/gid) in an extended attribute that fuse-overlayfs understands, we could keep the same privileges at mount time. What do you think about it? |
|
I think we should have a quick meeting to discuss this. |
giuseppe
changed the title
|
Should this be an option in storage.conf, or just something set by podman and Buildah for rootless users? |
|
The issue I have with this, is that this effects rootfull as well as rootless users. |
IMO, it should be something users set explicitly and not enabled by default. With the wrong fuse-overlayfs version containers will have the wrong permissions for the files. I see a good use case for root as well. We can make images available to rootless users as a rootless user can read all the files in the root storage. With this feature we can enable a read-only storage owned by root and accessible to rootless users. We can discuss it further at the tomorrow meeting. |
|
Ok. |
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
As mentioned elsewhere, if there’s only one value of force_mask that works usefully, and only one value of permissions_xattr that works at all, I’m not a fan of making this available as individual options — and requiring users to know the magic values.
Provide a higher-level permissions_mechanism=native|fuse-overlayfs, which instructs the code to do whatever is necessary to interoperate with fuse-overlayfs. That still allows us to support future permissions mechanisms in the future, but does not imply any assumptions about how those mechanisms work (i.e. that things are stored in an extended attribute at all, let alone using a specific format).
|
permissions_mechanism=native|shared? I would prefer not to hard code fuse-overlay in this as well. Setting it shared basically means the images are all world readable. |
|
I've added the I like making force_mask more user friendly and support |
|
I am fine with the three options, but having a general user have to figure out 0755 or 0000 stinks versus native and shared. |
giuseppe
force-pushed
the
force-mask
branch
2 times, most recently
from
454c5f6 to
cc6f09b
Compare
|
Per the other conversation, we might actually want two independent parameters (please suggest better names); “NFS-hosted” does not automatically imply “OK-to-share”.
(Are there any actual multi-user consumers that will benefit, or is it just theoretical at this point? Multi-user computers are increasingly rare.) |
I am very interested in getting this working. In our lab we use a shared network file system and configure all hosts with slurm to better utilize our limited resources. This is especially important for machine learning topics where it gets more an more challenging to get the frameworks working with all their wide dependencies. Being able to use containers would be a big win. |
giuseppe
force-pushed
the
force-mask
branch
2 times, most recently
from
3d067d4 to
fcb371d
Compare
docs/containers-storage.conf.5.md
Outdated
| "private": it is equivalent to 0700. The owner has rwx access to the files. | ||
| "shared": it is equivalent to 0755. The owner has rwx access to the files and everyone else can read, access and execute them. | ||
|
|
||
| **permissions_xattr** = "" |
There was a problem hiding this comment.
Should this be a constant? Or at least document the one that fuse-overlay will use. Not sure why users would expect more then one xattr?
There was a problem hiding this comment.
I think this is useless complexity. Just store the attributes in storage.dac.permissions or something and be done with it.
There was a problem hiding this comment.
I didn't want to hard code "fuse-overlayfs" in containers/storage. I can document it better that it is expected to be used with fuse-overlayfs, and perhaps explain how fuse-overlayfs uses it
There was a problem hiding this comment.
Why not just define a "storage" xattr and have fuse-overlyfs deal with it?
There was a problem hiding this comment.
fuse-overlayfs currently handles every user.fuseoverlayfs* as a private namespace, while any other xattr is not filtered out. If we add a storage xattr we'd have to handle a separate namespace and not permit it inside of the containers, so user.storage or user.containers won't be available to container processes.
| SkipMountHome string `toml:"skip_mount_home"` | ||
| // ForceMask indicates a mask of permissions (e.g. "0755") that are always set for | ||
| // created files. The file permissions will be: ORIGINAL_PERMISSIONS | FORCE_MASK. | ||
| ForceMask string `toml:"force_mask"` |
There was a problem hiding this comment.
Should this be ORed, just an assignment (if not in the “native” case)? I don’t see why a file that is 0755 inside a container should be readable over NFS by users that have nothing to do with that file.
Note the recent realization that the / directory is frequently not a part of a container image, so we are defaulting it to 0555 = making every container’s root directory world-readable by default.
Or is this all pretty much irrelevant because the top-level permissions of c/storage are by default strict enough? Is that true, and reliable enough?
There was a problem hiding this comment.
for the NFS case, the mask to use is 0700 so they won't become world readable (unless they were already so that ORing the original permission with 0700 won't change the group and world permissions).
The ForceMask=0755 is a different use case. That is useful to share the storage with other users. In that cases all the files/directories must be world readable and accessible.
Do you think we should make this distinction clearer somehow?
There was a problem hiding this comment.
I’m not disputing the 0700/0755 values. But consider that the default permissions of / in a container are 0555, so even in the “private” setting, the file will end up with external 0755 (and an in-container 0777 file would end up 0777 external regardless of ForceMask). Is that OK, or should the file really end up exactly 0700/0755?
There was a problem hiding this comment.
I am not sure. Both ways are enough for the NFS storage and shared storage cases.
I thought having the ForceMask work as an "opposite" umask could give more flexibility in the future, but at the moment I cannot think of any other use case where it would be useful
There was a problem hiding this comment.
I've changed the semantic to mean "final permissions mask". I guess it is easier to understand and also avoids some issues if a file in an image is world writeable and we end up opening the image to every other user.
pkg/config/config.go
Outdated
| // PermissionsXattr is specified is the xattr where the original file | ||
| // permissions for the file are stored using the format UID:GID:MODE. | ||
| // It is useful together with ForceMask. | ||
| PermissionsXattr string `toml:"permissions_xattr"` |
There was a problem hiding this comment.
(I’d still prefer a higher-level option but if this is the consensus, I can live with it.)
|
In my opinion having the force-mask is all you need. This tells containers/storage to store all of the content with that mask and to save the real owner/group/permissions in a storage defined xattr. Once this is standardized, then we can take third party tools like fuse-overlay and use it present the owner/group/permissions to the callers. @nalind Might prefer this to be a separate driver then to override the overlay driver. How much work would it be to create a fuse-overlay driver rather? Would that make more sense then to store data that the native overlay driver does not understand? |
giuseppe
force-pushed
the
force-mask
branch
2 times, most recently
from
f238780 to
ee42141
Compare
|
I've dropped the second option and always write
would it be ok if we restrict the use case to |
|
Ok force the mount_program. |
docs/containers-storage.conf.5.md
Outdated
| **ignore_chown_errors** = "false" | ||
| ignore_chown_errors can be set to allow a non privileged user running with a single UID within a user namespace to run containers. The user can pull and use any image even those with multiple uids. Note multiple UIDs will be squashed down to the default uid in the container. These images will have no separation between the users in the container. (default: false) | ||
|
|
||
| **force_mask** = "0000|native|shared|private" |
There was a problem hiding this comment.
Need to mention here that it requires mount_program.
There was a problem hiding this comment.
fixed. Should we mark it as experimental for now so we keep some freedom to change it if we need?
From a quick look, I can’t see anything that prevents this to be set from inside the container (I’m worried about allowing a low-privileged in-container user to escalate to a high-privileged in-container user via a set-UID executable); from a quick search I found |
|
Yes fuse-overlay will need to be changed to prevent from the setting of the file attribute. |
|
Thanks for the hint. I've not done it previously as the user already needs write permissions to use setxattr on that file. In any case, I've opened a PR to always block it: containers/fuse-overlayfs#258 |
|
marked as experimental ⬆️ |
rhatdan
left a comment
rhatdan
left a comment
There was a problem hiding this comment.
Can you also update the default storage.conf file and add the commented out force_mask flag and an explanation of what it is,
giuseppe
force-pushed
the
force-mask
branch
2 times, most recently
from
e0dea11 to
3d4111c
Compare
force_mask sets a permission mask used for the new files and directories. It is useful for using a NFS share for the rootless storage. It requires this change in fuse-overlayfs: containers/fuse-overlayfs#246 [storage] driver = "overlay" graphroot = "/mnt/nfs/home/storage" [storage.options] size = "" mountopt = "xattr_permissions=2" [storage.options.overlay] force_mask = "0755" ignore_chown_errors = "true" Signed-off-by: Giuseppe Scrivano <[email protected]>
if force mask is configured, store the original permissions in the 'user.containers.override_stat` xattr. Signed-off-by: Giuseppe Scrivano <[email protected]>
|
LGTM |
5 participants
force_mask sets a permission mask used for the new files and directories.
It is useful for using a NFS share for the rootless storage. It requires this change in fuse-overlayfs:
permissions_xattr, if it is set then it for each file write its original permissions to the specified extended attribute.
Together with force_mask= it allows to use NFS as a backing store for rootless containers:
containers/fuse-overlayfs#246
Signed-off-by: Giuseppe Scrivano [email protected]