@slp
Contributor

@slp slp commented Jan 25, 2021

Support managing images as an unprivileged user on macOS, by storing
user ownership and file mode bits as extended attributes. This is
mainly intended to be used on libkrun-based lightweight VMs, where its
virtio-fs implementation reads those attributes and translates them
for the Guest.

In this implementation, the decision to store those bits either as
extended attributes for virtio-fs or as actual permission and
ownership values on the filesystem is made by checking in place whether
the current operating system is "darwin" and uid != 0. This way, we
avoid the need to extend the interface by adding a new configuration
option. On the other hand, if it's found to be useful for other
systems, we should implement a proper tunable.

Signed-off-by: Sergio Lopez [email protected]

@rhatdan
Member

rhatdan commented Jan 25, 2021

@giuseppe PTAL
This seems pretty similar to what @giuseppe is doing for handling rootless containers on an NFS based homedir. We should coordinate the naming of the xattrs?

@giuseppe
Member

> This seems pretty similar to what @giuseppe is doing for handling rootless containers on an NFS based homedir. We should coordinate the naming of the xattrs?

yes this is similar to what we do on NFS with #744

@slp would that work for you?

@slp
Contributor Author

slp commented Jan 28, 2021

> > This seems pretty similar to what @giuseppe is doing for handling rootless containers on an NFS based homedir. We should coordinate the naming of the xattrs?
>
> yes this is similar to what we do on NFS with #744
>
> @slp would that work for you?

We need more changes to detect rootless in Darwin, but certainly #744 gets us closer. I'm going to rework this PR around forceMask to reduce the number of changes.

Thanks!

@rhatdan
Member

rhatdan commented Dec 13, 2021

@slp Are you still interested in this PR or should we close?

@slp
Contributor Author

slp commented Dec 14, 2021

@rhatdan This PR needs a complete rework, and I honestly don't know when I'll be able to do that, so let's close this one for the moment.

@slp slp closed this Dec 14, 2021
slp added 2 commits June 6, 2022 07:57
We're going to need to reference containersOverrideXattr from idtools
in the next commit. Since archive.go is already importing idtools.go,
move containersOverrideXattr to the latter and make it public, so we
don't need to alter the imports.

Signed-off-by: Sergio Lopez <[email protected]>

Supporting macOS presents a number of challenges since the lack of
user namespaces means that operations that alter the ownership or
permissions on a file face harsh limitations, since they are requested by
an unprivileged user that may need to potentially operate on arbitrary
uids/gids.

To overcome these challenges, we rely on the existing "forceMask"
feature to store the actual ownership and permission bits as an
extended attribute entry on each file.

In addition to automatically enabling "forceMask" when running on
macOS, we also need some minor changes to ensure the compatibility
with this OS. The most significant is the fact that, on macOS
SafeLchmod and SafeChmod also operate on the extended attributes, to
allow us to properly create the directories supporting the image.

With these changes in place, buildah is able to perform basic
operations on OCI images, such as downloading the image, creating a
working container, and removing them.

Signed-off-by: Sergio Lopez <[email protected]>
@slp slp reopened this Jun 6, 2022
@slp
Contributor Author

slp commented Jun 6, 2022

@rhatdan @giuseppe I finally got around to reworking this PR. As suggested (thanks Giuseppe!) this PR now relies on the existing forceMask functionality to store the permission and ownership bits as an extended attribute on each file. With this and a couple of minor changes here and there, we're able to support basic image operations on macOS.

All the functional changes are gated behind runtime and build-time conditionals checking for "darwin", so other targets shouldn't be affected by this change. I also tried to keep the changes minimal to ensure no significant increase in the maintainership costs.
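
The approach described in the commit message and comment above, keeping the real ownership and mode bits in an extended attribute and translating them when the file is read, sketched as an added example (not code from this PR or the project). The `uid:gid:0mode` text layout and the names `Stat`, `EncodeOverride`, `DecodeOverride` and `Effective` are assumptions for illustration; the attribute value is passed in as a string so the sketch runs without touching a filesystem.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Stat holds the ownership and mode bits kept in the override attribute.
type Stat struct{ UID, GID, Mode uint32 }

// EncodeOverride renders s as "uid:gid:0mode" (assumed layout, mode in octal).
func EncodeOverride(s Stat) string {
	return fmt.Sprintf("%d:%d:0%o", s.UID, s.GID, s.Mode&07777)
}

// DecodeOverride parses an attribute value and rejects malformed input, so a
// damaged or hand-edited attribute is never turned into ownership data.
func DecodeOverride(val string) (Stat, error) {
	parts := strings.Split(val, ":")
	if len(parts) != 3 {
		return Stat{}, fmt.Errorf("want 3 fields, got %d", len(parts))
	}
	var n [3]uint64
	for i, base := range []int{10, 10, 8} {
		v, err := strconv.ParseUint(parts[i], base, 32)
		if err != nil {
			return Stat{}, fmt.Errorf("field %d: %w", i, err)
		}
		n[i] = v
	}
	if n[2] > 07777 {
		return Stat{}, fmt.Errorf("mode %#o has bits outside 07777", n[2])
	}
	return Stat{uint32(n[0]), uint32(n[1]), uint32(n[2])}, nil
}

// Effective reports the override when present and valid, else the on-disk values.
func Effective(onDisk Stat, xattr string, present bool) Stat {
	if s, err := DecodeOverride(xattr); present && err == nil {
		return s
	}
	return onDisk
}

func main() {
	onDisk := Stat{501, 20, 0700} // constructed sample: on-disk owner is the unprivileged user
	fmt.Println(Effective(onDisk, EncodeOverride(Stat{0, 0, 04755}), true))
}
```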

@slp slp changed the title from "RFC: Support managing images as an unpriv user on macOS" to "Limited support for operating on images on macOS" Jun 6, 2022
Member

@giuseppe giuseppe left a comment

LGTM

@rhatdan
Member

rhatdan commented Jun 6, 2022

LGTM
