Skip to content

rootless: disable overlay2 if running with SELinux #42334

Merged
cpuguy83 merged 2 commits intomoby:masterfrom
AkihiroSuda:rootless-overlay2-k511-selinux
Jun 3, 2021
Merged

rootless: disable overlay2 if running with SELinux #42334
cpuguy83 merged 2 commits intomoby:masterfrom
AkihiroSuda:rootless-overlay2-k511-selinux

Conversation

@AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented Apr 28, 2021
edited
Loading

Contains #42199 (dockerd-rootless.sh: avoid /run/xtables.lock EACCES on SELinux hosts)

- What I did

Close #42333 (rootless+overlay2 (kernel 5.11)+SELinux: mkdir /home/<USER>/.local/share/docker/overlay2/<CID>-init/merged/dev: permission denied. )

- How I did it
Disable overlay2 when $_DOCKERD_ROOTLESS_SELINUX is set.

We can't rely on go-selinux.GetEnabled() because RootlessKit doesn't mount /sys/fs/selinux in the child: rootless-containers/rootlesskit#94

- How to verify it

  • Install to Fedora 34
  • Make sure docker info shows fuse-overlayfs as the default storage driver on rootless, while retaining overlay2 on rootful
  • Make sure docker run hello-world works on rootless

- Description for the changelog

rootless: disable overlay2 if running with SELinux
- A picture of a cute animal (not mandatory but encouraged)
🐧

@AkihiroSuda
dockerd-rootless.sh: avoid /run/xtables.lock EACCES on SELinux hosts
cdaf82b 
Previously, running dockerd-rootless.sh on SELinux-enabled hosts
was failing with "can't open lock file /run/xtables.lock: Permission denied" error.
(issue 41230).

This commit avoids hitting the error by relabeling /run in the RootlessKit child.
The actual /run on the parent is unaffected.

https://github.com/containers/podman/blob/e6fc34b71aa9d876b1218efe90e14f8b912b0603/libpod/networking_linux.go#L396-L401

Tested on Fedora 34

Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda
rootless: disable overlay2 if running with SELinux
4300a52 
Kernel 5.11 introduced support for rootless overlayfs, but incompatible with SELinux.

On the other hand, fuse-overlayfs is compatible.

Close issue 42333

Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda AkihiroSuda force-pushed the rootless-overlay2-k511-selinux branch from b0c03f7 to 4300a52 Compare April 28, 2021 09:22
@AkihiroSuda AkihiroSuda requested a review from kolyshkin May 5, 2021 06:56
@AkihiroSuda AkihiroSuda requested review from cpuguy83 and thaJeztah May 18, 2021 05:26
thaJeztah
thaJeztah approved these changes May 19, 2021
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM 😞

did we have this mentioned in the documentation already as a known limitation?

daemon/graphdriver/overlayutils/overlayutils.go
if os.Getenv("_DOCKERD_ROOTLESS_SELINUX") == "1" {
// Kernel 5.11 introduced support for rootless overlayfs, but incompatible with SELinux,
// so fallback to fuse-overlayfs.
// https://github.com/moby/moby/issues/42333
Copy link
Member

@thaJeztah thaJeztah May 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's no known fix yet? Is this a kernel bug?

Copy link
Member Author

@AkihiroSuda AkihiroSuda May 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I’m not sure, I guess we can revisit this after the release of Fedora 35

@thaJeztah thaJeztah added this to the 21.xx milestone May 19, 2021
@thaJeztah
Copy link
Member

thaJeztah commented May 19, 2021

Wondering if this should actually "close" #42333, or if we need to keep that one open for tracking? wdyt?

@AkihiroSuda AkihiroSuda requested a review from tonistiigi May 20, 2021 05:04
@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented May 22, 2021

Wondering if this should actually "close" #42333, or if we need to keep that one open for tracking? wdyt?

I think we can close it, and reopen when there is any action we can actually work on.

@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented Jun 1, 2021

Can we get this and #42199 in v20.10.7? 🙏

@tiborvass @cpuguy83 @tonistiigi PTAL

@cpuguy83
Copy link
Member

cpuguy83 commented Jun 3, 2021

@AkihiroSuda sorry, my email backlog has been growing :(

cpuguy83
cpuguy83 approved these changes Jun 3, 2021
View reviewed changes
Copy link
Member

@cpuguy83 cpuguy83 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cpuguy83 cpuguy83 merged commit 20eb137 into moby:master Jun 3, 2021
@AkihiroSuda AkihiroSuda mentioned this pull request Jun 4, 2021
Merged
@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented Jun 4, 2021

Cherry-pick to 20.10: #42462

@irgama irgama mentioned this pull request Feb 16, 2023
Closed
@AkihiroSuda AkihiroSuda mentioned this pull request Aug 4, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cpuguy83 cpuguy83 cpuguy83 approved these changes

@thaJeztah thaJeztah thaJeztah approved these changes

@kolyshkin kolyshkin Awaiting requested review from kolyshkin

@tonistiigi tonistiigi Awaiting requested review from tonistiigi

Assignees

No one assigned

Labels

area/rootless Rootless Mode area/security/selinux area/storage/overlay kind/bugfix PR's that fix bugs process/cherry-picked

Projects

None yet

Milestone

23.0.0

Development

Successfully merging this pull request may close these issues.

rootless+overlay2 (kernel 5.11)+SELinux: mkdir /home/<USER>/.local/share/docker/overlay2/<CID>-init/merged/dev: permission denied.

3 participants

@AkihiroSuda @thaJeztah @cpuguy83