Skip to content

d/g/overlayutils: improve SupportsOverlay checks#45890

Draft
neersighted wants to merge 3 commits intomoby:masterfrom
neersighted:better_supportsoverlay
Draft

d/g/overlayutils: improve SupportsOverlay checks#45890
neersighted wants to merge 3 commits intomoby:masterfrom
neersighted:better_supportsoverlay

Conversation

@neersighted
Copy link
Member

@neersighted neersighted commented Jul 5, 2023
edited
Loading

- What I did
Adjust the logic in SupportsOverlay, to both check for SELinux support more holistically, and to check the underlying filesystem for support for vfs operations required by overlayfs in some cases, but that don't prevent a mount.

This prevents recent versions of OpenZFS that don't truly support overlayfs from being selected for use.

- How I did it

Reading the kernel source/experimentally.

- How to verify it

TODO

- Description for the changelog
TODO

- A picture of a cute animal (not mandatory but encouraged)

@neersighted neersighted added area/storage/overlay status/2-code-review kind/bugfix PR's that fix bugs kind/refactor PR's that refactor, or clean-up code labels Jul 5, 2023
@neersighted neersighted added this to the 25.0.0 milestone Jul 5, 2023
@neersighted neersighted force-pushed the better_supportsoverlay branch from 225ff4c to 952873e Compare July 5, 2023 16:55
@neersighted
d/g/overlayutils: improve SupportsOverlay SELinux logic
3dedfe8 
We now do a function test for SELinux, in order to ensure that future
improvements to the kernel/RootlessKit are detected instead of
hardcoding assumptions.

Likewise, we make sure to check `selinux.GetEnabled()` in case the
RootlessKit workaround becomes unnecessary.

Signed-off-by: Bjorn Neergaard <[email protected]>
@neersighted
d/g/overlayutils: clean up SupportsOverlay
8aa9ff8 
No functional changes, simply restructure the existing implementation to
be a bit easier to read.

Signed-off-by: Bjorn Neergaard <[email protected]>
@neersighted neersighted force-pushed the better_supportsoverlay branch from 952873e to 8848b30 Compare July 5, 2023 17:35
@neersighted neersighted force-pushed the better_supportsoverlay branch from 8848b30 to 111fe76 Compare July 5, 2023 17:38
corhere
corhere reviewed Jul 7, 2023
View reviewed changes
daemon/graphdriver/overlayutils/overlayutils.go
if err := os.WriteFile(f3, []byte{}, 0o700); err != nil {
return err
}
err = unix.Renameat2(0, f3, 0, f4, unix.RENAME_WHITEOUT)
Copy link
Contributor

@corhere corhere Jul 7, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The manpage says that renameat2(RENAME_WHITEOUT) will fail with EPERM if the caller does not have the CAP_MKNOD capability. Could this result in false negatives (i.e. detect it is unsupported when the kernel and backing fs actually do support it) in Rootless Docker? Perhaps this check should be more limited, considering it a failure iff the error is EINVAL, or considering EPERM to be "inconclusive?" Or is there some sequence of operations we could perform on the overlayfs to indirectly test the filesystem support for RENAME_WHITEOUT without needing the process to have that capability?

@neersighted neersighted mentioned this pull request Jul 10, 2023
Closed
26 tasks
@neersighted neersighted mentioned this pull request Aug 30, 2023
Open
@corhere corhere mentioned this pull request Oct 13, 2023
Closed
@thaJeztah thaJeztah mentioned this pull request Nov 17, 2023
Closed
@dymk
Copy link

dymk commented Nov 25, 2023

Based on discussion in openzfs/zfs#8648 , would it be correct to assume that issues such as #46337 will be solved if one is running on OpenZFS 2.2+ (once it's released) without these improved OverlayFS checks?

@thaJeztah thaJeztah modified the milestones: 25.0.0, v-future Jan 17, 2024
@iBug
Copy link

iBug commented Jan 25, 2024

would it be correct to assume that issues such as #46337 will be solved if one is running on OpenZFS 2.2+ (once it's released) without these improved OverlayFS checks?

Yes. See my comment on 46337, with experiments.

@jyrkka jyrkka mentioned this pull request Mar 13, 2024
Closed
@corhere corhere mentioned this pull request Jun 25, 2024
Open
@thaJeztah thaJeztah mentioned this pull request Feb 15, 2025
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@corhere corhere corhere left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

area/storage/overlay kind/bugfix PR's that fix bugs kind/refactor PR's that refactor, or clean-up code status/2-code-review

Projects

None yet

Milestone

v-future

Development

Successfully merging this pull request may close these issues.

docker pull inside rootless LXC: failed to register layer: ApplyLayer exit status 1 stdout: stderr: unlinkat

5 participants

@neersighted @dymk @iBug @corhere @thaJeztah