daemon/graphdriver/overlay2: set TarOptions.InUserNS for native differ

thaJeztah · thaJeztah · commit 6521057bb2bb · 2024-06-28T12:38:40.000+02:00
Commits b2fd67d (and the follow-up commit f6b8025) updated doesSupportNativeDiff to detect whether the host can support native overlay diffing with userns enabled. As a result, [useNaiveDiff] would now return "false" in cases where it previously would return "true" (and thus skip). However, [overlay2], unlike [fuse-overlay] did not take user namespaces into account, when using the native differ, and it therefore did not set the InUserNS option in TarOptions. As a result pkg/archive.createTarFile would attempt tocreate [device-nodes] through [handleTarTypeBlockCharFifo] which would fail, but the resulting error `EPERM` would be discarded, and `createTarFile` would not return early, therefor attempting to [os.LChown] the missing file, ultimately resulting in an error: failed to Lchown "/dev/console" for UID 0, GID 0: lchown /dev/console: no such file or directory This patch fixes the missing option in overlay. [useNaiveDiff]: https://github.com/moby/moby/blob/47eebd718f332f29a38455b61ee879ced5bc219b/daemon/graphdriver/overlay2/overlay.go#L248-L256 [overlay2]: https://github.com/moby/moby/blob/47eebd718f332f29a38455b61ee879ced5bc219b/daemon/graphdriver/overlay2/overlay.go#L684-L689 [fuse-overlay]: https://github.com/moby/moby/blob/47eebd718f332f29a38455b61ee879ced5bc219b/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go#L456-L462 [device-nodes]: https://github.com/moby/moby/blob/ff1e2c0de72a1bbbe4cdbe1558da57d327899df5/pkg/archive/archive.go#L713-L720 [handleTarTypeBlockCharFifo]: https://github.com/moby/moby/blob/47eebd718f332f29a38455b61ee879ced5bc219b/pkg/archive/archive_unix.go#L110-L114 [os.LChown]: https://github.com/moby/moby/blob/ff1e2c0de72a1bbbe4cdbe1558da57d327899df5/pkg/archive/archive.go#L762-L773 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
diff --git a/daemon/graphdriver/overlay2/overlay.go b/daemon/graphdriver/overlay2/overlay.go
@@ -14,6 +14,7 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/containerd/containerd/pkg/userns"
 	"github.com/containerd/continuity/fs"
 	"github.com/containerd/log"
 	"github.com/docker/docker/daemon/graphdriver"
@@ -678,14 +679,14 @@ func (d *Driver) ApplyDiff(id string, parent string, diff io.Reader) (size int64
 		return d.naiveDiff.ApplyDiff(id, parent, diff)
 	}
 
-	// never reach here if we are running in UserNS
 	applyDir := d.getDiffPath(id)
 
 	logger.Debugf("Applying tar in %s", applyDir)
 	// Overlay doesn't need the parent id to apply the diff
 	if err := untar(diff, applyDir, &archive.TarOptions{
 		IDMap:          d.idMap,
 		WhiteoutFormat: archive.OverlayWhiteoutFormat,
+		InUserNS:       userns.RunningInUserNS(),
 	}); err != nil {
 		return 0, err
 	}
