Re: Using overlayfs in (unprivileged) namespace

From: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
To: Philipp Wendler <ml-PRuqubkS1MrCxoAYUeDZubNAH6kLmebB@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Subject: Re: Using overlayfs in (unprivileged) namespace
Date: Mon, 15 Feb 2016 18:18:17 +0000	[thread overview]
Message-ID: <20160215181817.GA23391@ubuntumail> (raw)
In-Reply-To: <56C1B0C6.6080806-PRuqubkS1MrCxoAYUeDZubNAH6kLmebB@public.gmane.org>

Quoting Philipp Wendler (ml-PRuqubkS1MrCxoAYUeDZubNAH6kLmebB@public.gmane.org):
> Hello all,
> 
> I would like to mount an overlayfs inside unprivileged user and mount
> namespaces (i.e., the user creating the namespaces is a regular user
> with no special privileges).
> This works mostly fine, but it fails as soon as I try to delete a file
> which exists in the "lower" directory of the overlay,
> because overlayfs then needs to create a "whiteout" file,
> for which it uses a device node with 0/0 device number
> (https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt),
> but I do not have the permission to create device nodes.
> 
> Is there any way to make overlayfs work fully in my situation,
> without requiring additional privileges?
> If not, is this something that could be made work in the future?
> Of course, creating arbitrary devices nodes is something that cannot be
> granted to an unprivileged user, but in this case it is only a specific
> device node with device numbers 0/0, and it is a kernel module creating
> the device node on behalf of me.
> 
> I am currently using Linux 4.2. To reproduce the problem,

Exactly what version from where?

It sounds to me like you're hitting

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1531747

> you can use the following steps:
> Create the mount and user namespaces with the example program from the
> user_namespaces man page
> (http://man7.org/linux/man-pages/man7/user_namespaces.7.html),
> mapping the user root inside the namespace to my user:
> 
> $ ./userns_child_exec -m -U -z bash
> 
> Then execute the following commands:
> 
> mkdir /tmp/namespace-overlay
> cd /tmp/namespace-overlay
> mkdir mount lower upper work
> touch lower/test
> mount -t overlayfs n -o lowerdir=lower,upperdir=upper,workdir=work mount
> rm mount/test
> 
> The last command gives:
> > rm: cannot remove 'mount/test': Operation not permitted
> 
> This fails even if /tmp does not have "nodev" set (with "nodev" it would
> be expected to fail of course).
> Interestingly, it even fails if I start userns_child_exec as root,
> not sure why.
> Outside namespaces everything works as expected.
> 
> Kind regards,
> Philipp
> _______________________________________________
> Containers mailing list
> Containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
> https://lists.linuxfoundation.org/mailman/listinfo/containers