From: Giuseppe Scrivano <gscrivan@redhat.com>
To: Christian Brauner <brauner@kernel.org>
Cc: "Vivek Goyal" <vgoyal@redhat.com>,
"Amir Goldstein" <amir73il@gmail.com>,
"Miklos Szeredi" <mszeredi@redhat.com>,
linux-unionfs@vger.kernel.org, "Christoph Hellwig" <hch@lst.de>,
"Aleksa Sarai" <cyphar@cyphar.com>,
"Rodrigo Campos Catelin" <rodrigoca@microsoft.com>,
"Seth Forshee" <sforshee@digitalocean.com>,
"Luca Bocassi" <luca.boccassi@microsoft.com>,
"Lennart Poettering" <mzxreary@0pointer.de>,
"Stéphane Graber" <stgraber@ubuntu.com>
Subject: Re: [PATCH 00/18] overlay: support idmapped layers
Date: Thu, 31 Mar 2022 11:55:31 +0200 [thread overview]
Message-ID: <871qyixx7w.fsf@redhat.com> (raw)
In-Reply-To: <20220331084704.l5wkwm6ammcm2fcs@wittgenstein> (Christian Brauner's message of "Thu, 31 Mar 2022 10:47:04 +0200")
Christian Brauner <brauner@kernel.org> writes:
> On Wed, Mar 30, 2022 at 04:58:03PM -0400, Vivek Goyal wrote:
>> On Tue, Mar 29, 2022 at 12:35:07PM +0200, Christian Brauner wrote:
>> > From: "Christian Brauner (Microsoft)" <brauner@kernel.org>
>> >
>> > Hey,
>> >
>> > This adds support for mounting overlay on top of idmapped layers.
>> >
>> > I have to start by saying a massive thank you to Amir! He did not just
>> > answer my constant overlay questions but also provided quite a few
>> > patches himself in this series in addition to reviews, comments and a
>> > lot of suggestions. Thank you!
>> >
>> > There have been a lot of requests to unblock this. For just a few select
>> > examples see [3], [4], and [5]. I've worked closely with various
>> > communities among them containerd, Kubernetes, Podman, LXD, runC, crun,
>> > and systemd (For the curious please see the various pull-request and
>> > issues below.) a lot of them already support idmapped mounts since they
>> > are enabled for btrfs, ext4, and xfs (and f2fs and fat fwiw). In
>> > additon, a few colleagues at Microsoft and from Red Hat work on a
>> > Kubernetes Enhancement Proposals (KEP) that also relies on overlayfs
>> > supporting idmapped layers, see [12].
>> >
>> > Overlayfs on top of idmapped layers will be used in various ways:
>> >
>> > * Container managers use overlayfs to efficiently share layers between
>> > containers. However, this only works for privileged containers.
>> > Layers cannot be shared if both privileged and unprivileged containers
>> > are used. Layers can also not be shared if non-overlapping idmappings
>> > are used for unprivileged containers. Layers cannot be shared because
>> > of the conflicting ownership requirements between the containers.
>>
>> Hi Christian,
>>
>> Thank you for this work. This is awesome.
>
> Thanks for saying that! Appreciate it.
>
>>
>> Wanted to test it. I was wondering how to test it. Some simple
>> instructions will help.
>
> Of course. There are various ways:
>
> 1. Giuseppe has already put up support the containers/storage go library:
> https://github.com/containers/storage/pull/1180
> and he's been running workloads with that branch. If you're familiar
> with that tooling you can just use that.
Vivek, if you vendor the containers/storage branch into Podman you can run something like:
# podman run --uidmap 0:2000:40000 --gidmap 0:8000:50000 --rm fedora sh -c 'grep . /proc/self/?id_map; ls -l /'
/proc/self/gid_map: 0 8000 50000
/proc/self/uid_map: 0 2000 40000
total 16
lrwxrwxrwx. 1 root root 7 Jul 21 2021 bin -> usr/bin
dr-xr-xr-x. 1 root root 0 Jul 21 2021 boot
drwxr-xr-x. 5 root root 340 Mar 31 09:46 dev
drwxr-xr-x. 1 root root 1682 Mar 31 09:45 etc
drwxr-xr-x. 1 root root 0 Jul 21 2021 home
lrwxrwxrwx. 1 root root 7 Jul 21 2021 lib -> usr/lib
lrwxrwxrwx. 1 root root 9 Jul 21 2021 lib64 -> usr/lib64
drwx------. 1 root root 0 Feb 21 06:47 lost+found
drwxr-xr-x. 1 root root 0 Jul 21 2021 media
drwxr-xr-x. 1 root root 0 Jul 21 2021 mnt
drwxr-xr-x. 1 root root 0 Jul 21 2021 opt
dr-xr-xr-x. 262 nobody nobody 0 Mar 31 09:46 proc
dr-xr-x---. 1 root root 206 Mar 31 09:45 root
drwxr-xr-x. 1 root root 40 Mar 31 09:46 run
lrwxrwxrwx. 1 root root 8 Jul 21 2021 sbin -> usr/sbin
drwxr-xr-x. 1 root root 0 Jul 21 2021 srv
dr-xr-xr-x. 12 nobody nobody 0 Mar 31 09:42 sys
drwxrwxrwt. 1 root root 0 Feb 21 06:47 tmp
drwxr-xr-x. 1 root root 100 Feb 21 06:47 usr
drwxr-xr-x. 1 root root 154 Feb 21 06:47 var
you'll notice that it is using idmapped mounts because the container
starts immediately when you change the mappings; without these kernel
patches Podman needs to chown the image first.
Regards,
Giuseppe
prev parent reply other threads:[~2022-03-31 9:56 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-29 10:35 [PATCH 00/18] overlay: support idmapped layers Christian Brauner
2022-03-29 10:35 ` [PATCH 01/18] fs: add two trivial lookup helpers Christian Brauner
2022-03-29 10:35 ` [PATCH 02/18] exportfs: support idmapped mounts Christian Brauner
2022-03-29 10:35 ` [PATCH 03/18] ovl: use wrappers to all vfs_*xattr() calls Christian Brauner
2022-03-29 11:18 ` Miklos Szeredi
2022-03-29 10:35 ` [PATCH 04/18] ovl: pass ofs to creation operations Christian Brauner
2022-03-29 10:35 ` [PATCH 05/18] ovl: handle idmappings in " Christian Brauner
2022-03-29 11:22 ` Miklos Szeredi
2022-03-29 10:35 ` [PATCH 06/18] ovl: pass ofs to setattr operations Christian Brauner
2022-03-29 10:35 ` [PATCH 07/18] ovl: pass layer mnt to ovl_open_realfile() Christian Brauner
2022-03-29 10:35 ` [PATCH 08/18] ovl: use ovl_do_notify_change() wrapper Christian Brauner
2022-03-29 11:56 ` Miklos Szeredi
2022-03-29 12:36 ` Christian Brauner
2022-03-29 10:35 ` [PATCH 09/18] ovl: use ovl_lookup_upper() wrapper Christian Brauner
2022-03-29 10:35 ` [PATCH 10/18] ovl: use ovl_path_getxattr() wrapper Christian Brauner
2022-03-29 10:35 ` [PATCH 11/18] ovl: handle idmappings for layer fileattrs Christian Brauner
2022-03-29 10:35 ` [PATCH 12/18] ovl: handle idmappings for layer lookup Christian Brauner
2022-03-29 10:35 ` [PATCH 13/18] ovl: store lower path in ovl_inode Christian Brauner
2022-03-29 10:35 ` [PATCH 14/18] ovl: use ovl_copy_{real,upper}attr() wrappers Christian Brauner
2022-03-29 10:35 ` [PATCH 15/18] ovl: handle idmappings in ovl_permission() Christian Brauner
2022-03-29 10:35 ` [PATCH 16/18] ovl: handle idmappings in layer open helpers Christian Brauner
2022-03-29 10:35 ` [PATCH 17/18] ovl: handle idmappings in ovl_xattr_{g,s}et() Christian Brauner
2022-03-29 10:35 ` [PATCH 18/18] ovl: support idmapped layers Christian Brauner
2022-03-29 10:35 ` [PATCH] common: allow to run all tests on idmapped mounts Christian Brauner
2022-03-29 12:25 ` [PATCH 00/18] overlay: support idmapped layers Miklos Szeredi
2022-03-29 15:02 ` Amir Goldstein
2022-03-30 20:58 ` Vivek Goyal
2022-03-31 8:47 ` Christian Brauner
2022-03-31 9:55 ` Giuseppe Scrivano [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871qyixx7w.fsf@redhat.com \
--to=gscrivan@redhat.com \
--cc=amir73il@gmail.com \
--cc=brauner@kernel.org \
--cc=cyphar@cyphar.com \
--cc=hch@lst.de \
--cc=linux-unionfs@vger.kernel.org \
--cc=luca.boccassi@microsoft.com \
--cc=mszeredi@redhat.com \
--cc=mzxreary@0pointer.de \
--cc=rodrigoca@microsoft.com \
--cc=sforshee@digitalocean.com \
--cc=stgraber@ubuntu.com \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.