RFC: erofs-utils:mkfs: add unprivileged container use-case support

RFC: erofs-utils:mkfs: add unprivileged container use-case support

[Naoto Yamaguchi]

Hi all.

I investigate each read only filesystem for linux at linux container
use-case.  The erofs is most interesting filesystem.
A each files of guest root filesystem need to shift uid/gid in case of
unprivileged container to use uid/gid namespace.  I work adding
uid/gid offsetting support to erofs-utils mkfs tool now.
Will be this patch accept in upstream community?

Thanks,
Naoto Yamaguchi,
a member of Automotive Grade Linux Instrument Cluster EG.

Re: RFC: erofs-utils:mkfs: add unprivileged container use-case support

[Gao Xiang]

Hi Naoto,

On Wed, Aug 10, 2022 at 02:59:42AM +0900, Naoto Yamaguchi wrote:
> Hi all.
> 
> I investigate each read only filesystem for linux at linux container
> use-case.  The erofs is most interesting filesystem.

First of all, many thanks for your interest! Yes, now EROFS is actively
developing for container use cases as well, and we're happy to
accept/maintain any useful features about this area!

> A each files of guest root filesystem need to shift uid/gid in case of
> unprivileged container to use uid/gid namespace.  I work adding
> uid/gid offsetting support to erofs-utils mkfs tool now.
> Will be this patch accept in upstream community?

Could you give more details about this? EROFS already supports idmapped
mount for container use cases since 5.19, so I guess uid/gid offsets
can be set by this?

I'm still somewhat new to container world, it would be helpful to drop
more hints of this ;)

Thanks,
Gao Xiang

> 
> Thanks,
> Naoto Yamaguchi,
> a member of Automotive Grade Linux Instrument Cluster EG.

Re: RFC: erofs-utils:mkfs: add unprivileged container use-case support

[Gao Xiang]

On Wed, Aug 10, 2022 at 02:14:09AM +0800, Gao Xiang wrote:
> Hi Naoto,
> 
> On Wed, Aug 10, 2022 at 02:59:42AM +0900, Naoto Yamaguchi wrote:
> > Hi all.
> > 
> > I investigate each read only filesystem for linux at linux container
> > use-case.  The erofs is most interesting filesystem.
> 
> First of all, many thanks for your interest! Yes, now EROFS is actively
> developing for container use cases as well, and we're happy to
> accept/maintain any useful features about this area!
> 
> > A each files of guest root filesystem need to shift uid/gid in case of
> > unprivileged container to use uid/gid namespace.  I work adding
> > uid/gid offsetting support to erofs-utils mkfs tool now.
> > Will be this patch accept in upstream community?
> 
> Could you give more details about this? EROFS already supports idmapped
> mount for container use cases since 5.19, so I guess uid/gid offsets
> can be set by this?

Oh, I guess I've got this.  Yeah, I'm fine to introduce something like
uid or gid offsets as two long options if needed. ;)

Thanks,
Gao Xiang

> 
> I'm still somewhat new to container world, it would be helpful to drop
> more hints of this ;)
> 
> Thanks,
> Gao Xiang
> 
> > 
> > Thanks,
> > Naoto Yamaguchi,
> > a member of Automotive Grade Linux Instrument Cluster EG.

Re: RFC: erofs-utils:mkfs: add unprivileged container use-case support

[Naoto Yamaguchi]

Hi Gao

Thank you for your response.

> Could you give more details about this? EROFS already supports idmapped
> mount for container use cases since 5.19, so I guess uid/gid offsets
> can be set by this?

It's good news for me.  I  investigated LTS version 5.10 and 5.15.  I
didn’t know this new feature.

My work detail, it's easy to share experimental patch in my github.
https://github.com/AGLExport/erofs-utils/commit/d9080b80152c2f9065d98a7a2ac36912c74657ac

That will use combination with lxc idmap option.

ex:
Image creation
mkafs.erofs --uid-offset=100000 --gid-offset=100000 .....

Lxc config
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536


Thanks,
Naoto Yamaguchi,
a member of Automotive Grade Linux Instrument Cluster EG.

Re: RFC: erofs-utils:mkfs: add unprivileged container use-case support

[Gao Xiang]

On Wed, Aug 10, 2022 at 03:37:59AM +0900, Naoto Yamaguchi wrote:
> Hi Gao
> 
> Thank you for your response.
> 
> > Could you give more details about this? EROFS already supports idmapped
> > mount for container use cases since 5.19, so I guess uid/gid offsets
> > can be set by this?
> 
> It's good news for me.  I  investigated LTS version 5.10 and 5.15.  I
> didn’t know this new feature.
> 
> My work detail, it's easy to share experimental patch in my github.
> https://github.com/AGLExport/erofs-utils/commit/d9080b80152c2f9065d98a7a2ac36912c74657ac

The patch itself looks good to me (some minor, should we use signed
integers instead? I'm not sure if some use cases need to shift down
instead.. Also need to add some words to mkfs manpage).

Feel free to submit patch, thanks for contribution in advance!

Thanks,
Gao Xiang

> 
> That will use combination with lxc idmap option.
> 
> ex:
> Image creation
> mkafs.erofs --uid-offset=100000 --gid-offset=100000 .....
> 
> Lxc config
> lxc.idmap = u 0 100000 65536
> lxc.idmap = g 0 100000 65536
> 
> 
> Thanks,
> Naoto Yamaguchi,
> a member of Automotive Grade Linux Instrument Cluster EG.

Re: RFC: erofs-utils:mkfs: add unprivileged container use-case support

[Naoto Yamaguchi]

Hi Gao

I created patch for submit,  but it couldn't send using git
send-email.   Google updated security, it blocked smtp based send
email by git maybe....

Can I submit using github pull request to
https://github.com/hsiangkao/erofs-utils ?

Thanks,
Naoto Yamaguchi,
a member of Automotive Grade Linux Instrument Cluster EG.

Re: RFC: erofs-utils:mkfs: add unprivileged container use-case support

[Gao Xiang]

Hi Naoto,

On Fri, Aug 12, 2022 at 08:04:40AM +0900, Naoto Yamaguchi wrote:
> Hi Gao
> 
> I created patch for submit,  but it couldn't send using git
> send-email.   Google updated security, it blocked smtp based send
> email by git maybe....

I'm not a gmail heavy user, but I remember it has an `app password`?
Also you could use other email clients like mutt or thunderbird in plain
text (as long as such email clients don't break the patch.)

If none of these work, you could also submit a pull request with your
signed-off-by and I will cherry-pick this, yet I think most
linux-kernel related projects don't directly use github honestly.

Thanks,
Gao Xiang

> 
> Can I submit using github pull request to
> https://github.com/hsiangkao/erofs-utils ?
> 
> Thanks,
> Naoto Yamaguchi,
> a member of Automotive Grade Linux Instrument Cluster EG.

Re: RFC: erofs-utils:mkfs: add unprivileged container use-case support

[Yue Hu]

Hi Naoto,

On Fri, 12 Aug 2022 08:04:40 +0900
Naoto Yamaguchi <wata2ki@gmail.com> wrote:

> Hi Gao
> 
> I created patch for submit,  but it couldn't send using git
> send-email.   Google updated security, it blocked smtp based send
> email by git maybe....

As Xiang said, check below about 'app password' if you want:

https://fmsinc.com/MicrosoftAccess/email/smtp/app-password/index.htm

Thanks.

> 
> Can I submit using github pull request to
> https://github.com/hsiangkao/erofs-utils ?
> 
> Thanks,
> Naoto Yamaguchi,
> a member of Automotive Grade Linux Instrument Cluster EG.

Re: RFC: erofs-utils:mkfs: add unprivileged container use-case support

[Naoto Yamaguchi]

Thank you Gao and Yue

I success to submit patch using app password.
Very thank you for your support.

Thanks,
Naoto Yamaguchi,
a member of Automotive Grade Linux Instrument Cluster EG.

2022年8月12日(金) 10:47 Yue Hu <zbestahu@gmail.com>:
>
> Hi Naoto,
>
> On Fri, 12 Aug 2022 08:04:40 +0900
> Naoto Yamaguchi <wata2ki@gmail.com> wrote:
>
> > Hi Gao
> >
> > I created patch for submit,  but it couldn't send using git
> > send-email.   Google updated security, it blocked smtp based send
> > email by git maybe....
>
> As Xiang said, check below about 'app password' if you want:
>
> https://fmsinc.com/MicrosoftAccess/email/smtp/app-password/index.htm
>
> Thanks.
>
> >
> > Can I submit using github pull request to
> > https://github.com/hsiangkao/erofs-utils ?
> >
> > Thanks,
> > Naoto Yamaguchi,
> > a member of Automotive Grade Linux Instrument Cluster EG.
>