* Does overlay driver work if built in to the kernel?
From: Keyon Jie @ 2022-09-21 0:30 UTC
To: miklos; +Cc: linux-unionfs, keyon.jie

Hi all,

I am new to overlayfs, and I am hitting issues making kernel modules
work in a container environment where the Kubernetes feature really needs
overlayfs support.

I figured out how to make the overlay driver built in to the VM kernel (and
then shared with the container), but it looks like Kubernetes always fails
when trying to create overlayfs mounts, with errors like 'permission denied'.

I am seeing that the overlay driver is released as a module
(CONFIG_OVERLAY_FS=m) in most (not sure if it is all) Linux
distributions, so I am wondering if the overlay driver works when built
in to the kernel?

Thanks,
~Keyon

* Does overlay driver work if built in to the kernel?
From: Keyon Jie @ 2022-09-21 0:45 UTC
To: miklos; +Cc: linux-unionfs, keyon.jie

Hi all,

Sorry for the annoyance in case the mail is sent twice; it looks to me like
the previous one was moderated, as it was sent before subscribing to the
mailing list.

I am new to overlayfs, and I am hitting issues making kernel modules
work in a container environment where the Kubernetes feature really needs
overlayfs support.

I figured out how to make the overlay driver built in to the VM kernel (and
then shared with the container), but it looks like Kubernetes always fails
when trying to create overlayfs mounts, with errors like 'permission denied'.

I am seeing that the overlay driver is released as a module
(CONFIG_OVERLAY_FS=m) in most (not sure if it is all) Linux
distributions, so I am wondering if the overlay driver works when built
in to the kernel?

Thanks,
~Keyon

* Re: Does overlay driver work if built in to the kernel?
From: Amir Goldstein @ 2022-09-21 6:50 UTC
To: Keyon Jie; +Cc: Miklos Szeredi, overlayfs, keyon.jie

On Wed, Sep 21, 2022 at 3:32 AM Keyon Jie <yang.jie@linux.intel.com> wrote:
>
> Hi all,
>
> I am new to the overlayfs, I am hitting issues to make kernel modules
> work in a container environment where the Kubernetes feature really need
> the overlayfs support.
>
> I figured out to make overlay driver built-in to the VM kernel (and then
> shared to the container), but looks like the Kubernetes always fail when
> trying to create overlayfs mounts, with errors like 'permission denied'.
>

Usually, you want to look at the kernel log to see the reason for failure.
That is likely because the container is "unprivileged",
meaning not using the same uid 0 as the host.

Don't know which kernel you are running, but overlayfs can be mounted
inside an unprivileged container since kernel v5.11:

https://lore.kernel.org/linux-fsdevel/20201217142025.GB1236412@miu.piliscsaba.redhat.com/

>
> I am seeing that overlay driver is released with modular
> (CONFIG_OVERLAY_FS=m) in most (not sure if it is all) Linux
> distributions, so I am wondering if the overlay driver work when built
> in to the kernel?
>

It can be built in or a module.
That seems unrelated to your problem.

Thanks,
Amir.

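Added example, not part of the thread or of the overlayfs project: a shell triage of the failure discussed above, separating the three questions the reply raises (is the overlay driver registered at all, is the caller's uid 0 different from the host's, and is the kernel at least v5.11). The function names and verdict strings are illustrative, and the version test assumes mainline numbering; distribution kernels may carry backports.

```shell
#!/bin/sh
# Added example: triage an overlayfs "permission denied" seen inside a container.
# Function names and verdict strings are illustrative, not from any tool.

# kernel_at_least RELEASE MAJOR MINOR: compare a `uname -r` string to MAJOR.MINOR.
kernel_at_least() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# in_user_namespace UID_MAP: true unless the map is the initial namespace's
# identity mapping, i.e. uid 0 here is not uid 0 on the host.
in_user_namespace() {
    set -- $1
    [ "$1 $2 $3" != "0 0 4294967295" ]
}

# overlay_registered FILESYSTEMS: /proc/filesystems lists overlay whether it is
# built in (=y) or a loaded module (=m).
overlay_registered() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]])overlay$'
}

# diagnose RELEASE UID_MAP FILESYSTEMS: print a one-line verdict.
diagnose() {
    if ! overlay_registered "$3"; then
        echo "not-registered: overlay is neither built in nor a loaded module"
    elif in_user_namespace "$2" && ! kernel_at_least "$1" 5 11; then
        echo "kernel-too-old: $1 predates unprivileged overlayfs mounts (v5.11)"
    else
        echo "supported: read the kernel log (dmesg) for the overlayfs error"
    fi
}

# Constructed sample matching the thread: v5.10, container uid 0 mapped to 100000.
diagnose "5.10.0" "0 100000 65536" "nodev overlay"

# Live check on the current host or container (Linux only).
if [ -r /proc/self/uid_map ]; then
    diagnose "$(uname -r)" "$(cat /proc/self/uid_map)" "$(cat /proc/filesystems)"
fi
```
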
* RE: Does overlay driver work if built in to the kernel?
From: Jie, Keyon @ 2022-09-21 14:48 UTC
To: Amir Goldstein, Keyon Jie; +Cc: Miklos Szeredi, overlayfs

> -----Original Message-----
> From: Amir Goldstein <amir73il@gmail.com>
> Sent: Tuesday, September 20, 2022 11:50 PM
> To: Keyon Jie <yang.jie@linux.intel.com>
> Cc: Miklos Szeredi <miklos@szeredi.hu>; overlayfs <linux-unionfs@vger.kernel.org>; Jie, Keyon <keyon.jie@intel.com>
> Subject: Re: Does overlay driver work if built in to the kernel?
>
> On Wed, Sep 21, 2022 at 3:32 AM Keyon Jie <yang.jie@linux.intel.com> wrote:
> >
> > Hi all,
> >
> > I am new to the overlayfs, I am hitting issues to make kernel modules
> > work in a container environment where the Kubernetes feature really need
> > the overlayfs support.
> >
> > I figured out to make overlay driver built-in to the VM kernel (and then
> > shared to the container), but looks like the Kubernetes always fail when
> > trying to create overlayfs mounts, with errors like 'permission denied'.
> >
>
> Usually, you want to look at the kernel log to see the reason for failure.
> That is likely because the container is "unprivileged"
> meaning not using the same uid 0 as the host.
>
> Don't know which kernel you are running, but overlayfs can be mounted
> inside unprivileged container since kernel v5.11:
>
> https://lore.kernel.org/linux-fsdevel/20201217142025.GB1236412@miu.piliscsaba.redhat.com/

Thank you Amir.
I am using a v5.10 kernel, so it looks like I can try to backport some of the
patches and try it again.
I assume taking the 10-commit series from Miklos should be enough?

vfs: move cap_convert_nscap() call into vfs_setxattr()
vfs: verify source area in vfs_dedupe_file_range_one()
ovl: check privs before decoding file handle
ovl: make ioctl() safe
ovl: simplify file splice
ovl: user xattr
ovl: do not fail when setting origin xattr
ovl: do not fail because of O_NOATIME
ovl: do not get metacopy for userxattr
ovl: unprivieged mounts

https://lore.kernel.org/linux-fsdevel/1725e01a-4d4d-aecb-bad6-54aa220b4cd2@i-love.sakura.ne.jp/T/

Thanks,
~Keyon

> >
> > I am seeing that overlay driver is released with modular
> > (CONFIG_OVERLAY_FS=m) in most (not sure if it is all) Linux
> > distributions, so I am wondering if the overlay driver work when built
> > in to the kernel?
> >
>
> It can be built in or module.
> That seems unrelated to your problem.
>
> Thanks,
> Amir.

* Re: Does overlay driver work if built in to the kernel?
From: Amir Goldstein @ 2022-09-21 17:41 UTC
To: Jie, Keyon; +Cc: Keyon Jie, Miklos Szeredi, overlayfs

On Wed, Sep 21, 2022 at 5:48 PM Jie, Keyon <keyon.jie@intel.com> wrote:
>
>
> > -----Original Message-----
> > From: Amir Goldstein <amir73il@gmail.com>
> > Sent: Tuesday, September 20, 2022 11:50 PM
> > To: Keyon Jie <yang.jie@linux.intel.com>
> > Cc: Miklos Szeredi <miklos@szeredi.hu>; overlayfs <linux-unionfs@vger.kernel.org>; Jie, Keyon <keyon.jie@intel.com>
> > Subject: Re: Does overlay driver work if built in to the kernel?
> >
> > On Wed, Sep 21, 2022 at 3:32 AM Keyon Jie <yang.jie@linux.intel.com> wrote:
> > >
> > > Hi all,
> > >
> > > I am new to the overlayfs, I am hitting issues to make kernel modules
> > > work in a container environment where the Kubernetes feature really need
> > > the overlayfs support.
> > >
> > > I figured out to make overlay driver built-in to the VM kernel (and then
> > > shared to the container), but looks like the Kubernetes always fail when
> > > trying to create overlayfs mounts, with errors like 'permission denied'.
> > >
> >
> > Usually, you want to look at the kernel log to see the reason for failure.
> > That is likely because the container is "unprivileged"
> > meaning not using the same uid 0 as the host.
> >
> > Don't know which kernel you are running, but overlayfs can be mounted
> > inside unprivileged container since kernel v5.11:
> >
> > https://lore.kernel.org/linux-fsdevel/20201217142025.GB1236412@miu.piliscsaba.redhat.com/
>
> Thank you Amir.
> I am using v5.10 kernel, so looks I can try to backport some of the patches and try it again.
> I assume take the 10-commits series from Miklos should be enough?
> vfs: move cap_convert_nscap() call into vfs_setxattr()
> vfs: verify source area in vfs_dedupe_file_range_one()
> ovl: check privs before decoding file handle
> ovl: make ioctl() safe
> ovl: simplify file splice
> ovl: user xattr
> ovl: do not fail when setting origin xattr
> ovl: do not fail because of O_NOATIME
> ovl: do not get metacopy for userxattr
> ovl: unprivieged mounts
> https://lore.kernel.org/linux-fsdevel/1725e01a-4d4d-aecb-bad6-54aa220b4cd2@i-love.sakura.ne.jp/T/
>

Not sure you can try.
There may be other bug fixes that need backporting.
It is not recommended to backport such a feature by yourself.
You would be much better off taking or building a newer LTS kernel (e.g. 5.15.y)

Thanks,
Amir.

* RE: Does overlay driver work if built in to the kernel?
From: Jie, Keyon @ 2022-09-22 4:16 UTC
To: Amir Goldstein; +Cc: Keyon Jie, Miklos Szeredi, overlayfs

> -----Original Message-----
> From: Amir Goldstein <amir73il@gmail.com>
> Sent: Wednesday, September 21, 2022 10:42 AM
> To: Jie, Keyon <keyon.jie@intel.com>
> Cc: Keyon Jie <yang.jie@linux.intel.com>; Miklos Szeredi <miklos@szeredi.hu>; overlayfs <linux-unionfs@vger.kernel.org>
> Subject: Re: Does overlay driver work if built in to the kernel?
>
> On Wed, Sep 21, 2022 at 5:48 PM Jie, Keyon <keyon.jie@intel.com> wrote:
> >
> >
> > > -----Original Message-----
> > > From: Amir Goldstein <amir73il@gmail.com>
> > > Sent: Tuesday, September 20, 2022 11:50 PM
> > > To: Keyon Jie <yang.jie@linux.intel.com>
> > > Cc: Miklos Szeredi <miklos@szeredi.hu>; overlayfs <linux-unionfs@vger.kernel.org>; Jie, Keyon <keyon.jie@intel.com>
> > > Subject: Re: Does overlay driver work if built in to the kernel?
> > >
> > > On Wed, Sep 21, 2022 at 3:32 AM Keyon Jie <yang.jie@linux.intel.com> wrote:
> > > >
> > > > Hi all,
> > > >
> > > > I am new to the overlayfs, I am hitting issues to make kernel modules
> > > > work in a container environment where the Kubernetes feature really need
> > > > the overlayfs support.
> > > >
> > > > I figured out to make overlay driver built-in to the VM kernel (and then
> > > > shared to the container), but looks like the Kubernetes always fail when
> > > > trying to create overlayfs mounts, with errors like 'permission denied'.
> > > >
> > >
> > > Usually, you want to look at the kernel log to see the reason for failure.
> > > That is likely because the container is "unprivileged"
> > > meaning not using the same uid 0 as the host.
> > >
> > > Don't know which kernel you are running, but overlayfs can be mounted
> > > inside unprivileged container since kernel v5.11:
> > >
> > > https://lore.kernel.org/linux-fsdevel/20201217142025.GB1236412@miu.piliscsaba.redhat.com/
> >
> > Thank you Amir.
> > I am using v5.10 kernel, so looks I can try to backport some of the patches and try it again.
> > I assume take the 10-commits series from Miklos should be enough?
> > vfs: move cap_convert_nscap() call into vfs_setxattr()
> > vfs: verify source area in vfs_dedupe_file_range_one()
> > ovl: check privs before decoding file handle
> > ovl: make ioctl() safe
> > ovl: simplify file splice
> > ovl: user xattr
> > ovl: do not fail when setting origin xattr
> > ovl: do not fail because of O_NOATIME
> > ovl: do not get metacopy for userxattr
> > ovl: unprivieged mounts
> > https://lore.kernel.org/linux-fsdevel/1725e01a-4d4d-aecb-bad6-54aa220b4cd2@i-love.sakura.ne.jp/T/
> >
>
> Not sure you can try.
> There may be other bug fixes that need backporting.
> It is not recommended to backport such a feature by yourself.
> You would be much better off taking or build a newer LTS kernel (e.g. 5.15.y)

Thank you so much Amir.
Just tried and 5.15 works well for me!

Thanks,
~Keyon

>
> Thanks,
> Amir.