* Does overlay driver work if built in to the kernel?
@ 2022-09-21 0:30 Keyon Jie
2022-09-21 0:45 ` Keyon Jie
2022-09-21 6:50 ` Amir Goldstein
0 siblings, 2 replies; 6+ messages in thread
From: Keyon Jie @ 2022-09-21 0:30 UTC (permalink / raw)
To: miklos; +Cc: linux-unionfs, keyon.jie
Hi all,
I am new to overlayfs, and I am hitting issues making kernel modules
work in a container environment where the Kubernetes feature really needs
overlayfs support.
I figured out how to make the overlay driver built in to the VM kernel (and then
shared with the container), but it looks like Kubernetes always fails when
trying to create overlayfs mounts, with errors like 'permission denied'.
I am seeing that the overlay driver is released as a module
(CONFIG_OVERLAY_FS=m) in most (not sure if it is all) Linux
distributions, so I am wondering whether the overlay driver works when built
in to the kernel?
Thanks,
~Keyon
* Does overlay driver work if built in to the kernel?
2022-09-21 0:30 Does overlay driver work if built in to the kernel? Keyon Jie
@ 2022-09-21 0:45 ` Keyon Jie
2022-09-21 6:50 ` Amir Goldstein
1 sibling, 0 replies; 6+ messages in thread
From: Keyon Jie @ 2022-09-21 0:45 UTC (permalink / raw)
To: miklos; +Cc: linux-unionfs, keyon.jie
Hi all,
Sorry for the annoyance in case the mail is sent twice; it looks to me that
the previous one was moderated because it was sent before subscribing to the
mailing list.
I am new to overlayfs, and I am hitting issues making kernel modules
work in a container environment where the Kubernetes feature really needs
overlayfs support.
I figured out how to make the overlay driver built in to the VM kernel (and then
shared with the container), but it looks like Kubernetes always fails when
trying to create overlayfs mounts, with errors like 'permission denied'.
I am seeing that the overlay driver is released as a module
(CONFIG_OVERLAY_FS=m) in most (not sure if it is all) Linux
distributions, so I am wondering whether the overlay driver works when built
in to the kernel?
Thanks,
~Keyon
* Re: Does overlay driver work if built in to the kernel?
2022-09-21 0:30 Does overlay driver work if built in to the kernel? Keyon Jie
2022-09-21 0:45 ` Keyon Jie
@ 2022-09-21 6:50 ` Amir Goldstein
2022-09-21 14:48 ` Jie, Keyon
1 sibling, 1 reply; 6+ messages in thread
From: Amir Goldstein @ 2022-09-21 6:50 UTC (permalink / raw)
To: Keyon Jie; +Cc: Miklos Szeredi, overlayfs, keyon.jie
On Wed, Sep 21, 2022 at 3:32 AM Keyon Jie <yang.jie@linux.intel.com> wrote:
>
> Hi all,
>
> I am new to the overlayfs, I am hitting issues to make kernel modules
> work in a container environment where the Kubernetes feature really need
> the overlayfs support.
>
> I figured out to make overlay driver built-in to the VM kernel (and then
> shared to the container), but looks like the Kubernetes always fail when
> trying to create overlayfs mounts, with errors like 'permission denied'.
>
Usually, you want to look at the kernel log to see the reason for failure.
That is likely because the container is "unprivileged"
meaning not using the same uid 0 as the host.
Don't know which kernel you are running, but overlayfs can be mounted
inside unprivileged container since kernel v5.11:
https://lore.kernel.org/linux-fsdevel/20201217142025.GB1236412@miu.piliscsaba.redhat.com/
>
> I am seeing that overlay driver is released with modular
> (CONFIG_OVERLAY_FS=m) in most (not sure if it is all) Linux
> distributions, so I am wondering if the overlay driver work when built
> in to the kernel?
>
It can be built in or a module.
That seems unrelated to your problem.
Thanks,
Amir.
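
A triage script for the two points in the reply above (the driver may be built in or a module; mounting inside an unprivileged container needs kernel v5.11 or later), as an added example that is not part of the thread. The function names and verdict words are made up for illustration, and treating a non-identity `/proc/self/uid_map` as "unprivileged container" is a heuristic assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Heuristic triage of an overlayfs
# "permission denied" using the two facts from the reply above.

# kernel_at_least RELEASE MAJOR MINOR: true if RELEASE (uname -r style) >= MAJOR.MINOR
kernel_at_least() {
    rel=${1%%[!0-9.]*}            # "5.10.0-rc1" -> "5.10.0"
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# overlay_registered FILE: true if "overlay" is listed in a /proc/filesystems
# style file. Built-in (=y) and loaded-module (=m) drivers both show up here.
overlay_registered() {
    awk '$NF == "overlay" { found = 1 } END { exit !found }' "$1"
}

# initial_userns FILE: true if a /proc/self/uid_map style file holds the
# identity map of the initial user namespace (assumption: a remapped or
# rootless container shows a different map).
initial_userns() {
    read -r inside outside count < "$1"
    [ "$inside" = 0 ] && [ "$outside" = 0 ] && [ "$count" = 4294967295 ]
}

# diagnose RELEASE UID_MAP FILESYSTEMS: prints one verdict word.
diagnose() {
    if ! overlay_registered "$3"; then
        echo no-driver            # neither built in nor loaded
    elif initial_userns "$2"; then
        echo initial-userns       # v5.11 limit does not apply; read the kernel log
    elif kernel_at_least "$1" 5 11; then
        echo userns-supported     # mainline allows the mount; read the kernel log
    else
        echo userns-too-old       # mainline < v5.11 refuses overlayfs in a userns
    fi
}

# Run against the live system when the proc files are readable.
if [ -r /proc/self/uid_map ] && [ -r /proc/filesystems ]; then
    diagnose "$(uname -r)" /proc/self/uid_map /proc/filesystems
fi
```

Run it inside the container, not on the host, since the uid map and the verdict depend on the namespace the process is in.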
* RE: Does overlay driver work if built in to the kernel?
2022-09-21 6:50 ` Amir Goldstein
@ 2022-09-21 14:48 ` Jie, Keyon
2022-09-21 17:41 ` Amir Goldstein
0 siblings, 1 reply; 6+ messages in thread
From: Jie, Keyon @ 2022-09-21 14:48 UTC (permalink / raw)
To: Amir Goldstein, Keyon Jie; +Cc: Miklos Szeredi, overlayfs
> -----Original Message-----
> From: Amir Goldstein <amir73il@gmail.com>
> Sent: Tuesday, September 20, 2022 11:50 PM
> To: Keyon Jie <yang.jie@linux.intel.com>
> Cc: Miklos Szeredi <miklos@szeredi.hu>; overlayfs <linux-unionfs@vger.kernel.org>;
> Jie, Keyon <keyon.jie@intel.com>
> Subject: Re: Does overlay driver work if built in to the kernel?
>
> On Wed, Sep 21, 2022 at 3:32 AM Keyon Jie <yang.jie@linux.intel.com>
> wrote:
> >
> > Hi all,
> >
> > I am new to the overlayfs, I am hitting issues to make kernel modules
> > work in a container environment where the Kubernetes feature really need
> > the overlayfs support.
> >
> > I figured out to make overlay driver built-in to the VM kernel (and then
> > shared to the container), but looks like the Kubernetes always fail when
> > trying to create overlayfs mounts, with errors like 'permission denied'.
> >
>
> Usually, you want to look at the kernel log to see the reason for failure.
> That is likely because the container is "unprivileged"
> meaning not using the same uid 0 as the host.
>
> Don't know which kernel you are running, but overlayfs can be mounted
> inside unprivileged container since kernel v5.11:
>
> https://lore.kernel.org/linux-fsdevel/20201217142025.GB1236412@miu.piliscsaba.redhat.com/
Thank you Amir.
I am using a v5.10 kernel, so it looks like I can try to backport some of the patches and try it again.
I assume taking the 10-commit series from Miklos should be enough?
vfs: move cap_convert_nscap() call into vfs_setxattr()
vfs: verify source area in vfs_dedupe_file_range_one()
ovl: check privs before decoding file handle
ovl: make ioctl() safe
ovl: simplify file splice
ovl: user xattr
ovl: do not fail when setting origin xattr
ovl: do not fail because of O_NOATIME
ovl: do not get metacopy for userxattr
ovl: unprivileged mounts
https://lore.kernel.org/linux-fsdevel/1725e01a-4d4d-aecb-bad6-54aa220b4cd2@i-love.sakura.ne.jp/T/
Thanks,
~Keyon
>
> >
> > I am seeing that overlay driver is released with modular
> > (CONFIG_OVERLAY_FS=m) in most (not sure if it is all) Linux
> > distributions, so I am wondering if the overlay driver work when built
> > in to the kernel?
> >
>
> It can be built in or module.
> That seems unrelated to your problem.
>
> Thanks,
> Amir.
* Re: Does overlay driver work if built in to the kernel?
2022-09-21 14:48 ` Jie, Keyon
@ 2022-09-21 17:41 ` Amir Goldstein
2022-09-22 4:16 ` Jie, Keyon
0 siblings, 1 reply; 6+ messages in thread
From: Amir Goldstein @ 2022-09-21 17:41 UTC (permalink / raw)
To: Jie, Keyon; +Cc: Keyon Jie, Miklos Szeredi, overlayfs
On Wed, Sep 21, 2022 at 5:48 PM Jie, Keyon <keyon.jie@intel.com> wrote:
>
>
> > -----Original Message-----
> > From: Amir Goldstein <amir73il@gmail.com>
> > Sent: Tuesday, September 20, 2022 11:50 PM
> > To: Keyon Jie <yang.jie@linux.intel.com>
> > Cc: Miklos Szeredi <miklos@szeredi.hu>; overlayfs <linux-unionfs@vger.kernel.org>;
> > Jie, Keyon <keyon.jie@intel.com>
> > Subject: Re: Does overlay driver work if built in to the kernel?
> >
> > On Wed, Sep 21, 2022 at 3:32 AM Keyon Jie <yang.jie@linux.intel.com>
> > wrote:
> > >
> > > Hi all,
> > >
> > > I am new to the overlayfs, I am hitting issues to make kernel modules
> > > > work in a container environment where the Kubernetes feature really need
> > > > the overlayfs support.
> > >
> > > I figured out to make overlay driver built-in to the VM kernel (and then
> > > shared to the container), but looks like the Kubernetes always fail when
> > > trying to create overlayfs mounts, with errors like 'permission denied'.
> > >
> >
> > Usually, you want to look at the kernel log to see the reason for failure.
> > That is likely because the container is "unprivileged"
> > meaning not using the same uid 0 as the host.
> >
> > Don't know which kernel you are running, but overlayfs can be mounted
> > inside unprivileged container since kernel v5.11:
> >
> > https://lore.kernel.org/linux-fsdevel/20201217142025.GB1236412@miu.piliscsaba.redhat.com/
>
> Thank you Amir.
> I am using v5.10 kernel, so looks I can try to backport some of the patches and try it again.
> I assume take the 10-commits series from Miklos should be enough?
> vfs: move cap_convert_nscap() call into vfs_setxattr()
> vfs: verify source area in vfs_dedupe_file_range_one()
> ovl: check privs before decoding file handle
> ovl: make ioctl() safe
> ovl: simplify file splice
> ovl: user xattr
> ovl: do not fail when setting origin xattr
> ovl: do not fail because of O_NOATIME
> ovl: do not get metacopy for userxattr
> ovl: unprivileged mounts
> https://lore.kernel.org/linux-fsdevel/1725e01a-4d4d-aecb-bad6-54aa220b4cd2@i-love.sakura.ne.jp/T/
>
Not sure you can try.
There may be other bug fixes that need backporting.
It is not recommended to backport such a feature by yourself.
You would be much better off taking or building a newer LTS kernel (e.g. 5.15.y)
Thanks,
Amir.
* RE: Does overlay driver work if built in to the kernel?
2022-09-21 17:41 ` Amir Goldstein
@ 2022-09-22 4:16 ` Jie, Keyon
0 siblings, 0 replies; 6+ messages in thread
From: Jie, Keyon @ 2022-09-22 4:16 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Keyon Jie, Miklos Szeredi, overlayfs
> -----Original Message-----
> From: Amir Goldstein <amir73il@gmail.com>
> Sent: Wednesday, September 21, 2022 10:42 AM
> To: Jie, Keyon <keyon.jie@intel.com>
> Cc: Keyon Jie <yang.jie@linux.intel.com>; Miklos Szeredi
> <miklos@szeredi.hu>; overlayfs <linux-unionfs@vger.kernel.org>
> Subject: Re: Does overlay driver work if built in to the kernel?
>
> On Wed, Sep 21, 2022 at 5:48 PM Jie, Keyon <keyon.jie@intel.com> wrote:
> >
> >
> > > -----Original Message-----
> > > From: Amir Goldstein <amir73il@gmail.com>
> > > Sent: Tuesday, September 20, 2022 11:50 PM
> > > To: Keyon Jie <yang.jie@linux.intel.com>
> > > Cc: Miklos Szeredi <miklos@szeredi.hu>; overlayfs <linux-unionfs@vger.kernel.org>;
> > > Jie, Keyon <keyon.jie@intel.com>
> > > Subject: Re: Does overlay driver work if built in to the kernel?
> > >
> > > On Wed, Sep 21, 2022 at 3:32 AM Keyon Jie <yang.jie@linux.intel.com>
> > > wrote:
> > > >
> > > > Hi all,
> > > >
> > > > I am new to the overlayfs, I am hitting issues to make kernel modules
> > > > > work in a container environment where the Kubernetes feature really need
> > > > > the overlayfs support.
> > > > >
> > > > > I figured out to make overlay driver built-in to the VM kernel (and then
> > > > > shared to the container), but looks like the Kubernetes always fail when
> > > > > trying to create overlayfs mounts, with errors like 'permission denied'.
> > > >
> > >
> > > Usually, you want to look at the kernel log to see the reason for failure.
> > > That is likely because the container is "unprivileged"
> > > meaning not using the same uid 0 as the host.
> > >
> > > Don't know which kernel you are running, but overlayfs can be mounted
> > > inside unprivileged container since kernel v5.11:
> > >
> > > https://lore.kernel.org/linux-fsdevel/20201217142025.GB1236412@miu.piliscsaba.redhat.com/
> >
> > Thank you Amir.
> > I am using v5.10 kernel, so looks I can try to backport some of the patches and try it again.
> > I assume take the 10-commits series from Miklos should be enough?
> > vfs: move cap_convert_nscap() call into vfs_setxattr()
> > vfs: verify source area in vfs_dedupe_file_range_one()
> > ovl: check privs before decoding file handle
> > ovl: make ioctl() safe
> > ovl: simplify file splice
> > ovl: user xattr
> > ovl: do not fail when setting origin xattr
> > ovl: do not fail because of O_NOATIME
> > ovl: do not get metacopy for userxattr
> > ovl: unprivileged mounts
> > https://lore.kernel.org/linux-fsdevel/1725e01a-4d4d-aecb-bad6-54aa220b4cd2@i-love.sakura.ne.jp/T/
> >
>
> Not sure you can try.
> There may be other bug fixes that need backporting.
> It is not recommended to backport such a feature by yourself.
> You would be much better off taking or build a newer LTS kernel (e.g. 5.15.y)
Thank you so much Amir. Just tried and 5.15 works well for me!
Thanks,
~Keyon
>
> Thanks,
> Amir.