From: Giuseppe Scrivano <gscrivan@redhat.com>
To: Christian Brauner <brauner@kernel.org>
Cc: "Vivek Goyal" <vgoyal@redhat.com>,
"Amir Goldstein" <amir73il@gmail.com>,
"Miklos Szeredi" <mszeredi@redhat.com>,
linux-unionfs@vger.kernel.org, "Christoph Hellwig" <hch@lst.de>,
"Aleksa Sarai" <cyphar@cyphar.com>,
"Rodrigo Campos Catelin" <rodrigoca@microsoft.com>,
"Seth Forshee" <sforshee@digitalocean.com>,
"Luca Bocassi" <luca.boccassi@microsoft.com>,
"Lennart Poettering" <mzxreary@0pointer.de>,
"Stéphane Graber" <stgraber@ubuntu.com>
Subject: Re: [PATCH 00/18] overlay: support idmapped layers
Date: Thu, 31 Mar 2022 11:55:31 +0200 [thread overview]
Message-ID: <871qyixx7w.fsf@redhat.com> (raw)
In-Reply-To: <20220331084704.l5wkwm6ammcm2fcs@wittgenstein> (Christian Brauner's message of "Thu, 31 Mar 2022 10:47:04 +0200")
Christian Brauner <brauner@kernel.org> writes:
> On Wed, Mar 30, 2022 at 04:58:03PM -0400, Vivek Goyal wrote:
>> On Tue, Mar 29, 2022 at 12:35:07PM +0200, Christian Brauner wrote:
>> > From: "Christian Brauner (Microsoft)" <brauner@kernel.org>
>> >
>> > Hey,
>> >
>> > This adds support for mounting overlay on top of idmapped layers.
>> >
>> > I have to start by saying a massive thank you to Amir! He did not just
>> > answer my constant overlay questions but also provided quite a few
>> > patches himself in this series in addition to reviews, comments and a
>> > lot of suggestions. Thank you!
>> >
>> > There have been a lot of requests to unblock this. For just a few select
>> > examples see [3], [4], and [5]. I've worked closely with various
>> > communities among them containerd, Kubernetes, Podman, LXD, runC, crun,
>> > and systemd (For the curious please see the various pull-request and
>> > issues below.) a lot of them already support idmapped mounts since they
>> > are enabled for btrfs, ext4, and xfs (and f2fs and fat fwiw). In
>> > additon, a few colleagues at Microsoft and from Red Hat work on a
>> > Kubernetes Enhancement Proposals (KEP) that also relies on overlayfs
>> > supporting idmapped layers, see [12].
>> >
>> > Overlayfs on top of idmapped layers will be used in various ways:
>> >
>> > * Container managers use overlayfs to efficiently share layers between
>> > containers. However, this only works for privileged containers.
>> > Layers cannot be shared if both privileged and unprivileged containers
>> > are used. Layers can also not be shared if non-overlapping idmappings
>> > are used for unprivileged containers. Layers cannot be shared because
>> > of the conflicting ownership requirements between the containers.
>>
>> Hi Christian,
>>
>> Thank you for this work. This is awesome.
>
> Thanks for saying that! Appreciate it.
>
>>
>> Wanted to test it. I was wondering how to test it. Some simple
>> instructions will help.
>
> Of course. There are various ways:
>
> 1. Giuseppe has already put up support the containers/storage go library:
> https://github.com/containers/storage/pull/1180
> and he's been running workloads with that branch. If you're familiar
> with that tooling you can just use that.
Vivek, if you vendor the containers/storage branch into Podman you can run something like:
# podman run --uidmap 0:2000:40000 --gidmap 0:8000:50000 --rm fedora sh -c 'grep . /proc/self/?id_map; ls -l /'
/proc/self/gid_map: 0 8000 50000
/proc/self/uid_map: 0 2000 40000
total 16
lrwxrwxrwx. 1 root root 7 Jul 21 2021 bin -> usr/bin
dr-xr-xr-x. 1 root root 0 Jul 21 2021 boot
drwxr-xr-x. 5 root root 340 Mar 31 09:46 dev
drwxr-xr-x. 1 root root 1682 Mar 31 09:45 etc
drwxr-xr-x. 1 root root 0 Jul 21 2021 home
lrwxrwxrwx. 1 root root 7 Jul 21 2021 lib -> usr/lib
lrwxrwxrwx. 1 root root 9 Jul 21 2021 lib64 -> usr/lib64
drwx------. 1 root root 0 Feb 21 06:47 lost+found
drwxr-xr-x. 1 root root 0 Jul 21 2021 media
drwxr-xr-x. 1 root root 0 Jul 21 2021 mnt
drwxr-xr-x. 1 root root 0 Jul 21 2021 opt
dr-xr-xr-x. 262 nobody nobody 0 Mar 31 09:46 proc
dr-xr-x---. 1 root root 206 Mar 31 09:45 root
drwxr-xr-x. 1 root root 40 Mar 31 09:46 run
lrwxrwxrwx. 1 root root 8 Jul 21 2021 sbin -> usr/sbin
drwxr-xr-x. 1 root root 0 Jul 21 2021 srv
dr-xr-xr-x. 12 nobody nobody 0 Mar 31 09:42 sys
drwxrwxrwt. 1 root root 0 Feb 21 06:47 tmp
drwxr-xr-x. 1 root root 100 Feb 21 06:47 usr
drwxr-xr-x. 1 root root 154 Feb 21 06:47 var
you'll notice that it is using idmapped mounts because the container
starts immediately when you change the mappings; without these kernel
patches Podman needs to chown the image first.
Regards,
Giuseppe
prev parent reply other threads:[~2022-03-31 9:56 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-29 10:35 [PATCH 00/18] overlay: support idmapped layers Christian Brauner
2022-03-29 10:35 ` [PATCH 01/18] fs: add two trivial lookup helpers Christian Brauner
2022-03-29 10:35 ` [PATCH 02/18] exportfs: support idmapped mounts Christian Brauner
2022-03-29 10:35 ` [PATCH 03/18] ovl: use wrappers to all vfs_*xattr() calls Christian Brauner
2022-03-29 11:18 ` Miklos Szeredi
2022-03-29 10:35 ` [PATCH 04/18] ovl: pass ofs to creation operations Christian Brauner
2022-03-29 10:35 ` [PATCH 05/18] ovl: handle idmappings in " Christian Brauner
2022-03-29 11:22 ` Miklos Szeredi
2022-03-29 10:35 ` [PATCH 06/18] ovl: pass ofs to setattr operations Christian Brauner
2022-03-29 10:35 ` [PATCH 07/18] ovl: pass layer mnt to ovl_open_realfile() Christian Brauner
2022-03-29 10:35 ` [PATCH 08/18] ovl: use ovl_do_notify_change() wrapper Christian Brauner
2022-03-29 11:56 ` Miklos Szeredi
2022-03-29 12:36 ` Christian Brauner
2022-03-29 10:35 ` [PATCH 09/18] ovl: use ovl_lookup_upper() wrapper Christian Brauner
2022-03-29 10:35 ` [PATCH 10/18] ovl: use ovl_path_getxattr() wrapper Christian Brauner
2022-03-29 10:35 ` [PATCH 11/18] ovl: handle idmappings for layer fileattrs Christian Brauner
2022-03-29 10:35 ` [PATCH 12/18] ovl: handle idmappings for layer lookup Christian Brauner
2022-03-29 10:35 ` [PATCH 13/18] ovl: store lower path in ovl_inode Christian Brauner
2022-03-29 10:35 ` [PATCH 14/18] ovl: use ovl_copy_{real,upper}attr() wrappers Christian Brauner
2022-03-29 10:35 ` [PATCH 15/18] ovl: handle idmappings in ovl_permission() Christian Brauner
2022-03-29 10:35 ` [PATCH 16/18] ovl: handle idmappings in layer open helpers Christian Brauner
2022-03-29 10:35 ` [PATCH 17/18] ovl: handle idmappings in ovl_xattr_{g,s}et() Christian Brauner
2022-03-29 10:35 ` [PATCH 18/18] ovl: support idmapped layers Christian Brauner
2022-03-29 12:25 ` [PATCH 00/18] overlay: " Miklos Szeredi
2022-03-29 15:02 ` Amir Goldstein
2022-03-30 20:58 ` Vivek Goyal
2022-03-31 8:47 ` Christian Brauner
2022-03-31 9:55 ` Giuseppe Scrivano [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871qyixx7w.fsf@redhat.com \
--to=gscrivan@redhat.com \
--cc=amir73il@gmail.com \
--cc=brauner@kernel.org \
--cc=cyphar@cyphar.com \
--cc=hch@lst.de \
--cc=linux-unionfs@vger.kernel.org \
--cc=luca.boccassi@microsoft.com \
--cc=mszeredi@redhat.com \
--cc=mzxreary@0pointer.de \
--cc=rodrigoca@microsoft.com \
--cc=sforshee@digitalocean.com \
--cc=stgraber@ubuntu.com \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).