On 7/28/20 11:32, Stefan Hajnoczi wrote:
> On Tue, Jul 28, 2020 at 12:00:20PM +0200, Roman Mohr wrote:
>> On Tue, Jul 28, 2020 at 3:07 AM misono.tomohiro@fujitsu.com <
>> misono.tomohiro@fujitsu.com> wrote:
>>
>>>> Subject: [PATCH v2 3/3] virtiofsd: probe unshare(CLONE_FS) and print an
>>>> error
>>>>
>>>> An assertion failure is raised during request processing if
>>>> unshare(CLONE_FS) fails. Implement a probe at startup so the problem can
>>>> be detected right away.
>>>>
>>>> Unfortunately Docker/Moby does not include unshare in the seccomp.json
>>>> list unless CAP_SYS_ADMIN is given. Other seccomp.json lists always
>>>> include unshare (e.g. podman is unaffected):
>>>>
>>>> https://raw.githubusercontent.com/seccomp/containers-golang/master/seccomp.json
>>>>
>>>> Use "docker run --security-opt seccomp=path/to/seccomp.json ..." if the
>>>> default seccomp.json is missing unshare.
>>>
>>> Hi, sorry for being a bit late.
>>>
>>> unshare() was added to fix the xattr problem:
>>>
>>> https://github.com/qemu/qemu/commit/bdfd66788349acc43cd3f1298718ad491663cfcc#
>>>
>>> In theory we don't need to call unshare if xattr is disabled, but it is
>>> hard to know whether xattr is enabled or disabled in fv_queue_worker(),
>>> right?
>>>
>>
>> In kubevirt we want to run virtiofsd in containers. We would already not
>> have xattr support for e.g. overlayfs in the VM after this patch series (an
>> acceptable con at least for us right now).
>> If we can get rid of the unshare (and potentially of needing root) that
>> would be great. We always assume that everything which we run in containers
>> should work for cri-o and docker.
>
> Root is required to access files with any uid/gid.
>
> Dave Gilbert is working on xattr support without CAP_SYS_ADMIN. He may
> be able to find a way to drop unshare (at least in containers).
>
>> "Just" pointing docker to a different seccomp.json file is something which
>> k8s users/admins in many cases can't do.
>
> There is a Moby PR to change the default seccomp.json file here but it's
> unclear if it will be merged:
> https://github.com/moby/moby/pull/41244
>
> Stefan

Why not try Podman?
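The startup probe that the quoted patch subject describes, written out as an added example (not the virtiofsd patch's own code): it issues unshare(CLONE_FS) once and maps the resulting errno to a hint, so the EPERM that a seccomp profile such as Docker's default returns for an unlisted syscall is reported at startup rather than as an assertion failure in a worker thread. The function names are assumptions of this example, and the raw syscall() is used only so it compiles without the glibc unshare() wrapper.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* CLONE_FS lives in <sched.h> behind _GNU_SOURCE; fall back to the kernel's value. */
#ifndef CLONE_FS
#define CLONE_FS 0x00000200
#endif

/*
 * Probe whether unshare(CLONE_FS) works for this process. Returns 0 on
 * success or the errno value, so the caller can fail fast at startup
 * instead of tripping an assertion later in a request-processing thread.
 * (Hypothetical helper, not virtiofsd's.)
 */
int probe_unshare_clone_fs(void)
{
    if (syscall(SYS_unshare, CLONE_FS) == 0) {
        return 0;
    }
    return errno;
}

/* Turn the probe result into an actionable startup message (hypothetical helper). */
const char *unshare_probe_hint(int err)
{
    switch (err) {
    case 0:
        return "unshare(CLONE_FS) works";
    case EPERM:
        /* A seccomp profile whose default action is SCMP_ACT_ERRNO lands here. */
        return "unshare(CLONE_FS) denied: check the container seccomp profile "
               "(docker run --security-opt seccomp=path/to/seccomp.json ...)";
    case ENOSYS:
        return "unshare(CLONE_FS) is not available on this kernel";
    default:
        return "unshare(CLONE_FS) failed";
    }
}

int main(void)
{
    int err = probe_unshare_clone_fs();
    fprintf(stderr, "%s%s%s\n", unshare_probe_hint(err),
            err ? ": " : "", err ? strerror(err) : "");
    return err ? 1 : 0;
}
```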