overlay: support native rootless mounts #816
Conversation
|
I am already in touch with Vivek and Miklos about the kernel issue |
giuseppe
force-pushed
the
native-overlay-rootless
branch
from
0413643 to
7c28a83
Compare
|
What happens if the kernel does not support overlay, do we still fall back to using fuse-overlayfs if it is installed? |
tested on Fedora Rawhide with kernel 5.11.0-0.rc6.20210204git61556703b610.144.fc34.x86_64 There is currently an issue when context= is specified and the mount fails with EACCES. It is being addressed in the kernel upstream. Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe
force-pushed
the
native-overlay-rootless
branch
from
7c28a83 to
6cb8896
Compare
we don't have that check in place here, we do it in containers/common. I've dropped the workaround for the mount label since there is a patch for the kernel upstream |
| @@ -1023,6 +1024,11 @@ func (d *Driver) get(id string, disableShifting bool, options graphdriver.MountO | |||
| } else if d.options.mountOptions != "" { | |||
| opts = fmt.Sprintf("%s,%s", d.options.mountOptions, opts) | |||
| } | |||
|
|
|||
| if d.options.mountProgram == "" && unshare.IsRootless() { | |||
| opts = fmt.Sprintf("%s,userxattr", opts) | |||
There was a problem hiding this comment.
Shouldn't this be set only on kernel >= 5.11?
Ubuntu and Debian have been supporting rootless overlayfs and do not want userxattr opt here (for kernel < 5.11).
There was a problem hiding this comment.
we don't support the Ubuntu and Debian custom patch for rootless overlay. The main reason is that on old kernels it is not allowed to create whiteout files without an overlay mount and that would complicate how image pulls are performed
There was a problem hiding this comment.
We also don't want kernel version checks, since these features can/will be back ported to RHEL8 and Centos Stream.
tested on Fedora Rawhide with kernel
5.11.0-0.rc6.20210204git61556703b610.144.fc34.x86_64
There is currently an issue when context= is specified and the mount
fails with EACCES. We can drop it once it works in the kernel.
Signed-off-by: Giuseppe Scrivano [email protected]