Support --overlay in --oci mode (bare image) (ro)

[dtrudg]

In native mode, a bare image file can be used as the source for --overlay. The image file can be:

• In extfs format, in which case the overlay is read-write by default, read-only if requested.
• In squashfs format, in which case the overlay is read-only.

The extfs case is documented at: https://docs.sylabs.io/guides/latest/user-guide/persistent_overlays.html#filesystem-image-overlay

The squashfs case is not adequately documented at present, but sees limited use.

To accomplish image overlay, the image files are first mounted onto a session directory using kernel mounts. After this, an overlay mount is used to overlay onto the container rootfs.

In --oci mode we want to avoid privilege escalation from a non-root user, so we cannot perform kernel mounts of squashfs and extfs image files. However, FUSE solutions are available for squashfs and extfs:

• squashfuse - https://github.com/vasi/squashfuse
• fuse2fs - https://man7.org/linux/man-pages/man1/fuse2fs.1.html

In --oci mode, implement functionality that when a squashfs/extfs image file is presented to the --overlay option:

• Will mount it to a staging directory, using squashfuse or fuse2fs.
• Will overlay the mounted filesystem onto the container rootfs.
• Allows r/w for extfs images, unless :ro is supplied as an option in the --overlay string.
• Cleanly unmounts the overlay and underlying FUSE filesystems when the container exits.

At this stage we will assume that we are using a kernel new enough to support unprivileged overlays without fuse-overlayfs (which we will need to integrate later).

[dtrudg]

Note that any use of additional external binaries (e.g. fuse2fs) should go via the existing FindBin that we have at https://github.com/sylabs/singularity/blob/main/internal/pkg/util/bin/bin.go

We do this to keep some sort of track of all the things we call out to, in one place.