Previously, fuse-overlayfs always used user.fuseoverlayfs.override_stat
for the upper layer while honoring user.containers.override_stat for
lower layers so that it can consume a layer created by
containers/storage.
It turned out that containers/storage also needs to get the overriding
extended attribute set by fuse-overlayfs and to set one for the upper
layer to make the root directory of the upper layer inherit the mode
of a lower layer. Adding code to get and to set
user.fuseoverlayfs.override_stat to containers/storage is a bit ugly.
The underlying problem is that fuse-overlayfs changes what name to use
ad hoc. Fix it by always preferring user.containers.override_stat, which
containers/storage honors, over user.fuseoverlayfs.override_stat, which is
specific to fuse-overlayfs.
Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>

Introduce a new xattr "user.fuseoverlayfs.override_stat" that permits
overriding the reported uid/gid/mode for lower layers.
It enables sharing storage among different users.
Since it is not possible to use "user.*" xattrs for symlinks, provide
also a privileged variant "security.fuseoverlayfs.override_stat", so
the root user can create the xattr for symlinks as well.
A script "fix-mode.py" is provided for converting an existing
layer/storage to the new model. It is a destructive operation as
every file is converted to mode 0755, thus it is not usable anymore
with native overlay, or older versions of fuse-overlayfs.
Example with Podman:
Rootless:
Modify /.config/containers/storage.conf and add under storage.options:
additionalimagestores = ["/var/lib/shared-storage"]
Assuming an empty local storage for the user:
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE ReadOnly
docker.io/library/fedora latest a368cbcfa678 5 weeks ago 189 MB true
and the files show the original mode and owner:
$ podman run --read-only --rm -ti docker.io/library/fedora ls -l /
lrwxrwxrwx. 1 root root 7 Jan 28 2020 bin -> usr/bin
dr-xr-xr-x. 2 root root 6 Jan 28 2020 boot
drwxr-xr-x. 5 root root 360 Aug 15 13:26 dev
drwxr-xr-x. 41 root root 4096 Jul 9 06:48 etc
drwxr-xr-x. 2 root root 6 Jan 28 2020 home
lrwxrwxrwx. 1 root root 7 Jan 28 2020 lib -> usr/lib
lrwxrwxrwx. 1 root root 9 Jan 28 2020 lib64 -> usr/lib64
drwx------. 2 root root 6 Jul 9 06:48 lost+found
drwxr-xr-x. 2 root root 6 Jan 28 2020 media
drwxr-xr-x. 2 root root 6 Jan 28 2020 mnt
drwxr-xr-x. 2 root root 6 Jan 28 2020 opt
dr-xr-xr-x. 436 nobody nobody 0 Aug 15 13:26 proc
dr-xr-x---. 2 root root 196 Jul 9 06:48 root
drwxrwxrwt. 3 root root 80 Aug 15 13:26 run
lrwxrwxrwx. 1 root root 8 Jan 28 2020 sbin -> usr/sbin
drwxr-xr-x. 2 root root 6 Jan 28 2020 srv
dr-xr-xr-x. 13 nobody nobody 0 Aug 5 21:38 sys
drwxrwxrwt. 2 root root 60 Aug 15 13:26 tmp
drwxr-xr-x. 12 root root 144 Jul 9 06:48 usr
drwxr-xr-x. 18 root root 235 Jul 9 06:48 var
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
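The two commit messages above describe the same mechanism from two sides: the override_stat xattr that records the uid/gid/mode a layer should report while the on-disk files are owned by the storage user and chmod'ed to 0755, the lookup order in which fuse-overlayfs now prefers user.containers.override_stat over its own name, and the security.* variant needed for symlinks because user.* xattrs cannot be set on them. The following is an added example that models that behaviour against an in-memory layer; it is not code from fuse-overlayfs, containers/storage or the fix-mode.py script, and it does not touch a real filesystem. The value encoding "uid:gid:mode" (mode in octal) is an assumption not stated on this page, and the sample entries are constructed.

```python
"""Model of the override_stat lookup and of a fix-mode style conversion.

Added example, not project code. Assumptions: the xattr value is
"uid:gid:mode" with mode written in octal, and files live in the
in-memory Entry objects below instead of on disk.
"""
import stat
from dataclasses import dataclass, field

CONTAINERS_XATTR = "user.containers.override_stat"       # honored by containers/storage
FUSE_XATTR = "user.fuseoverlayfs.override_stat"          # fuse-overlayfs specific
FUSE_PRIV_XATTR = "security.fuseoverlayfs.override_stat"  # symlinks; root only

# Lookup order from the first commit message: the containers/storage name
# wins over the fuse-overlayfs specific one.
LOOKUP_ORDER = (CONTAINERS_XATTR, FUSE_XATTR, FUSE_PRIV_XATTR)


@dataclass
class Entry:
    """One directory entry of a layer: real on-disk ownership, mode and xattrs."""
    uid: int
    gid: int
    mode: int                      # full st_mode, file type bits included
    xattrs: dict = field(default_factory=dict)


def encode_override(uid: int, gid: int, mode: int) -> bytes:
    """Serialize the reported ownership/permissions (assumed uid:gid:octal format)."""
    return f"{uid}:{gid}:{stat.S_IMODE(mode):o}".encode()


def decode_override(value: bytes):
    uid_s, gid_s, mode_s = value.decode().split(":")
    return int(uid_s), int(gid_s), int(mode_s, 8)


def effective_stat(entry: Entry):
    """What a stat() through the overlay reports: first matching xattr wins,
    otherwise the real on-disk values. File type bits always come from disk."""
    for name in LOOKUP_ORDER:
        if name in entry.xattrs:
            uid, gid, perm = decode_override(entry.xattrs[name])
            return uid, gid, stat.S_IFMT(entry.mode) | perm
    return entry.uid, entry.gid, entry.mode


def fix_mode(entry: Entry, storage_uid: int, storage_gid: int, *, is_root: bool = False) -> Entry:
    """Destructive conversion in the spirit of the described fix-mode.py:
    record the original uid/gid/mode in the xattr, then chown the file to the
    storage user and chmod it to 0755 so several users can share the layer.
    Symlinks cannot carry user.* xattrs, so they need the security.* variant,
    which only root can set."""
    value = encode_override(entry.uid, entry.gid, entry.mode)
    if stat.S_ISLNK(entry.mode):
        if not is_root:
            raise PermissionError("user.* xattrs cannot be set on symlinks; "
                                  "security.fuseoverlayfs.override_stat needs root")
        entry.xattrs[FUSE_PRIV_XATTR] = value
    else:
        entry.xattrs[CONTAINERS_XATTR] = value   # write the name containers/storage reads
        entry.mode = stat.S_IFMT(entry.mode) | 0o755
    entry.uid, entry.gid = storage_uid, storage_gid
    return entry


def ls_line(name: str, entry: Entry) -> str:
    """Render an entry the way 'ls -l' inside the container would show it."""
    uid, gid, mode = effective_stat(entry)
    return f"{stat.filemode(mode)} {uid:>5} {gid:>5} {name}"


if __name__ == "__main__":
    # Constructed sample layer: a root-owned image being converted for
    # rootless sharing by a storage user with uid/gid 1000.
    layer = {
        "etc/shadow": Entry(0, 0, stat.S_IFREG | 0o640),
        "root": Entry(0, 0, stat.S_IFDIR | 0o550),
        "bin": Entry(0, 0, stat.S_IFLNK | 0o777),
    }
    for name, entry in layer.items():
        fix_mode(entry, 1000, 1000, is_root=True)
        # On disk everything is now 1000:1000 and 0755, but the overlay still
        # reports the original owner and permission bits.
        print(ls_line(name, entry), "| on disk:", stat.filemode(entry.mode), entry.uid)
```

The conversion is one-way, exactly as the commit message warns: once the real mode bits are replaced by 0755 the layer only makes sense to a consumer that knows the xattr, which is why the model writes user.containers.override_stat rather than the fuse-overlayfs specific name.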