introduce a new xattr "user.fuseoverlayfs.override_stat" that permit
to override the reported uid/gid/mode for lower layers.
It enables sharing storage among different users.
Since it is not possible to use "user.*" xattrs for symlinks, provide
also a privileged variant "security.fuseoverlayfs.override_stat", so
the root user can create the xattr for symlinks as well.
A script "fix-mode.py" is provided for converting an existing
layer/storage to the new model. It is a destructive operation as
every file is converted to mode 0755, thus it is not usable anymore
with native overlay, or older versions of fuse-overlayfs.
Example with Podman:
Rootless:
Modify /.config/containers/storage.conf and add under storage.options:
additionalimagestores = ["/var/lib/shared-storage"]
Assuming an empty local storage for the user:
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE ReadOnly
docker.io/library/fedora latest a368cbcfa678 5 weeks ago 189 MB true
and the files show the original mode and owner:
$ podman run --read-only --rm -ti docker.io/library/fedora ls -l /
lrwxrwxrwx. 1 root root 7 Jan 28 2020 bin -> usr/bin
dr-xr-xr-x. 2 root root 6 Jan 28 2020 boot
drwxr-xr-x. 5 root root 360 Aug 15 13:26 dev
drwxr-xr-x. 41 root root 4096 Jul 9 06:48 etc
drwxr-xr-x. 2 root root 6 Jan 28 2020 home
lrwxrwxrwx. 1 root root 7 Jan 28 2020 lib -> usr/lib
lrwxrwxrwx. 1 root root 9 Jan 28 2020 lib64 -> usr/lib64
drwx------. 2 root root 6 Jul 9 06:48 lost+found
drwxr-xr-x. 2 root root 6 Jan 28 2020 media
drwxr-xr-x. 2 root root 6 Jan 28 2020 mnt
drwxr-xr-x. 2 root root 6 Jan 28 2020 opt
dr-xr-xr-x. 436 nobody nobody 0 Aug 15 13:26 proc
dr-xr-x---. 2 root root 196 Jul 9 06:48 root
drwxrwxrwt. 3 root root 80 Aug 15 13:26 run
lrwxrwxrwx. 1 root root 8 Jan 28 2020 sbin -> usr/sbin
drwxr-xr-x. 2 root root 6 Jan 28 2020 srv
dr-xr-xr-x. 13 nobody nobody 0 Aug 5 21:38 sys
drwxrwxrwt. 2 root root 60 Aug 15 13:26 tmp
drwxr-xr-x. 12 root root 144 Jul 9 06:48 usr
drwxr-xr-x. 18 root root 235 Jul 9 06:48 var
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
we were mistakenly using the overflow GID also for UIDs lookups. Not
a big issue as they usually have the same value.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
if the destination already exists as it could not be properly cleaned
up, attempt to atomically swap the two directories and free the old
one.
Closes: https://github.com/containers/fuse-overlayfs/issues/213
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
the copyup function returns the error code set in ret. Make sure ret
has the correct return code if set_fd_origin fails.
Closes: https://github.com/containers/fuse-overlayfs/issues/211
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
