Akihiko Odaki 20161f96d7 main: Isolate security xattrs for STAT_OVERRIDE_CONTAINERS
The major use case of stat override is to enable rootless containers
on network filesystems, and they also lack security xattr support in
non-root user namespaces. Trying to set security xattrs on them results
in ENOTSUP and breaks things.

It makes little sense to share security xattrs with the underlying
filesystems when overriding stat in the first place. Linux's NFS server
exposes security xattrs only when the user explicitly claims the
security consistency between the server and clients, and hides them
otherwise. Following this precedent, we should isolate security xattrs
since we know the security policy enforced by fuse-overlayfs is already
distinct from the underlying filesystem when overriding owners and file
mode.

Mark security xattrs inaccessible with STAT_OVERRIDE_CONTAINERS to
prefix all access to them with XATTR_CONTAINERS_OVERRIDE_PREFIX.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
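The name translation the commit describes, as an added illustration that is not the project's code: on the merged mount a request for a `security.*` attribute is redirected into the `user.*` namespace under a prefix, so it never touches the underlying filesystem's own security labels (and never hits ENOTSUP on a filesystem that refuses security xattrs in a non-root user namespace). The prefix value `EXAMPLE_OVERRIDE_PREFIX` is a placeholder for the real `XATTR_CONTAINERS_OVERRIDE_PREFIX`; hiding unprefixed `security.*` names of the lower filesystem in the reverse direction is this example's reading of "isolate", following the NFS precedent the message cites, not a claim about what the project does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Placeholder standing in for fuse-overlayfs's XATTR_CONTAINERS_OVERRIDE_PREFIX.
 * The real value is defined in the project's source; this one is invented for
 * the example only. */
#define EXAMPLE_OVERRIDE_PREFIX "user.containers.override."
#define SECURITY_NS "security."

static bool has_prefix(const char *s, const char *prefix)
{
  return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Name seen on the merged mount -> name used on the underlying filesystem.
 * With stat override for containers enabled, security.* names are redirected
 * under the prefix; everything else passes through unchanged.
 * Returns the length of the produced name, or -1 if it does not fit. */
int to_lower_xattr_name(const char *name, bool stat_override_containers,
                        char *out, size_t outlen)
{
  int n;
  if (stat_override_containers && has_prefix(name, SECURITY_NS))
    n = snprintf(out, outlen, "%s%s", EXAMPLE_OVERRIDE_PREFIX, name);
  else
    n = snprintf(out, outlen, "%s", name);
  if (n < 0 || (size_t) n >= outlen)
    return -1;
  return n;
}

/* Underlying name -> name shown on the mount, e.g. when listing xattrs.
 * A prefixed security.* name is translated back; an unprefixed security.*
 * name belonging to the lower filesystem is hidden (returns 0, writes an
 * empty string) so the two policies stay isolated. This hiding is the
 * example's assumption. Returns the length written, 0 if hidden, -1 if it
 * does not fit. */
int from_lower_xattr_name(const char *lower_name, bool stat_override_containers,
                          char *out, size_t outlen)
{
  int n;
  if (outlen == 0)
    return -1;
  if (!stat_override_containers)
    n = snprintf(out, outlen, "%s", lower_name);
  else if (has_prefix(lower_name, EXAMPLE_OVERRIDE_PREFIX SECURITY_NS))
    n = snprintf(out, outlen, "%s", lower_name + strlen(EXAMPLE_OVERRIDE_PREFIX));
  else if (has_prefix(lower_name, SECURITY_NS)) {
    out[0] = '\0';
    return 0;
  } else
    n = snprintf(out, outlen, "%s", lower_name);
  if (n < 0 || (size_t) n >= outlen)
    return -1;
  return n;
}

int main(void)
{
  /* Constructed sample names, not taken from any real filesystem. */
  const char *names[] = { "security.selinux", "security.capability", "user.foo" };
  char lower[128], back[128];
  for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
    to_lower_xattr_name(names[i], true, lower, sizeof lower);
    from_lower_xattr_name(lower, true, back, sizeof back);
    printf("%-20s -> %-45s -> %s\n", names[i], lower, back);
  }
  return 0;
}
```

Both directions are needed: the forward translation is what setxattr/getxattr would apply, and the reverse one is what keeps listxattr from leaking the lower filesystem's labels into the mount or showing the prefixed form to the container.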

fuse-overlayfs

An implementation of overlay+shiftfs in FUSE for rootless containers.

Usage:

$ fuse-overlayfs -o lowerdir=lowerdir/a:lowerdir/b,upperdir=up,workdir=workdir merged

Specify a different UID/GID mapping:

$ fuse-overlayfs -o uidmapping=0:10:100:100:10000:2000,gidmapping=0:10:100:100:10000:2000,lowerdir=lowerdir/a:lowerdir/b,upperdir=up,workdir=workdir merged
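The mapping option value is a list of colon-separated triples. The following added example (not part of fuse-overlayfs) parses that format, rejects malformed or overlapping specifications, and translates an id in either direction. It assumes the first field is the id on the underlying filesystem and the second the id presented in the merged mount; the third field is the number of consecutive ids covered. That field order is an assumption of the example, and the man page of the installed version is authoritative.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* One triple from -o uidmapping=A:B:LEN[:A:B:LEN...] (same shape for gidmapping). */
struct id_mapping {
  unsigned int from;  /* first field: id on the underlying filesystem (assumed) */
  unsigned int to;    /* second field: id presented in the merged mount (assumed) */
  unsigned int len;   /* third field: number of consecutive ids in the range */
};

/* Parse the option value into out[]; returns the number of triples, or -1 on
 * malformed input (non-numeric field, missing field, zero or overflowing
 * length, trailing colon, too many triples). */
int parse_id_mapping(const char *spec, struct id_mapping *out, int max)
{
  const char *p = spec;
  int n = 0;

  if (*p == '\0')
    return -1;
  while (*p != '\0') {
    unsigned long v[3];
    for (int i = 0; i < 3; i++) {
      char *end;
      if (*p < '0' || *p > '9')   /* empty field, sign, or garbage */
        return -1;
      v[i] = strtoul(p, &end, 10);
      if (v[i] > UINT_MAX)
        return -1;
      p = end;
      if (i < 2) {
        if (*p != ':')
          return -1;
        p++;
      }
    }
    /* A zero-length range is meaningless; a range past UINT_MAX would wrap. */
    if (v[2] == 0 || v[0] > UINT_MAX - v[2] || v[1] > UINT_MAX - v[2])
      return -1;
    if (n == max)
      return -1;
    out[n].from = (unsigned int) v[0];
    out[n].to = (unsigned int) v[1];
    out[n].len = (unsigned int) v[2];
    n++;
    if (*p == ':') {
      p++;
      if (*p == '\0')   /* "A:B:LEN:" with nothing after the colon */
        return -1;
    } else if (*p != '\0') {
      return -1;
    }
  }
  return n;
}

/* True if two ranges on the chosen side overlap, which would make a lookup
 * ambiguous: two different host ids could claim the same mount-side id. */
bool mappings_overlap(const struct id_mapping *m, int n, bool mount_side)
{
  for (int i = 0; i < n; i++)
    for (int j = i + 1; j < n; j++) {
      unsigned int a = mount_side ? m[i].to : m[i].from;
      unsigned int b = mount_side ? m[j].to : m[j].from;
      if (a < b + m[j].len && b < a + m[i].len)
        return true;
    }
  return false;
}

/* Translate one id. Forward (reverse == false) goes from the first field to the
 * second; reverse goes back. Returns false when no range covers the id. */
bool map_id(const struct id_mapping *m, int n, unsigned int id, bool reverse,
            unsigned int *mapped)
{
  for (int i = 0; i < n; i++) {
    unsigned int base = reverse ? m[i].to : m[i].from;
    unsigned int target = reverse ? m[i].from : m[i].to;
    if (id >= base && id - base < m[i].len) {
      *mapped = id - base + target;
      return true;
    }
  }
  return false;
}

int main(void)
{
  struct id_mapping m[8];
  /* The mapping string from the usage line above. */
  int n = parse_id_mapping("0:10:100:100:10000:2000", m, 8);
  unsigned int ids[] = { 0, 99, 100, 2099, 2100 }, r;
  printf("%d triples, overlap=%d\n", n, mappings_overlap(m, n, false));
  for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
    if (map_id(m, n, ids[i], false, &r))
      printf("%u -> %u\n", ids[i], r);
    else
      printf("%u -> (unmapped)\n", ids[i]);
  }
  return 0;
}
```

An id outside every range (2100 in the sample) is reported as unmapped rather than passed through; whatever the real implementation substitutes for such ids, silently passing the raw id through would defeat the point of the mapping.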

Requirements:

If you are not using the static build as explained in the next chapter, your system needs libfuse > v3.2.1.

  • On Fedora: dnf install fuse3-devel
  • On Ubuntu > v19.04: apt install libfuse3-dev

Also, please note that, when using fuse-overlayfs from a user namespace (for example, when using rootless podman) a Linux Kernel > v4.18.0 is required.

Static Build:

This project provides a convenient way to automatically perform a static build using a container. The result is a self-contained binary without dependencies, that can be copied across hosts.

  1. Install buildah as explained here;

  2. Both the build and deploy host require the special device /dev/fuse; there are a few ways to obtain it:

  • install fuse2 or fuse3 using the package manager of your choice (dnf, apt, pacman, etc): the install script will usually create the device automatically; or
  • manually create the device with the command mknod /dev/fuse -m 0666 c 10 229 (see this code)

  3. Clone this repository, and switch to the top-level folder containing the file "Containerfile.static.ubuntu";

  4. Launch the build with the command (note the single dot . at the end):

buildah bud -v $PWD:/build/fuse-overlayfs -t fuse-overlayfs -f ./Containerfile.static.ubuntu .

  5. Copy the resulting binary to your host:

sudo cp fuse-overlayfs /usr/bin/
Description
FUSE implementation for overlayfs