containers / storage

Container Storage Library
Apache License 2.0

Allow setting mountopt for vfs driver #1972

Open legobeat opened 2 weeks ago

legobeat commented 2 weeks ago

Feature request description

Rootless podman-in-podman, or sudo in rootless, are not working in rootless mode on vfs due to the root filesystem mount being mounted with nosuid set:

$ podman info
ERRO[0000] running `/usr/bin/newuidmap 123 0 1000 1 1 1 999 1000 100000 65536 66536 524288 65536`: newuidmap: write to uid_map failed: Operation not permitted
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1

$ sudo ls
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

# ls -la /usr/bin/newuidmap
-rwxr-xr-x 1 root root 43320 May 23 00:00 /usr/bin/newuidmap

# ls -lan /usr/bin/sudo
---s--x--x 1 0 0 211136 Feb  8 00:00 /usr/bin/sudo

# mount | grep ' / '
/dev/xvdb on / type ext4 (rw,nosuid,nodev,relatime,discard)

# mount / -oremount,suid
mount: /: permission denied.
       dmesg(1) may have more information after failed mount system call.

Trying to set storage.options.vfs.mountopt = "suid" is not recognized, as expected from reading docs:

WARN[0000] Failed to decode the keys ["storage.options.vfs.mountopt"] from "/home/user/.config/containers/storage.conf"

Suggest potential solution

Exposing mountopt for vfs driver just like for overlay would allow unlocking by setting appropriate mountopt.

Have you considered any alternatives?

Using overlay instead of vfs unfortunately does not work as it results in incorrect ownership in rootless: https://github.com/containers/podman/issues/22810#issuecomment-2162129301

Additional context

Related
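The failure reported above comes down to one question: which mount holds the setuid helper, and does that mount carry nosuid? The following diagnostic is an added example, not code from the storage project or from the reporter; it parses the /proc/self/mountinfo format, finds the mount that holds a given path by longest-prefix match, and reports whether nosuid is set there. The mountinfo table it ships with is a constructed sample, not a capture from the reporter's host.

```python
import re

# Constructed sample in /proc/self/mountinfo format: a nosuid root mount (as in the
# report), a separate /usr/local mount without nosuid, and a mount point with an
# escaped space to exercise the \ooo decoding.
SAMPLE_MOUNTINFO = """\
22 1 202:16 / / rw,nosuid,nodev,relatime shared:1 - ext4 /dev/xvdb rw,discard
35 22 202:32 / /usr/local rw,relatime shared:2 - ext4 /dev/xvdc rw
50 22 0:23 / /mnt/with\\040space rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
"""

_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal sequences
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Return a list of (mount_point, set_of_mount_options) from mountinfo text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        # fields: id parent maj:min root mount_point options [optional...] - fstype source super_opts
        mounts.append((_unescape(fields[4]), set(fields[5].split(","))))
    return mounts


def mount_for_path(path, mounts):
    """Longest-prefix match: the mount point that actually holds `path`, or None."""
    best = None
    for mount_point, options in mounts:
        if path == mount_point or path.startswith(mount_point.rstrip("/") + "/"):
            if best is None or len(mount_point) > len(best[0]):
                best = (mount_point, options)
    return best


def suid_diagnosis(path, mountinfo_text):
    """Return (mount_point, setuid_honoured, message) for a helper such as newuidmap."""
    match = mount_for_path(path, parse_mountinfo(mountinfo_text))
    if match is None:
        return (None, False, f"{path}: no mount found (relative path?)")
    mount_point, options = match
    if "nosuid" in options:
        return (mount_point, False, f"{path} is on {mount_point}, mounted nosuid: "
                "setuid bits on newuidmap/sudo are ignored there")
    return (mount_point, True, f"{path} is on {mount_point}, which honours setuid")


if __name__ == "__main__":
    # On a real host, read the live table instead of the constructed sample.
    with open("/proc/self/mountinfo") as f:
        live = f.read()
    for helper in ("/usr/bin/newuidmap", "/usr/bin/sudo"):
        print(suid_diagnosis(helper, live)[2])
```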

rhatdan commented 4 days ago

I don't see how this is our issue. Other than saying don't do that.

legobeat commented 4 days ago

I don't see how this is our issue. Other than saying don't do that.

Is there some inherent reason why users should be able to set mount_opt on overlay driver but not on vfs...? There are many reasons why users may want to override the defaults (as the discussion in https://github.com/containers/podman/pull/3263 makes perfectly clear, a "one size fits all" isn't actually a reality).

rhatdan commented 2 days ago

VFS file systems are not mounted.