Open hinshun opened 4 years ago
I've been looking into this along with @hinshun and @tonistiigi on Slack, here's what I found:
nodemon.json.3163301993
is showing up inside the container because of some strangeness with overlay.
getdents
on it directly to the underlying dir. /upperdir/root/.config/configstore/
only appears in one lowerdir, so when you ls
on it, the whiteout device shows up as a dirent
.ENOENT
errors when trying to make any syscalls involving nodemon.json.3163301993
's path.trusted.overlay.origin
on a directory and, if so, mark that the directory as needing to be checked for whiteouts.trusted.overlay.origin
on the parent directory of a whiteout device under upperdir
, as can be seen in this example: https://gist.github.com/sipsma/3399d4a30f2709019cd1d53309765878However, that fix obviously isn't working in hinshun's case. Not sure, but I am wondering if fuse-overlayfs
is not setting the expected xattr. When I pulled down hinshun's image I could reproduce the issue within a docker container and saw that the /upperdir/root/.config/configstore/
dir didn't have trusted.overlay.origin
set, but instead had trusted.overlay.opaque
:
root@bincastle-dev:/home/sipsma# xattr /var/lib/docker/overlay2/l/X263JCQLFIOQYTTIOXHADDPJV5/upperdir/root/.config/configstore/
trusted.overlay.opaque
When I changed it to have trusted.overlay.origin
set (xattr -w trusted.overlay.origin "" /var/lib/docker/overlay2/l/X263JCQLFIOQYTTIOXHADDPJV5/upperdir/root/.config/configstore
), I was no longer able to reproduce the issue and the whiteout didn't appear inside the docker container.
I'm not sure yet why trusted.overlay.opaque
is being set but trusted.overlay.origin
isn't; it may be worth asking the fuse-overlayfs
devs if that's expected behavior.
Okay, looked some more, there's actually yet another layer to this issue (pun intended).
@hinshun pointed out this code in fuse-overlayfs
where opaque
gets set, which made me realize that fuse-overlayfs was probably not actually able to set xattrs at all because it was using a real overlay mount as the upperdir of the fuse overlay (files/dirs under overlay mounts don't support xattrs).
Based on that code, that means fuse-overlayfs actually most likely failed to set any xattrs at all (both opaque
and origin
. The reason you can still see opaque
as an xattr when you pull down the docker image is most likely due to the fact that fuse-overlayfs fallsback to creating a .wh..wh..opq
file in place of setting an opaque
xattr, which containerd exporters know about and handle correctly: https://github.com/containerd/containerd/blob/0ab7f03feecaa9fc51b63dbb634e74d04d68176f/archive/tar_opts_linux.go#L40-L44
So, in summary, I think the issue basically comes down to the fact that origin
should have been set on /upperdir/root/.config/configstore/
but couldn't because the upperdir of the fuse mount didn't support xattrs.
So, in summary, I think the issue basically comes down to the fact that origin should have been set on /upperdir/root/.config/configstore/ but couldn't because the upperdir of the fuse mount didn't support xattrs.
So should the containerd exporter be detecting the .wh..wh..opq
files and translating that to xattrs on the directory?
So should the containerd exporter be detecting the .wh..wh..opq files and translating that to xattrs on the directory?
Yes, and I think it does, but my understanding is that .wh..wh..opq
only handles setting the opaque
, not origin
. As far as I can see there isn't an equivalent for origin
xattrs for some reason, not sure why.
Reproduction steps
hinshun/whiteout-repro
was created using HLB (which is valid LLB): https://gist.github.com/hinshun/5488224d10090c841a47935a5404419e However, the problem only occurs after you pushed it and thenFROM <image>
after clearing the BuildKit cache.Inside the
buildkitd
containerMounts
The directory containing the whiteout for overlay (a character device)
Cannot interact with device:
Running
ls
from merged directory of overlay: