livingsilver94
commented
1 year ago Unfortunately to mount a rootless OverlayFS you need to set the userxattr option, which is incompatible with metacopy=on. chowning is very slow without it, as it'd copy the whole file.
With regards to the way Podman works, I created a Podman container based on the Serpent OS rootfs with this command: podman create --userns=keep-id --rootfs ~/Personal/SerpentOS/SOSROOT/ /bin/sleep infinity.
If I then enter into that container, the rootfs IS NOT owned by root, but by my user. This demonstrates the rootfs ownership isn't set by Podman itself, but by the way the OCI image was constructed. This explains why Podman only chowns new files in the container (e.g. /etc/hosts), but not the whole rootfs.
The only two viable solutions I can think of are:
- Mount the overlayed rootfs read only. This way, the owner is still incorrectly set, but nobody can mangle it since the mount point is read-only. It's an unorthodox solution, but it would work (likely).
- Have a rootfs directory somewhere which is completely managed by
moss-container. This way, wechownit only once and reuse it every time we need to firemoss-container. That's the way Podman works, after all.- CAVEAT: if we want to run multiple simultaneous
moss-containerinstances, we need multiple rootfs directories. - CAVEAT: the rootfs will be owned by a different UID/GID than $USER's. The user will need to use
sudoto delete the rootfs if in need, or we may add amoss-container deletecommand. Again, this is the way Podman works.
- CAVEAT: if we want to run multiple simultaneous
Third proposal: just use Podman?
Introduction
moss-container is a tool to run process(es) in a containerized fashion. Historically it created a container by mounting file systems and bind-mounting directories, plus
mknodding. All of these operations required CAP_SYS_ADMIN (root privileges).It is ideal to build packages with regular privileges. Enter rootless containers. Similar to podman, we want to leverage Linux namespaces to mount file systems and directories in a confined namespace so that we isolate the build environment without cluttering/damaging the host system accidentally, plus we ensure a reproducible environment.
The problem
The work-in-progress https://github.com/serpent-os/moss-container/tree/userns branch almost does the above, barring that the internal rootfs is not owned by the internal root, but by the internal regular user (for various reasons not worth expanding). This is undesirable because we don't want to give users (or build scripts) the illusion that they can edit the entire rootfs at their leisure.
Setting correct internal permissions for directories coming from the host system isn't an easy task. We can't just
chown -R internalUID:internalGID, because the UID and GID will be propagated to the host files as well! We must chown only to the eyes of the container.idmapped mounts aren't viable because they require being root in the host, defeating the very purpose of rootless containers.
The solution
Make a copy of the rootfs somewhere and
chownit. As simple as that.Well, that's the gist of it, although both recursively copying and recursively
chowning are slow operations.To mitigate that, we can explore (and pick one of) the following possible optimizations:
metacopy=onoption. This way, an entire file is not copied when editing metadata, which is exactly the case ofchown. Only metadata is copied.OverlayFS documentation.
Possible implementation
Make moss-container have a
--workdirflag. This will be the OverlayFS hierarchy parent. Here we will have:$WORKDIR/upper$WORKDIR/work$WORKDIR/mergedThis
--workdirflag will be passed byboulder, resulting in a moss-container call like:moss-container -d /my/rootfs/path --workdir $XDG_CACHE_HOME/boulder/packagename --bind-rw /some/extra/dir. The build process will happen in$WORKDIR/merged.