Am I missing a trick somewhere? lxc-usernsexec and squashfs

To: debian-user@lists.debian.org
Subject: Am I missing a trick somewhere? lxc-usernsexec and squashfs
From: Tim Woodall <debianuser@woodall.me.uk>
Date: Sat, 6 Apr 2024 18:14:28 +0100 (BST)
Message-id: <[🔎] alpine.DEB.2.21.2404061739140.20695@dirac.home.woodall.me.uk>

Hi,

I use lxc-usernsexec to simulate root (and other users) for a non-root
user.

lxc-usernsexec -m b:0:100000:65536

That then chroots into an overlayfs mounted using fuse.

The lowerdir is a mounted squashfs, the upperdir is a regular directory.

squashfuse rootimg.sqfs lower
fuse-overlayfs -o lowerdir=lower,upperdir=upper,workdir=work mount

This is all working nicely, and much faster than extracting a tarfile to
generate the lowerdir which is what I used to do.

But I have to jump through hoops to generate the lower sqfs.

If I generate it while running under lxc so outside it looks like root
owned files have owner 100000, to the generating process running under
lxc they have owner root(0). When using tar it automatically did the
necessary translations when extracting the archive back to the correct
lxc uid.

If I build the sqfs while inside lxc the sqfs gets the uid 0 for root
owned files. The files in mount/root, for example are then not readable when
it's mounted later.

If I try to build it from outside lxc then I don't have permission to
read mount/root at all so the files don't make it into the sqfs.

I'm doing the following to ensure that the sqfs files have the correct
ownership when I come to mount it:

for (( i = 0 ; i < 65536 ; i++ )); do echo "+$i +$(( i + 100000 ))"; done >mapfile
tar -C root --numeric-owner --owner-map=mapfile --group-map=mapfile --one-file-system -cf - . | tar2sqfs -q root.sqfs

This maps the 0-65535 uids that are seen inside lxc back to the
100000-165535 uids that are used outside of lxc so that the sqfs is an
accurate image of the original filesystem metadata.

overlayfs has an option to map uids which the man page suggests exists
for exactly this reason, but I cannot work out how to use it. I feel as
though I need the option on squashfuse.

It doesn't really matter to me, but one issue with my solution is that
the sqfs images aren't usable by a different user who has a different
uidmap because the uids in the sqfs are tied to the uidmap.

Is there a way to do what I'm trying to do without using tar (or
equivalent) to change the uids in the sqfs? I don't want to squash
everything down to a single user.

-o uidmapping/-o gidmapping for fuse-overlayfs aren't mentioned in the
-h help, only in the manpage, so perhaps there's an option to squashfuse
that isn't mentioned in either that I'm missing? Or perhaps there's a
way to get overlayfs to work if the root.sqfs has uid 0-65535.

Note that the whole point of all of this is so that nothing has to be
done as root. I use this for testing installs, building packages etc and
a rogue rm -fr /, for example, can't take out the whole system. So
solutions that involve doing steps as the real root user aren't
suitable.

Tim.

Reply to:

Follow-Ups:
- Re: Am I missing a trick somewhere? lxc-usernsexec and squashfs
  - From: Tim Woodall <debianuser@woodall.me.uk>

Prev by Date: Re: Dependencies between components.
Next by Date: Re: What use can i give to linux?
Previous by thread: Re: Dependencies between components.
Next by thread: Re: Am I missing a trick somewhere? lxc-usernsexec and squashfs
Index(es):
- Date
- Thread