On Tue, Sep 17, 2020 at 2:57 AM Shengjing Zhu wrote:
>
> On Thu, Sep 17, 2020 at 2:52 AM Nicolas Schier <nicolas@fjasle.eu> wrote:
> >
> > > I think I just mess up when debugging. It seems it never works.
> > >
> > > Maybe we should revert permit_mounts_in_userns? as it doesn't seem to
> > > work. Buster is also affected.
> >
> > Please, don't be too fast when thinking about a revert. Several of my
> > colleagues (Debian users) cling to the feature since they need it for
> > using the company's LXC containers; if permit_mounts_in_userns is
> > removed again, they might be forced to switch to non-Debian kernels or
> > to live-patch the kernel with fragile stuff like [1], cp. #913880.
>
> I mean if you can't even remove a directory with files, it's too broken to use.
> So your colleagues find the userns overlay works?
> Or you mean we should take Ubuntu's patch to fix the issue?
sorry for the long delay. My colleagues are using unpriviledged LXC
with overlay fs for building purposes only, thus, read-only access is
sufficient and works. (But yes, the incomplete write-support leads to
annoyance.)
Currently, there is a patch on linux-unionfs that allows using user
xattrs for overlay fs meta data [1]. If the related patchset [2] is
going to be merged, the Debian patch will become obsolete; otherwise we
could think about picking up the patch from [1].
As far as I have seen, the Ubuntu patch allows unpriviledged users to
modify 'trusted.overlay.*' xattrs, which probably has security
implications. ("Probably" as just had a superficial look at it.)
I would prefer to keep a watch on [2] and dicuss further, if it has
been merged or rejected.
Kind regards,
Nicolas
[1]: [PATCH v2 06/10] ovl: user xattr
https://lore.kernel.org/linux-unionfs/20201207163255.564116-7-mszeredi@redhat.com/
[2]: https://lore.kernel.org/linux-unionfs/CAJfpegsiuf8ib5cvVrr=zHZ+Xu7BMMTT2eYapsEUdmPcRBUiwQ@mail.gmail.com/T/#t
Attachment:
signature.asc
Description: PGP signature