kernel: enable idmapped mounts on overlayfs for sysbox#37
Open
kernel: enable idmapped mounts on overlayfs for sysbox#37
Conversation
Upstream overlayfs is missing the FS_ALLOW_IDMAP flag on ovl_fs_type, which causes mount_setattr(MOUNT_ATTR_IDMAP) to return -EINVAL on overlay mounts. This prevents sysbox from applying transparent UID shifting to the container rootfs, resulting in files from image layers appearing as nobody:nogroup inside the container. Add FS_ALLOW_IDMAP to the overlayfs file_system_type flags. This patch has been submitted upstream (https://lkml.org/lkml/2025/8/15/1218) but not yet merged.
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
FS_ALLOW_IDMAPflag to overlayfsovl_fs_typein the kernel, enablingmount_setattr(MOUNT_ATTR_IDMAP)on overlay mountsmount_setattr()call silently fails withEINVAL, causing image layer files to appear asnobody:nogroupinside containersRoot cause
Upstream Linux (including 6.9 and 6.17) has never set
FS_ALLOW_IDMAPon overlayfs. A patch was submitted to LKML in Aug 2025 but has not been merged yet. Sysbox detects "Overlayfs on ID-mapped mounts supported: yes" (by testing a different operation — creating overlay with ID-mapped layers) but at runtime tries to ID-map the existing overlay mount, which requiresFS_ALLOW_IDMAP.Test plan
mount_setattr(MOUNT_ATTR_IDMAP)succeeds on overlay mounts with the patched kernelnobody:nogroup) for image layer files