fuse-overlayfs not working inside container #220
Comments
It seems strange.

The container is running with SECCOMP_MODE_FILTER:

```
grep -i seccomp /proc/self/status
Seccomp: 2
```

When I run the grep outside the container I get 0:

```
$ grep -i seccomp /proc/self/status
Seccomp: 0
```

I'm still searching for a way to see the filtered syscalls. Not sure how to get those filters; Google isn't helping.
What happens if you use
Still the same issue.

Container command line:

```
systemd-nspawn --boot -M container0 -D /home/mohan/Virt/containers/container0/ --capability=all --resolv-conf=off --timezone=off --link-journal=no --network-bridge=bridge0 --console=passive --system-call-filter=openat2 --bind /dev/fuse
```

fuse-overlayfs command line inside the container (I'm running fuse-overlayfs as a normal user, not as root):

```
$ fuse-overlayfs -o debug,lowerdir=fo/lower/,upperdir=fo/upper/,workdir=fo/ fo/root/
uid=unchanged
uid=unchanged
upperdir=/home/mohan/Downloads/fo/upper
workdir=fo/
lowerdir=fo/lower/
mountpoint=fo/root/
plugins=<none>
FUSE library version: 3.9.2
unique: 2, opcode: INIT (26), nodeid: 0, insize: 56, pid: 0
INIT: 7.31
flags=0x03fffffb
max_readahead=0x00020000
INIT: 7.31
flags=0x0041f069
max_readahead=0x00020000
max_write=0x00100000
max_background=0
congestion_threshold=0
time_gran=1
unique: 2, success, outsize: 80
unique: 4, opcode: GETATTR (3), nodeid: 1, insize: 56, pid: 57
ovl_getattr(ino=1)
unique: 4, success, outsize: 120
unique: 6, opcode: LOOKUP (1), nodeid: 1, insize: 45, pid: 59
ovl_lookup(parent=1, name=test)
unique: 6, success, outsize: 144
unique: 8, opcode: CREATE (35), nodeid: 1, insize: 61, pid: 59
ovl_create(parent=1, name=test)
unique: 8, error: -1 (Operation not permitted), outsize: 16
```

Version:

```
$ fuse-overlayfs --version
fuse-overlayfs: version 1.1.0
FUSE library version 3.9.2
using FUSE kernel interface version 7.31
fusermount3 version: 3.9.2
```

Host,
I am quite sure it depends on the seccomp filter blocking the syscall. openat2 should not return

Is there a way to disable seccomp with systemd-nspawn?
It seems to be an issue with https://lists.freedesktop.org/archives/systemd-devel/2020-June/044755.html. I think this is not an issue with fuse-overlayfs. Closing this issue.
I'm using a systemd-nspawn container; when I try fuse-overlayfs inside my container, it didn't work.

Steps to reproduce, from inside container0, as a normal user:

It seems that if we disable openat2(), it works properly.
I'm not exactly sure, but I suspect RESOLVE_IN_ROOT. The errno from syscall_openat2 is EPERM.
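The thread above turns on one distinction: a seccomp filter that answers openat2(2) with EPERM looks, to the caller, like a genuine permission failure, whereas ENOSYS tells a caller the kernel lacks the syscall and it should fall back to openat(2). The probe below is an added example, not code from this issue, from fuse-overlayfs or from systemd: it invokes openat2(2) directly through syscall(2) with RESOLVE_IN_ROOT, classifies the resulting errno, and reads the Seccomp field from /proc/self/status the same way the `grep` in the comments does. The syscall number 437, the RESOLVE_IN_ROOT value 0x10 and the struct layout are those of the kernel UAPI headers, repeated here in case the local headers predate openat2; the function and enum names are my own.

```c
/* Added probe (not part of fuse-overlayfs or systemd): tells apart
 * "kernel lacks openat2" (ENOSYS) from "seccomp filter rejects it" (EPERM). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* openat2(2) is number 437 on every architecture; older libc headers
 * may not define SYS_openat2, AT_FDCWD or RESOLVE_IN_ROOT. */
#ifndef SYS_openat2
#define SYS_openat2 437
#endif
#ifndef AT_FDCWD
#define AT_FDCWD (-100)
#endif
#ifndef RESOLVE_IN_ROOT
#define RESOLVE_IN_ROOT 0x10
#endif

/* Same prototype glibc uses; stated explicitly so the probe builds
 * even when feature macros were not set before <unistd.h>. */
long syscall(long number, ...);

/* Mirrors struct open_how from <linux/openat2.h> (not always installed). */
struct probe_open_how {
    uint64_t flags;
    uint64_t mode;
    uint64_t resolve;
};

enum openat2_status {
    OPENAT2_USABLE,      /* syscall succeeded */
    OPENAT2_UNSUPPORTED, /* ENOSYS: old kernel, fall back to openat(2) */
    OPENAT2_FILTERED,    /* EPERM: a seccomp filter rejected the syscall */
    OPENAT2_OTHER        /* any other errno */
};

/* Classify the errno left behind by an openat2(2) attempt (0 = success). */
enum openat2_status classify_openat2_errno(int err)
{
    switch (err) {
    case 0:      return OPENAT2_USABLE;
    case ENOSYS: return OPENAT2_UNSUPPORTED;
    case EPERM:  return OPENAT2_FILTERED;
    default:     return OPENAT2_OTHER;
    }
}

/* Open "." read-only with RESOLVE_IN_ROOT via a raw openat2(2) call,
 * the way a libc wrapper-less caller would, and report the outcome. */
enum openat2_status probe_openat2(int *saved_errno)
{
    struct probe_open_how how;
    memset(&how, 0, sizeof how);
    how.flags = O_RDONLY;
    how.resolve = RESOLVE_IN_ROOT;

    int fd = (int) syscall(SYS_openat2, AT_FDCWD, ".", &how, sizeof how);
    int err = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);
    if (saved_errno)
        *saved_errno = err;
    return classify_openat2_errno(err);
}

/* Parse the "Seccomp:<tab><n>" line of /proc/<pid>/status text.
 * Returns 0 (disabled), 1 (strict), 2 (filter), or -1 if the line is absent. */
int parse_seccomp_mode(const char *status_text)
{
    const char *p = strstr(status_text, "Seccomp:");
    if (!p)
        return -1;
    p += strlen("Seccomp:");
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p < '0' || *p > '9')
        return -1;
    return *p - '0';
}

/* Read this process's own seccomp mode from procfs. */
int current_seccomp_mode(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_seccomp_mode(buf);
}

int main(void)
{
    static const char *names[] = {
        "usable", "unsupported (ENOSYS)", "filtered (EPERM)", "other"
    };
    int err = 0;
    enum openat2_status st = probe_openat2(&err);
    printf("Seccomp mode: %d\n", current_seccomp_mode());
    printf("openat2: %s%s%s\n", names[st], err ? ", errno: " : "",
           err ? strerror(err) : "");
    return 0;
}
```

Run it once on the host and once inside the nspawn container: on a kernel with openat2 and no filter it reports mode 0 and "usable"; inside a container whose filter rejects the syscall it reports mode 2 and "filtered (EPERM)", which is the combination the reporter saw and the reason the fuse-overlayfs fallback never engaged.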