Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow setting mountopt for vfs driver #1972

Open
legobeat opened this issue Jun 13, 2024 · 4 comments
Open

Allow setting mountopt for vfs driver #1972

legobeat opened this issue Jun 13, 2024 · 4 comments
Labels
kind/feature

Comments

@legobeat
Copy link

legobeat commented Jun 13, 2024
edited
Loading

Feature request description

Rootless podman-in-podman, or sudo in rootless, are not working in rootless mode on vfs due to the root filesystem mount being mounted with nosuid set:

$ podman info
ERRO[0000] running `/usr/bin/newuidmap 123 0 1000 1 1 1 999 1000 100000 65536 66536 524288 65536`: newuidmap: write to uid_map failed: Operation not permitted
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1

$ sudo ls
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

# ls -la /usr/bin/newuidmap
-rwxr-xr-x 1 root root 43320 May 23 00:00 /usr/bin/newuidmap

# ls -lan /usr/bin/sudo
---s--x--x 1 0 0 211136 Feb  8 00:00 /usr/bin/sudo

# mount | grep ' / '
/dev/xvdb on / type ext4 (rw,nosuid,nodev,relatime,discard)

# mount / -oremount,suid
mount: /: permission denied.
       dmesg(1) may have more information after failed mount system call.

Trying to set storage.options.vfs.mountopt = "suid" is not recognized, as expected from reading docs:

WARN[0000] Failed to decode the keys ["storage.options.vfs.mountopt"] from "/home/user/.config/containers/storage.conf"

Suggest potential solution

Exposing mountopt for vfs driver just like for overlay would allow unlocking by setting appropriate mountopt.

Have you considered any alternatives?

Using overlay instead of vfs unfortunately does not work as it results in incorrect ownership in rootless: containers/podman#22810 (comment)

Additional context

Related
@legobeat legobeat changed the title Allow setting mount_opts for vfs driver Allow setting mountopt for vfs driver Jun 13, 2024
@giuseppe giuseppe transferred this issue from containers/podman Jun 17, 2024
@rhatdan
Copy link
Member

rhatdan commented Jun 24, 2024

I don't see how this is our issue. Other then saying don't do that.

@legobeat
Copy link
Author

legobeat commented Jun 25, 2024
edited
Loading

I don't see how this is our issue. Other then saying don't do that.

Is there some inherent reason why users should be able to set mount_opt on overlay driver but not on vfs...? There are many reasons why users may want to override the defaults (as the discussion in containers/podman#3263 makes perfectly clear, a "one size fits all" isn't actually a reality).

@rhatdan
Copy link
Member

rhatdan commented Jun 26, 2024

VFS file systems are not mounted.

@giuseppe
Copy link
Member

giuseppe commented Jul 2, 2024

it should be possible to specify nosuid,noexec,nodev for a bind mount, so in theory we could "mount" a vfs on itself using a bind mount and specify these options. We could do it only for the cases where it is needed, as in this case mount_opt != "".

# mkdir /tmp/usr
# mount -o noexec --bind /usr /tmp/usr
# /tmp/usr/bin/echo hello
bash: /tmp/usr/bin/echo: Permission denied

It is a low priority feature, and likely our team won't work on it any time soon, @legobeat interested in opening a PR?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@giuseppe @rhatdan @legobeat