Read-only files on the mirror layer cannot be deleted or changed. #45262
Comments
zyy4676
added
kind/feature
This is expected. The Docker daemon uses "tar-split" (https://github.com/vbatts/tar-split); when pulling an image the original tar file for the layer is discarded, but its headers are kept. Those headers contain information of files that are expected to be in the layer. When saving the image, files are verified against those checksums, and only the files that are expected to be there are included in the image that's saved.
Unfortunately, that won't be possible due to how CoW filesystems (and overlayfs) work. Files in underlying layers will have their regular permissions (which can be "writable"), but when using the layers for containers, those layers will be mounted as lower-dirs (which makes them "read only"). Files inside ls -la /var/lib/docker
total 96
drwx--x--- 14 root root 4096 Mar 28 12:19 .
drwxr-xr-x 40 root root 4096 Oct 27 2021 ..
drwx------ 2 root root 4096 May 25 2019 builder
drwx------ 5 root root 4096 Mar 18 2021 buildkit
drwx--x--- 5 root root 4096 Mar 28 12:19 containers
-rw------- 1 root root 59 Mar 7 12:15 engine-id
drwx------ 3 root root 4096 Jun 27 2022 image
drwxr-x--- 3 root root 4096 May 25 2019 network
drwx--x--- 337 root root 36864 Mar 28 12:19 overlay2
drwx------ 4 root root 4096 May 25 2019 plugins
drwx------ 2 root root 4096 Mar 28 12:19 runtimes
drwx------ 5 root root 4096 Mar 28 12:19 swarm
drwx------ 2 root root 4096 Mar 28 12:19 tmp
drwx------ 2 root root 4096 May 25 2019 trust
drwx-----x 5 root root 4096 Mar 28 12:19 volumes |
Files in lower-dirs why need write permission. |
|
Hm.. not sure if that would work, as that would be modifying the files as available inside the container as well; docker run --rm alpine lsattr -l /etc/nsswitch.conf
/etc/nsswitch.conf Extentschange the file on the host; chattr +i /var/lib/docker/overlay2/282bcb7a9e27db2b5f6fdc79b0744b2d670da3ef8e393a0a984094f2403c049d/diff/etc/nsswitch.confAnd notice that the file inside the container also gets that attribute, and the file will be immutable inside the container; docker run --rm alpine lsattr -l /etc/nsswitch.conf
/etc/nsswitch.conf Immutable, Extents
Lowerdirs won't be writable either way, so this would only affect cases where something is trying to modify files in |
|
In the production environment, in order to prevent data from being deleted by mistake, we ues recycling station. Deleting files using rm, the files will be put into the recycling station. A week later, we find all the recycling station on the host and cleaned them up, but we found that if the recycling station at container lowerdir was cleaned up, it would cause a docker save exception. Maybe we shouldn't cleaned the recycling station in containers from hosts. But we should be denied permission to change these files in /var/lib/docker. |
Description
Read-only files on the mirror layer should not be deleted or changed.
Files in LowerDir should not be deleted or changed. I deleted the file at tLowerDir on the host machine,then i exec docker save, the image can't be saved.
But I add file at tLowerDir on the host machine,then i exec docker save, the image can be saved.
I think read-only files on the mirror layer cannot be deleted or changed, when i chenge file, that should be prompted that the permission is insufficient.
The text was updated successfully, but these errors were encountered: