New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
vfs storage driver does not work on NFS #45417
Comments
https://docs.docker.com/storage/storagedriver/select-storage-driver/ |
The commit that introduces this problem is: 31f654a |
The commit (31f654a) is changing the semantics of DirCopy but it did not change daemon/graphdriver/vfs/copy_linux.go's call to DirCopy. |
vfs is declared to work with any filesystem, but after moby@31f654a it's no longer working with NFS. As the extended attribute support depends on filesystem and if we do copy it in vfs and do not allow failure, that would essentially mean that vfs does NOT support all filesystems but only those that support xattr. So we should just try to copy security.capabilities and allow for failure. In this way, vfs come back to the state of being able to run on any filesystem as declared in https://docs.docker.com/storage/storagedriver/select-storage-driver/. Fixes moby#45417 Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
vfs is declared to work with any filesystem, but after moby@31f654a it's no longer working with NFS. As the extended attribute support depends on filesystem and if we do copy it in vfs and do not allow failure, that would essentially mean that vfs does NOT support all filesystems but only those that support xattr. So we should just try to copy security.capabilities and allow for failure. In this way, vfs come back to the state of being able to run on any filesystem as declared in https://docs.docker.com/storage/storagedriver/select-storage-driver/. Fixes moby#45417 Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
NFS v4.2 on Linux 5.9 and above support extended attributes when the underlying filesystem of the export does. https://www.phoronix.com/news/Linux-5.9-NFS-Server-User-Xattr Allowing the VFS driver to operate on filesystems which do not support xattrs will seemingly work at first but will cause hard-to-diagnose problems for containers which depend on file capabilities for proper functioning. The source of the "regression" is a fix for a real problem which affects real containers. In my opinion, the only bugs here are in the documentation and a lack of a filesystem-compatibility check by the vfs driver on daemon startup. |
According to the above link, it only supports user xattr, not security xattr which is copied by vfs.
In the PR's comments, we all agree with the daemon option solution. I'll do it. I'm not familiar with golang and docker source codes. So that may take some time. Please help review when it's done. Thanks :) |
Issue: LIN1023-638 Docker now errors out when running on NFS, this is because the vfs storage driver was introduced a regression about xattr copying. See moby/moby#45417 Backport a patch to fix this issue. (LOCAL REV: NOT UPSTREAM) -- WRLinux Specific Patch Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Description
vfs storage driver does not work on NFS.
A simple 'docker run -it alpine' results in the following error:
docker: Error response from daemon: operation not supported.
level=error msg="Handler for POST /v1.42/containers/create returned error: operation not supported"
Using strace and what I got is:
lgetxattr("/var/lib/docker/vfs/dir/a93d6acc41f0fddc597f35fa1fb0b1c1b79c8ab04000570473cd15da20131cf3", "
security.capability", 0xc000f3b200, 128) = -1 EOPNOTSUPP (Operation not supported)
This means it's trying to get extended security attributes but the underlying NFS does not support it.
Is this expected or is this a bug?
Reproduce
docker run -it alpine
Expected behavior
docker run succeeds
docker version
docker info
Additional Info
The above 'docker version' & 'docker info' output are about 20.10.21, but I want to clarify that this issue has been is still there on current docker.
On docker 23.0.2, we got this problem.
On docker 20.10.21, we got this problem.
On docker 20.10.17, there's no such problem.
The text was updated successfully, but these errors were encountered: