dmz: overlay: minor fixups #4509
Conversation
If /run/runc and /usr/bin are on different filesystems, overlayfs may enable the xino feature which results in the following log message: kernel: overlayfs: "xino" feature enabled using 3 upper inode bits. Each time we have to protect /proc/self/exe. So disable xino to remove the log message (we don't care about the inode numbers of the files anyway). Signed-off-by: Aleksa Sarai <[email protected]>
cyphar
force-pushed
the
overlay-exe-fixups
branch
from
b2426ab to
c8215f7
Compare
|
Side note: it is confusing that the new overlay stuff is also called "dmz" |
|
Yeah it might make sense to rename |
cyphar
force-pushed
the
overlay-exe-fixups
branch
from
c8215f7 to
8c6767b
Compare
Signed-off-by: Aleksa Sarai <[email protected]>
Fixes: 871057d ("drop runc-dmz solution according to overlay solution") Signed-off-by: Aleksa Sarai <[email protected]>
cyphar
force-pushed
the
overlay-exe-fixups
branch
from
8c6767b to
b9dfb22
Compare
kolyshkin
added
the
backport/1.2-todo
| > **NOTE**: Since runc 1.2.0, runc will now use a private overlayfs mount to | ||
| > protect the runc binary. This protection is far more light-weight than | ||
| > memfd-bind, and for most users this should obviate the need for `memfd-bind` | ||
| > entirely. Rootless containers will still make a memfd copy (unless you are | ||
| > using `runc` itself inside a user namespace -- a-la | ||
| > [`rootlesskit`][rootlesskit]), but `memfd-bind` is not particularly useful | ||
| > for rootless container users anyway (see [Caveats](#Caveats) for more | ||
| > details). |
There was a problem hiding this comment.
Can you document the Linux kernel requirements?
There was a problem hiding this comment.
@rata are you referring to kernel requirements needed for overlayfs-based protection, or is it about memfd-bind?
There was a problem hiding this comment.
Oh, sorry, I mean overlayfs. We are using the new mount API, now another "new" syscall too. It's important to document it, IMHO.
Let's not do that until the code will be stabilized (say until v1.3 release) as otherwise backporting stuff will be a pain. |
|
Can someone open a follow-up PR to document the kernel requirements for the overlayfs-based protection? |
|
Sorry, I was at a conference today. I planned to update this PR tomorrow 😅. I'll send a new one. One thing to note is that these docs living in |
|
@cyphar thanks! Yeah, not sure where it's the right place, but the requirements should be somewhere :D |
|
#4525 is the follow-up PR. |
lifubang
added
backport/1.2-done
In addition to some documentation fixes, fix the
xinodmesg log issue.If /run/runc and /usr/bin are on different filesystems, overlayfs may
enable the xino feature which results in the following log message:
kernel: overlayfs: "xino" feature enabled using 3 upper inode bits.
Each time we have to protect /proc/self/exe. So disable xino to remove
the log message (we don't care about the inode numbers of the files
anyway).
Fixes #4508
Closes #4506
Signed-off-by: Aleksa Sarai [email protected]