Merge pull request #9117 from kinvolk/rata/userns-chown-opt-in

Require opt-in for rootfs chown when idmap mounts is not supported
2023-09-28 02:34:41 +09:00
parent 719fa3d3f7 8e3722c7d1
commit 9ca6fd9e6e
5 changed files with 79 additions and 10 deletions
--- a/snapshots/overlay/overlay.go
+++ b/snapshots/overlay/overlay.go
@@ -46,6 +46,7 @@ type SnapshotterConfig struct {
 	ms            MetaStore
 	mountOptions  []string
 	remapIds      bool
+	slowChown     bool
 }

 // Opt is an option to configure the overlay snapshotter
@@ -98,6 +99,11 @@ func WithRemapIds(config *SnapshotterConfig) error {
 	return nil
 }

+func WithSlowChown(config *SnapshotterConfig) error {
+	config.slowChown = true
+	return nil
+}
+
 type snapshotter struct {
 	root          string
 	ms            MetaStore
@@ -105,6 +111,7 @@ type snapshotter struct {
 	upperdirLabel bool
 	options       []string
 	remapIds      bool
+	slowChown     bool
 }

 // NewSnapshotter returns a Snapshotter which uses overlayfs. The overlayfs
@@ -161,6 +168,7 @@ func NewSnapshotter(root string, opts ...Opt) (snapshots.Snapshotter, error) {
 		upperdirLabel: config.upperdirLabel,
 		options:       config.mountOptions,
 		remapIds:      config.remapIds,
+		slowChown:     config.slowChown,
 	}, nil
 }

--- a/snapshots/overlay/plugin/plugin.go
+++ b/snapshots/overlay/plugin/plugin.go
@@ -28,7 +28,8 @@ import (
 )

 const (
-	capaRemapIds = "remap-ids"
+	capaRemapIds     = "remap-ids"
+	capaOnlyRemapIds = "only-remap-ids"
 )

 // Config represents configuration for the overlay plugin.
@@ -38,6 +39,11 @@ type Config struct {
 	UpperdirLabel bool   `toml:"upperdir_label"`
 	SyncRemove    bool   `toml:"sync_remove"`

+	// slowChown allows the plugin to fallback to a recursive chown if fast options (like
+	// idmap mounts) are not available. See more info about the overhead this can have in
+	// github.com/containerd/containerd/docs/user-namespaces/.
+	SlowChown bool `toml:"slow_chown"`
+
 	// MountOptions are options used for the overlay mount (not used on bind mounts)
 	MountOptions []string `toml:"mount_options"`
 }
@@ -76,6 +82,14 @@ func init() {
 				ic.Meta.Capabilities = append(ic.Meta.Capabilities, capaRemapIds)
 			}

+			if config.SlowChown {
+				oOpts = append(oOpts, overlay.WithSlowChown)
+			} else {
+				// If slowChown is false, we use capaOnlyRemapIds to signal we only
+				// allow idmap mounts.
+				ic.Meta.Capabilities = append(ic.Meta.Capabilities, capaOnlyRemapIds)
+			}
+
 			ic.Meta.Exports["root"] = root
 			return overlay.NewSnapshotter(root, oOpts...)
 		},