Commit Graph

3 Commits

Author SHA1 Message Date
Akihiro Suda
9ade247b38 overlay: support "userxattr" option (kernel 5.11)
The "userxattr" option is needed for mounting overlayfs inside a user namespace with kernel >= 5.11.

The "userxattr" option is NOT needed for the initial user namespace (aka "the host").

Also, Ubuntu (since circa 2015) and Debian (since 10) with kernel < 5.11 can mount the overlayfs in a user namespace without the "userxattr" option.

The corresponding kernel commit: 2d2f2d7322ff43e0fe92bf8cccdc0b09449bf2e1
> ovl: user xattr
>
> Optionally allow using "user.overlay." namespace instead of "trusted.overlay."
> ...
> Disable redirect_dir and metacopy options, because these would allow privilege escalation through direct manipulation of the
> "user.overlay.redirect" or "user.overlay.metacopy" xattrs.

Fix issue 5060

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-01 13:54:51 +09:00
Xiaodong Zhang
e6d787172c Fix some typo in runtime and snapshots
Signed-off-by: Xiaodong Zhang <a4012017@sina.com>
2018-09-08 08:31:42 +08:00
Akihiro Suda
5cc915c26c overlay: add Supported() checker
This function is not called during plugin initialization (#2140),
but should be useful for downstream projects that use overlayfs
snapshotter as a Go library.

Benchmark result on Ubuntu 17.10, GCE n1-standard-4:

BenchmarkOverlaySupportedOnExt4-4                    100          20490598 ns/op
BenchmarkOverlayUnsupportedOnFType0XFS-4           30000             39316 ns/op
BenchmarkOverlaySupportedOnFType1XFS-4               100          19287083 ns/op
BenchmarkOverlayUnsupportedOnFAT-4                   100          14217772 ns/op

i.e. the overhead is typically about 20 msec on this machine.

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-03-06 16:53:21 +09:00