How to to use "--rootfs ./dir:O" when dir is a squashfuse mount point? #12146

eriksjolund · 2021-10-31T12:03:35Z

eriksjolund
Oct 31, 2021

Do you think it should be possible to provide the rootfs directory from a squashfuse FUSE mountpoint when using podman run --rootfs ./dir:O ... with rootless Podman?

The idea is to first mount the squashfs archive with squashfuse and then provide the mountpoint to --rootfs.
Something like this:

podman export $(podman create alpine) --output alpine.tar
mkdir alpinecontainer
tar -xf alpine.tar -C alpinecontainer
mksquashfs alpinecontainer/ alpine.squash
mkdir mntdir
squashfuse alpine.squash mntdir 
podman run --rootfs ./mntdir:O ....

I tried it out on a Fedora 34 computer with Podman built from the Git commit 85bad0c

[testuser@laptop ~]$ podman version
Version:      4.0.0-dev
API Version:  4.0.0-dev
Go Version:   go1.16.7
Git Commit:   85bad0cc7c68b71ab7ddb6ed09b862145c6c6d0e
Built:        Sat Oct 30 20:58:09 2021
OS/Arch:      linux/amd64
[testuser@laptop ~]$

but it failed

[testuser@laptop ~]$ podman run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range="0 0"  --rootfs ./mntdir/:O echo success
Error: open `/run/user/1004/containers/overlay-containers/309fa64ea95ae9844cda44a19e1b2eae5df6250232cd6c13ab322be23b9ebd0f/rootfs/merge/resolv.conf`: No such file or directory: OCI runtime attempted to invoke a command that was not found
[testuser@laptop ~]$

Running from the original directory --rootfs ./alpinecontainer/:O worked fine.

[testuser@laptop ~]$ podman run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range="0 0"  --rootfs ./alpinecontainer/:O echo success
success
[testuser@laptop ~]$

When listing the files in the directories mntdir/ and alpinecontainer/ they look the same

[testuser@laptop ~]$ ls -l mntdir/
total 0
drwxr-xr-x.  2 testuser testuser 0 Aug 27 13:05 bin
drwxr-xr-x.  2 testuser testuser 0 Aug 27 13:05 dev
drwxr-xr-x. 15 testuser testuser 0 Aug 27 13:05 etc
drwxr-xr-x.  2 testuser testuser 0 Aug 27 13:05 home
drwxr-xr-x.  7 testuser testuser 0 Aug 27 13:05 lib
drwxr-xr-x.  5 testuser testuser 0 Aug 27 13:05 media
drwxr-xr-x.  2 testuser testuser 0 Aug 27 13:05 mnt
drwxr-xr-x.  2 testuser testuser 0 Aug 27 13:05 opt
dr-xr-xr-x.  2 testuser testuser 0 Aug 27 13:05 proc
drwx------.  2 testuser testuser 0 Aug 27 13:05 root
drwxr-xr-x.  2 testuser testuser 0 Aug 27 13:05 run
drwxr-xr-x.  2 testuser testuser 0 Aug 27 13:05 sbin
drwxr-xr-x.  2 testuser testuser 0 Aug 27 13:05 srv
drwxr-xr-x.  2 testuser testuser 0 Aug 27 13:05 sys
drwxr-xr-x.  2 testuser testuser 0 Aug 27 13:05 tmp
drwxr-xr-x.  7 testuser testuser 0 Aug 27 13:05 usr
drwxr-xr-x. 12 testuser testuser 0 Aug 27 13:05 var
[testuser@laptop ~]$ ls -l alpinecontainer/
total 16
drwxr-xr-x.  2 testuser testuser 4096 Aug 27 13:05 bin
drwxr-xr-x.  2 testuser testuser    6 Aug 27 13:05 dev
drwxr-xr-x. 15 testuser testuser 4096 Aug 27 13:05 etc
drwxr-xr-x.  2 testuser testuser    6 Aug 27 13:05 home
drwxr-xr-x.  7 testuser testuser 4096 Aug 27 13:05 lib
drwxr-xr-x.  5 testuser testuser   44 Aug 27 13:05 media
drwxr-xr-x.  2 testuser testuser    6 Aug 27 13:05 mnt
drwxr-xr-x.  2 testuser testuser    6 Aug 27 13:05 opt
dr-xr-xr-x.  2 testuser testuser    6 Aug 27 13:05 proc
drwx------.  2 testuser testuser    6 Aug 27 13:05 root
drwxr-xr-x.  2 testuser testuser    6 Aug 27 13:05 run
drwxr-xr-x.  2 testuser testuser 4096 Aug 27 13:05 sbin
drwxr-xr-x.  2 testuser testuser    6 Aug 27 13:05 srv
drwxr-xr-x.  2 testuser testuser    6 Aug 27 13:05 sys
drwxr-xr-x.  2 testuser testuser    6 Aug 27 13:05 tmp
drwxr-xr-x.  7 testuser testuser   66 Aug 27 13:05 usr
drwxr-xr-x. 12 testuser testuser  137 Aug 27 13:05 var
[testuser@laptop ~]$

Sidenote 1: I think the functionality to use rootfs with overlay (podman run --rootfs ./dir:O ...) is not yet available in any Podman release (so you need to build Podman from the Git repository).

Sidenote 2: Not related to this question regarding --rootfs, but I managed to mount a squashfs archive from within a container when running rootless Podman:
https://stackoverflow.com/questions/69786271/how-to-mount-a-squashfs-file-in-a-container-when-running-rootless-podman

rhatdan · 2021-11-01T11:41:49Z

rhatdan
Nov 1, 2021
Maintainer

I see no reason why this would not work. I don't think we should add a feature to Podman to support mounting squashfs, but --rootfs should work on any type of file system. SELinux could block certain accesses. And User Namespace might be a problem, depending on the ownership of files.

7 replies

flouthoc Nov 2, 2021
Maintainer

I think this is happening because the underlying fs has wrong ownership and podman is unable to create resolv.conf as we only configure mountpoint ownership when using overlay with rootfs not on the entire fs. I saw something similar when we were working on #11937

To verify @eriksjolund could you try. But this patch cannot be merged into upstream.
This is just to verify not a fix for this issue

diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index b9805faa3..8b699d25b 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -1545,7 +1545,7 @@ func (c *Container) mountStorage() (_ string, deferredErr error) {
                }
 
                //note: this should not be recursive, if using external rootfs users should be responsible on configuring ownership.
-               if err := chown.ChangeHostPathOwnership(mountPoint, false, int(hostUID), int(hostGID)); err != nil {
+               if err := chown.ChangeHostPathOwnership(mountPoint, true, int(hostUID), int(hostGID)); err != nil {
                        return "", err
                }
        }

But I am not entirely sure so I'll try reproducing this then i can verify.

giuseppe Nov 2, 2021
Maintainer

/run/user/1004/containers/overlay-containers/cff3b8be197e4036c41e224634f9988da90cb7c69d4f8f2267dbbdd7dd66717e/rootfs/merge/resolv.conf

looks like the wrong path.

Shouldn't it be /run/user/1004/containers/overlay-containers/cff3b8be197e4036c41e224634f9988da90cb7c69d4f8f2267dbbdd7dd66717e/rootfs/merge/etc/resolv.conf

Is /etc/resolv.conf in the image a symlink?

Does it make any difference if you specify the full path to rootfs?

podman run --security-opt label=disable --privileged --rm --sysctl net.ipv4.ping_group_range="0 30000" --rootfs $(pwd)/mntdir/:O echo success

eriksjolund Nov 2, 2021
Author

@flouthoc
I'll try out your patch later this week (probably in the weekend).

@giuseppe There seems to be no resolv.conf.

[testuser@laptop ~]$ podman export $(podman create docker.io/library/alpine) --output file.tar
[testuser@laptop ~]$ tar tvf file.tar |grep resolv.conf
[testuser@laptop ~]$

Providing the full path to --rootfs also fails. (See Bash script example below).

Here is a Bash script that can be run on a Fedora 34 computer to demonstrate the difference between using squashfuse (case 1) and not using squashfuse (case 2). The script provides the full path to --rootfs.
Maybe I'm just doing a stupid mistake. I haven't had time to check the script thoroughly.

#!/bin/bash

set -o errexit
set -o nounset

dir=$(mktemp -d)
mntdir=$dir/mntdir
tarfile=$dir/image.tar
untardir=$dir/untardir
squashfile=$dir/squashfile

mkdir $mntdir
mkdir $untardir

image=docker.io/library/alpine
#image=docker.io/library/fedora

oneUID() {
  tar -xf $tarfile -C $untardir
  mksquashfs $untardir $squashfile
  squashfuse $squashfile $mntdir
}


# TODO: try out multiUID(). Not yet tested.
multiUID() {
  podman unshare bash -c "mkdir alpinecontainer && tar -xf $tarfile -C $untardir"
  sudo mksquashfs $untardir $squashfile
  squashfuse -o allow_other $squashfile $mntdir
}

check_files() {
    # compare file ownership and file content.
    str="%p %u %U %g %G %m %s\n"    
    $(cd $1 && find . -type f -printf "$str" | sort > $dir/1.txt)
    $(cd $2 && find . -type f -printf "$str" | sort > $dir/2.txt)    
    diff -u $dir/1.txt $dir/2.txt
    diff -r --no-dereference $1 $2
}

podman export $(podman create $image) --output $tarfile

oneUID
check_files $untardir $mntdir

case $1 in
    1) podman run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range="0 0" --rootfs $mntdir:O echo success
    ;;
    2) podman run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range="0 0" --rootfs $untardir:O echo success
    ;;
esac

Testing the two cases

[testuser@laptop ~]$ rpm -qf /usr/bin/squashfuse
squashfuse-0.1.102-8.fc34.x86_64
[testuser@laptop ~]$ bash script.bash 1
Parallel mksquashfs: Using 8 processors
Creating 4.0 filesystem on /tmp/tmp.YWsgquSJZS/squashfile, block size 131072.
[=============================================================================================================================================|] 109/109 100%

Exportable Squashfs 4.0 filesystem, gzip compressed, data block size 131072
	compressed data, compressed metadata, compressed fragments,
	compressed xattrs, compressed ids
	duplicates are removed
Filesystem size 2666.23 Kbytes (2.60 Mbytes)
	48.53% of uncompressed filesystem size (5493.65 Kbytes)
Inode table size 3314 bytes (3.24 Kbytes)
	15.31% of uncompressed inode table size (21640 bytes)
Directory table size 4647 bytes (4.54 Kbytes)
	53.69% of uncompressed directory table size (8655 bytes)
Xattr table size 53 bytes (0.05 Kbytes)
	100.00% of uncompressed xattr table size (53 bytes)
Number of duplicate files found 6
Number of inodes 494
Number of files 76
Number of fragments 6
Number of symbolic links 321
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 97
Number of ids (unique uids + gids) 1
Number of uids 1
	testuser (1004)
Number of gids 1
	testuser (1004)
Error: open `/run/user/1004/containers/overlay-containers/1fc42a8da7412398227438f19df3622fa71107176a9a6f1b79cf9448f4f00428/rootfs/merge/.containerenv`: No such file or directory: OCI runtime attempted to invoke a command that was not found
[testuser@laptop ~]$ 
[testuser@laptop ~]$ 
[testuser@laptop ~]$ 
[testuser@laptop ~]$ 
[testuser@laptop ~]$ bash script.bash 2
Parallel mksquashfs: Using 8 processors
Creating 4.0 filesystem on /tmp/tmp.HeIJpZGeQQ/squashfile, block size 131072.
[=============================================================================================================================================|] 109/109 100%

Exportable Squashfs 4.0 filesystem, gzip compressed, data block size 131072
	compressed data, compressed metadata, compressed fragments,
	compressed xattrs, compressed ids
	duplicates are removed
Filesystem size 2666.23 Kbytes (2.60 Mbytes)
	48.53% of uncompressed filesystem size (5493.65 Kbytes)
Inode table size 3315 bytes (3.24 Kbytes)
	15.32% of uncompressed inode table size (21640 bytes)
Directory table size 4647 bytes (4.54 Kbytes)
	53.69% of uncompressed directory table size (8655 bytes)
Xattr table size 53 bytes (0.05 Kbytes)
	100.00% of uncompressed xattr table size (53 bytes)
Number of duplicate files found 6
Number of inodes 494
Number of files 76
Number of fragments 6
Number of symbolic links 321
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 97
Number of ids (unique uids + gids) 1
Number of uids 1
	testuser (1004)
Number of gids 1
	testuser (1004)
success
[testuser@laptop ~]$

eriksjolund Nov 7, 2021
Author

@flouthoc after applying your patch I got the same result as before.

I then reverted the patch and rebuilt podman from abbd6c1 (from the main branch).

The user testuser was deleted and recreated

[testuser@laptop ~]$ grep testuser /etc/subuid
testuser:724288:65536
[testuser@laptop ~]$ grep testuser /etc/subgid
testuser:624288:65536
[testuser@laptop ~]$ id
uid=1008(testuser) gid=1008(testuser) groups=1008(testuser) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[testuser@laptop ~]$

Interestingly podman run --rootfs ... works with a normal mount

sudo mount $squashfile $mntdir_normal -t squashfs -o loop

but not when using a mount from squashfuse

squashfuse -d $squashfile $mntdir_squashfuse

Here is a new test script (test.bash):

#!/bin/bash

set -o errexit
set -o nounset

dir=$(mktemp -d)
mntdir_normal=$dir/mntdir_normal
mntdir_squashfuse=$dir/mntdir_squashfuse
tarfile=$dir/image.tar
untardir=$dir/untardir
squashfile=$dir/squashfile

mkdir $mntdir_normal
mkdir $mntdir_squashfuse
mkdir $untardir

image=docker.io/library/alpine

podman export $(podman create $image) --output $tarfile
tar -xf $tarfile -C $untardir
mksquashfs $untardir $squashfile

echo
echo "#### Run these commands in another termainal"
echo sudo mount $squashfile $mntdir_normal -t squashfs -o loop
echo podman --log-level=debug run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range=\"0 0\" --rootfs $mntdir_normal:O echo success
echo podman --log-level=debug run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range=\"0 0\" --rootfs $mntdir_squashfuse:O echo success
echo
echo "### debug output from \"squashfuse -d $squashfile $mntdir_squashfuse\""

squashfuse -d $squashfile $mntdir_squashfuse

(adding the command-line flag -d enables debug output from squashfuse)

Run the script test.bash:

[testuser@laptop ~]$ bash test.bash
Parallel mksquashfs: Using 8 processors
Creating 4.0 filesystem on /tmp/tmp.AiOUpA1VHz/squashfile, block size 131072.
[=============================================================================================================================================================================================================================|] 109/109 100%

Exportable Squashfs 4.0 filesystem, gzip compressed, data block size 131072
	compressed data, compressed metadata, compressed fragments,
	compressed xattrs, compressed ids
	duplicates are removed
Filesystem size 2666.23 Kbytes (2.60 Mbytes)
	48.53% of uncompressed filesystem size (5493.65 Kbytes)
Inode table size 3315 bytes (3.24 Kbytes)
	15.32% of uncompressed inode table size (21640 bytes)
Directory table size 4647 bytes (4.54 Kbytes)
	53.69% of uncompressed directory table size (8655 bytes)
Xattr table size 53 bytes (0.05 Kbytes)
	100.00% of uncompressed xattr table size (53 bytes)
Number of duplicate files found 6
Number of inodes 494
Number of files 76
Number of fragments 6
Number of symbolic links 321
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 97
Number of ids (unique uids + gids) 1
Number of uids 1
	testuser (1008)
Number of gids 1
	testuser (1008)

#### Run these commands in another termainal
sudo mount /tmp/tmp.AiOUpA1VHz/squashfile /tmp/tmp.AiOUpA1VHz/mntdir_normal -t squashfs -o loop
podman --log-level=debug run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range="0 0" --rootfs /tmp/tmp.AiOUpA1VHz/mntdir_normal:O echo success
podman --log-level=debug run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range="0 0" --rootfs /tmp/tmp.AiOUpA1VHz/mntdir_squashfuse:O echo success

### debug output from "squashfuse -d /tmp/tmp.AiOUpA1VHz/squashfile /tmp/tmp.AiOUpA1VHz/mntdir_squashfuse"
FUSE library version: 2.9.9
nullpath_ok: 0
nopath: 0
utime_omit_ok: 0
unique: 2, opcode: INIT (26), nodeid: 0, insize: 56, pid: 0
INIT: 7.34
flags=0x33fffffb
max_readahead=0x00020000
   INIT: 7.19
   flags=0x00000011
   max_readahead=0x00020000
   max_write=0x00020000
   max_background=0
   congestion_threshold=0
   unique: 2, success, outsize: 40

The script test.bash does not return, but it echoes a few commands that can be copy-pasted into another terminal window:

sudo mount /tmp/tmp.AiOUpA1VHz/squashfile /tmp/tmp.AiOUpA1VHz/mntdir_normal -t squashfs -o loop
podman --log-level=debug run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range="0 0" --rootfs /tmp/tmp.AiOUpA1VHz/mntdir_normal:O echo success
podman --log-level=debug run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range="0 0" --rootfs /tmp/tmp.AiOUpA1VHz/mntdir_squashfuse:O echo success

Test with rootfs from a normal squahfs mount (result: success)

[testuser@laptop podman]$ sudo mount /tmp/tmp.AiOUpA1VHz/squashfile /tmp/tmp.AiOUpA1VHz/mntdir_normal -t squashfs -o loop
[testuser@laptop podman]$ podman --log-level=debug run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range="0 0" --rootfs /tmp/tmp.AiOUpA1VHz/mntdir_normal:O echo success
INFO[0000] podman filtering at log level debug          
DEBU[0000] Called run.PersistentPreRunE(podman --log-level=debug run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range=0 0 --rootfs /tmp/tmp.AiOUpA1VHz/mntdir_normal:O echo success) 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Merged system config "/home/testuser/containers.conf" 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Using conmon: "/home/testuser/output/bin/conmon" 
DEBU[0000] Initializing boltdb state at /home/testuser/.local/share/containers/storage/libpod/bolt_state.db 
DEBU[0000] Using graph driver overlay                   
DEBU[0000] Using graph root /home/testuser/.local/share/containers/storage 
DEBU[0000] Using run root /run/user/1008/containers     
DEBU[0000] Using static dir /home/testuser/.local/share/containers/storage/libpod 
DEBU[0000] Using tmp dir /run/user/1008/libpod/tmp      
DEBU[0000] Using volume path /home/testuser/.local/share/containers/storage/volumes 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Cached value indicated that metacopy is not being used 
DEBU[0000] Cached value indicated that native-diff is usable 
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=true, usingMetacopy=false 
DEBU[0000] Initializing event backend journald          
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument 
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument 
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument 
DEBU[0000] Using OCI runtime "/home/testuser/output/bin/crun" 
INFO[0000] Setting parallel job count to 25             
DEBU[0000] using systemd mode: false                    
DEBU[0000] No hostname set; container's hostname will default to runtime default 
DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json" 
DEBU[0000] Allocated lock 12 for container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f 
DEBU[0000] Created container "621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f" 
DEBU[0000] Container "621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f" has work directory "/home/testuser/.local/share/containers/storage/overlay-containers/621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f/userdata" 
DEBU[0000] Container "621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f" has run directory "/run/user/1008/containers/overlay-containers/621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f/userdata" 
DEBU[0000] Not attaching to stdin                       
DEBU[0000] Made network namespace at /run/user/1008/netns/cni-1eb2c959-b2d4-774d-353b-034e1d40e580 for container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f 
DEBU[0000] slirp4netns command: /home/testuser/output/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp --enable-ipv6 -c -e 3 -r 4 --netns-type=path /run/user/1008/netns/cni-1eb2c959-b2d4-774d-353b-034e1d40e580 tap0 
DEBU[0000] Created root filesystem for container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f at /run/user/1008/containers/overlay-containers/621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f/rootfs/merge 
DEBU[0000] /etc/system-fips does not exist on host, not mounting FIPS mode subscription 
DEBU[0000] Setting CGroups for container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f to user.slice:libpod:621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f 
DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d 
DEBU[0000] Workdir "/" resolved to host path "/run/user/1008/containers/overlay-containers/621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f/rootfs/merge" 
DEBU[0000] Created OCI spec for container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f at /home/testuser/.local/share/containers/storage/overlay-containers/621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f/userdata/config.json 
DEBU[0000] /home/testuser/output/bin/conmon messages will be logged to syslog 
DEBU[0000] running conmon: /home/testuser/output/bin/conmon  args="[--api-version 1 -c 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f -u 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f -r /home/testuser/output/bin/crun -b /home/testuser/.local/share/containers/storage/overlay-containers/621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f/userdata -p /run/user/1008/containers/overlay-containers/621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f/userdata/pidfile -n romantic_boyd --exit-dir /run/user/1008/libpod/tmp/exits --full-attach -s -l journald --log-level debug --syslog --conmon-pidfile /run/user/1008/containers/overlay-containers/621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f/userdata/conmon.pid --exit-command /home/testuser/output/bin/podman --exit-command-arg --root --exit-command-arg /home/testuser/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /run/user/1008/containers --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/user/1008/libpod/tmp --exit-command-arg --cni-config-dir --exit-command-arg /home/testuser/.config/cni/net.d --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg --syslog --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f]"
[conmon:d]: failed to write to /proc/self/oom_score_adj: Permission denied

DEBU[0000] Received: 22777                              
INFO[0000] Got Conmon PID as 22774                      
DEBU[0000] Created container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f in OCI runtime 
DEBU[0000] Attaching to container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f 
DEBU[0000] Starting container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f with command [echo success] 
DEBU[0000] Started container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f 
INFO[0000] Received shutdown.Stop(), terminating!        PID=22754
DEBU[0000] Enabling signal proxying                     
success
DEBU[0000] Checking if container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f should restart 
DEBU[0000] Removing container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f 
DEBU[0000] Removing all exec sessions for container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f 
DEBU[0000] Cleaning up container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f 
DEBU[0000] Tearing down network namespace at /run/user/1008/netns/cni-1eb2c959-b2d4-774d-353b-034e1d40e580 for container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f 
DEBU[0000] Successfully cleaned up container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f 
DEBU[0000] Container 621692346e06dc3963b8413f348f269cf1103bd8619fa513a28c63a70e05790f storage is already unmounted, skipping... 
DEBU[0000] Called run.PersistentPostRunE(podman --log-level=debug run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range=0 0 --rootfs /tmp/tmp.AiOUpA1VHz/mntdir_normal:O echo success) 
[testuser@laptop podman]$

Test with rootfs from a squashfuse mount (result: failure)

[testuser@laptop podman]$ podman --log-level=debug run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range="0 0" --rootfs /tmp/tmp.AiOUpA1VHz/mntdir_squashfuse:O echo success
INFO[0000] podman filtering at log level debug          
DEBU[0000] Called run.PersistentPreRunE(podman --log-level=debug run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range=0 0 --rootfs /tmp/tmp.AiOUpA1VHz/mntdir_squashfuse:O echo success) 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Merged system config "/home/testuser/containers.conf" 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Using conmon: "/home/testuser/output/bin/conmon" 
DEBU[0000] Initializing boltdb state at /home/testuser/.local/share/containers/storage/libpod/bolt_state.db 
DEBU[0000] Using graph driver overlay                   
DEBU[0000] Using graph root /home/testuser/.local/share/containers/storage 
DEBU[0000] Using run root /run/user/1008/containers     
DEBU[0000] Using static dir /home/testuser/.local/share/containers/storage/libpod 
DEBU[0000] Using tmp dir /run/user/1008/libpod/tmp      
DEBU[0000] Using volume path /home/testuser/.local/share/containers/storage/volumes 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Cached value indicated that metacopy is not being used 
DEBU[0000] Cached value indicated that native-diff is usable 
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=true, usingMetacopy=false 
DEBU[0000] Initializing event backend journald          
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument 
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument 
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument 
DEBU[0000] Using OCI runtime "/home/testuser/output/bin/crun" 
INFO[0000] Setting parallel job count to 25             
DEBU[0000] using systemd mode: false                    
DEBU[0000] No hostname set; container's hostname will default to runtime default 
DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json" 
DEBU[0000] Allocated lock 12 for container 13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42 
DEBU[0000] Created container "13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42" 
DEBU[0000] Container "13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42" has work directory "/home/testuser/.local/share/containers/storage/overlay-containers/13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42/userdata" 
DEBU[0000] Container "13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42" has run directory "/run/user/1008/containers/overlay-containers/13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42/userdata" 
DEBU[0000] Not attaching to stdin                       
DEBU[0000] Made network namespace at /run/user/1008/netns/cni-d13b9629-9a43-f186-1bf3-8d8c4e58b8e5 for container 13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42 
DEBU[0000] slirp4netns command: /home/testuser/output/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp --enable-ipv6 -c -e 3 -r 4 --netns-type=path /run/user/1008/netns/cni-d13b9629-9a43-f186-1bf3-8d8c4e58b8e5 tap0 
DEBU[0000] Created root filesystem for container 13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42 at /run/user/1008/containers/overlay-containers/13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42/rootfs/merge 
DEBU[0000] /etc/system-fips does not exist on host, not mounting FIPS mode subscription 
DEBU[0000] Setting CGroups for container 13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42 to user.slice:libpod:13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42 
DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d 
DEBU[0000] Workdir "/" resolved to host path "/run/user/1008/containers/overlay-containers/13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42/rootfs/merge" 
DEBU[0000] Created OCI spec for container 13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42 at /home/testuser/.local/share/containers/storage/overlay-containers/13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42/userdata/config.json 
DEBU[0000] /home/testuser/output/bin/conmon messages will be logged to syslog 
DEBU[0000] running conmon: /home/testuser/output/bin/conmon  args="[--api-version 1 -c 13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42 -u 13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42 -r /home/testuser/output/bin/crun -b /home/testuser/.local/share/containers/storage/overlay-containers/13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42/userdata -p /run/user/1008/containers/overlay-containers/13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42/userdata/pidfile -n busy_poincare --exit-dir /run/user/1008/libpod/tmp/exits --full-attach -s -l journald --log-level debug --syslog --conmon-pidfile /run/user/1008/containers/overlay-containers/13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42/userdata/conmon.pid --exit-command /home/testuser/output/bin/podman --exit-command-arg --root --exit-command-arg /home/testuser/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /run/user/1008/containers --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/user/1008/libpod/tmp --exit-command-arg --cni-config-dir --exit-command-arg /home/testuser/.config/cni/net.d --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg --syslog --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg 13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42]"
[conmon:d]: failed to write to /proc/self/oom_score_adj: Permission denied

DEBU[0000] Received: -1                                 
DEBU[0000] Cleaning up container 13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42 
DEBU[0000] Tearing down network namespace at /run/user/1008/netns/cni-d13b9629-9a43-f186-1bf3-8d8c4e58b8e5 for container 13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42 
DEBU[0000] Removing container 13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42 
DEBU[0000] Removing all exec sessions for container 13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42 
DEBU[0000] Cleaning up container 13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42 
DEBU[0000] Network is already cleaned up, skipping...   
DEBU[0000] Container 13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42 storage is already unmounted, skipping... 
DEBU[0000] Container 13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42 storage is already unmounted, skipping... 
DEBU[0000] ExitCode msg: "open `/run/user/1008/containers/overlay-containers/13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42/rootfs/merge/.containerenv`: no such file or directory: oci runtime attempted to invoke a command that was not found" 
Error: open `/run/user/1008/containers/overlay-containers/13aa9ba3231049925f7c41b263d8c0a30c956a711f68f587c046a26eb4725d42/rootfs/merge/.containerenv`: No such file or directory: OCI runtime attempted to invoke a command that was not found
[testuser@laptop podman]$

In the first terminal window where the script test.bash is running there is now some debug output from squashfuse.

unique: 4, opcode: GETATTR (3), nodeid: 1, insize: 56, pid: 22805
getattr /
   unique: 4, success, outsize: 120
unique: 6, opcode: STATFS (17), nodeid: 1, insize: 40, pid: 22804
   unique: 6, success, outsize: 96
unique: 8, opcode: LOOKUP (1), nodeid: 1, insize: 44, pid: 22804
LOOKUP /etc
getattr /etc
   NODEID: 2
   unique: 8, success, outsize: 144
unique: 10, opcode: GETXATTR (22), nodeid: 2, insize: 68, pid: 22804
getxattr /etc user.overlay.origin 0
   unique: 10, error: -61 (No data available), outsize: 16
unique: 12, opcode: LOOKUP (1), nodeid: 2, insize: 47, pid: 22804
LOOKUP /etc/passwd
getattr /etc/passwd
   NODEID: 3
   unique: 12, success, outsize: 144
unique: 14, opcode: GETXATTR (22), nodeid: 3, insize: 70, pid: 22804
getxattr /etc/passwd user.overlay.metacopy 0
   unique: 14, error: -61 (No data available), outsize: 16
unique: 16, opcode: LOOKUP (1), nodeid: 2, insize: 46, pid: 22804
LOOKUP /etc/group
getattr /etc/group
   NODEID: 4
   unique: 16, success, outsize: 144
unique: 18, opcode: GETXATTR (22), nodeid: 4, insize: 70, pid: 22804
getxattr /etc/group user.overlay.metacopy 0
   unique: 18, error: -61 (No data available), outsize: 16
unique: 20, opcode: OPEN (14), nodeid: 3, insize: 48, pid: 22804
open flags: 0x4048000 /etc/passwd
   open[94892755271120] flags: 0x4048000 /etc/passwd
   unique: 20, success, outsize: 32
unique: 22, opcode: OPEN (14), nodeid: 4, insize: 48, pid: 22804
open flags: 0x4048000 /etc/group
   open[94892755271200] flags: 0x4048000 /etc/group
   unique: 22, success, outsize: 32
unique: 24, opcode: READ (15), nodeid: 3, insize: 80, pid: 22804
read[94892755271120] 4096 bytes from 0 flags: 0x4048000
   read[94892755271120] 1172 bytes from 0
   unique: 24, success, outsize: 1188
unique: 26, opcode: FLUSH (25), nodeid: 3, insize: 64, pid: 22813
   unique: 26, error: -38 (Function not implemented), outsize: 16
unique: 28, opcode: READ (15), nodeid: 4, insize: 80, pid: 22804
read[94892755271200] 4096 bytes from 0 flags: 0x4048000
   read[94892755271200] 697 bytes from 0
   unique: 28, success, outsize: 713
unique: 30, opcode: RELEASE (18), nodeid: 4, insize: 64, pid: 0
release[94892755271200] flags: 0x4048000
   unique: 30, success, outsize: 16
unique: 32, opcode: RELEASE (18), nodeid: 3, insize: 64, pid: 0
release[94892755271120] flags: 0x4048000
   unique: 32, success, outsize: 16
unique: 34, opcode: LOOKUP (1), nodeid: 2, insize: 45, pid: 22804
LOOKUP /etc/mtab
getattr /etc/mtab
   NODEID: 5
   unique: 34, success, outsize: 144
unique: 36, opcode: GETATTR (3), nodeid: 3, insize: 56, pid: 22799
getattr /etc/passwd
   unique: 36, success, outsize: 120
unique: 38, opcode: GETATTR (3), nodeid: 4, insize: 56, pid: 22799
getattr /etc/group
   unique: 38, success, outsize: 120
unique: 40, opcode: OPEN (14), nodeid: 3, insize: 48, pid: 22799
open flags: 0x4048000 /etc/passwd
   open[94892755271120] flags: 0x4048000 /etc/passwd
   unique: 40, success, outsize: 32
unique: 42, opcode: OPEN (14), nodeid: 4, insize: 48, pid: 22799
open flags: 0x4048000 /etc/group
   open[94892755271200] flags: 0x4048000 /etc/group
   unique: 42, success, outsize: 32
unique: 44, opcode: RELEASE (18), nodeid: 4, insize: 64, pid: 0
release[94892755271200] flags: 0x4048000
   unique: 44, success, outsize: 16
unique: 46, opcode: RELEASE (18), nodeid: 3, insize: 64, pid: 0
release[94892755271120] flags: 0x4048000
   unique: 46, success, outsize: 16
unique: 48, opcode: LOOKUP (1), nodeid: 1, insize: 44, pid: 22799
LOOKUP /dev
getattr /dev
   NODEID: 6
   unique: 48, success, outsize: 144
unique: 50, opcode: GETXATTR (22), nodeid: 6, insize: 68, pid: 22799
getxattr /dev user.overlay.origin 0
   unique: 50, error: -61 (No data available), outsize: 16
unique: 52, opcode: LOOKUP (1), nodeid: 1, insize: 45, pid: 22819
LOOKUP /proc
getattr /proc
   NODEID: 7
   unique: 52, success, outsize: 144
unique: 54, opcode: GETXATTR (22), nodeid: 7, insize: 68, pid: 22819
getxattr /proc user.overlay.origin 0
   unique: 54, error: -61 (No data available), outsize: 16
unique: 56, opcode: OPENDIR (27), nodeid: 7, insize: 48, pid: 22819
opendir flags: 0x48000 /proc
   opendir[94892755271120] flags: 0x48000 /proc
   unique: 56, success, outsize: 32
unique: 58, opcode: RELEASEDIR (29), nodeid: 7, insize: 64, pid: 0
releasedir[94892755271120] flags: 0x0
   unique: 58, success, outsize: 16
unique: 60, opcode: LOOKUP (1), nodeid: 1, insize: 44, pid: 22819
LOOKUP /sys
getattr /sys
   NODEID: 8
   unique: 60, success, outsize: 144
unique: 62, opcode: GETXATTR (22), nodeid: 8, insize: 68, pid: 22819
getxattr /sys user.overlay.origin 0
   unique: 62, error: -61 (No data available), outsize: 16
unique: 64, opcode: OPENDIR (27), nodeid: 8, insize: 48, pid: 22819
opendir flags: 0x48000 /sys
   opendir[94892755271120] flags: 0x48000 /sys
   unique: 64, success, outsize: 32
unique: 66, opcode: RELEASEDIR (29), nodeid: 8, insize: 64, pid: 0
releasedir[94892755271120] flags: 0x0
   unique: 66, success, outsize: 16
unique: 68, opcode: LOOKUP (1), nodeid: 1, insize: 44, pid: 22819
LOOKUP /dev
getattr /dev
   NODEID: 6
   unique: 68, success, outsize: 144
unique: 70, opcode: LOOKUP (1), nodeid: 1, insize: 44, pid: 22819
LOOKUP /dev
getattr /dev
   NODEID: 6
   unique: 70, success, outsize: 144
unique: 72, opcode: LOOKUP (1), nodeid: 1, insize: 44, pid: 22819
LOOKUP /run
getattr /run
   NODEID: 9
   unique: 72, success, outsize: 144
unique: 74, opcode: GETXATTR (22), nodeid: 9, insize: 68, pid: 22819
getxattr /run user.overlay.origin 0
   unique: 74, error: -61 (No data available), outsize: 16
unique: 76, opcode: LOOKUP (1), nodeid: 9, insize: 54, pid: 22819
LOOKUP /run/.containerenv
getattr /run/.containerenv
   unique: 76, error: -2 (No such file or directory), outsize: 16
unique: 78, opcode: LOOKUP (1), nodeid: 1, insize: 44, pid: 22819
LOOKUP /run
getattr /run
   NODEID: 9
   unique: 78, success, outsize: 144
unique: 80, opcode: LISTXATTR (23), nodeid: 9, insize: 48, pid: 22819
listxattr /run 0
   unique: 80, success, outsize: 24
unique: 82, opcode: LISTXATTR (23), nodeid: 9, insize: 48, pid: 22819
listxattr /run 16
   unique: 82, success, outsize: 32

An observation while repeating the test with the squashfuse mount is that the
failure is not deterministic. Sometime it can look like this:

DEBU[0000] ExitCode msg: "mkdir `secrets`: no data available: oci runtime error" 
Error: OCI runtime error: mkdir `secrets`: No data available

After that I tried out a few different command-line options for squashfuse :

Add the command-line option -o allow_other to squashfuse but the test still fails.
Add the command-line option -o allow_root to squashfuse but the test still fails.

Comparing the mount directories

The mount directories look similar

[testuser@laptop ~]$ find /tmp/tmp.AiOUpA1VHz/mntdir_squashfuse| wc -l
494
[testuser@laptop ~]$ find /tmp/tmp.AiOUpA1VHz/mntdir_squashfuse -user testuser -group testuser | wc -l
494
[testuser@laptop ~]$ find /tmp/tmp.AiOUpA1VHz/mntdir_normal | wc -l
494
[testuser@laptop ~]$ find /tmp/tmp.AiOUpA1VHz/mntdir_normal -user testuser -group testuser | wc -l
494
[testuser@laptop ~]$ diff  -r --no-dereference  /tmp/tmp.AiOUpA1VHz/mntdir_normal  /tmp/tmp.AiOUpA1VHz/mntdir_squashfuse
[testuser@laptop ~]$ str="%p %u %U %g %G %m %s\n"
[testuser@laptop ~]$ (cd /tmp/tmp.AiOUpA1VHz/mntdir_normal && find . -type f -printf "$str" | sort > /tmp/normal.txt)
[testuser@laptop ~]$ (cd /tmp/tmp.AiOUpA1VHz/mntdir_squashfuse && find . -type f -printf "$str" | sort > /tmp/squashfuse.txt)
[testuser@laptop ~]$ diff /tmp/normal.txt /tmp/squashfuse.txt
[testuser@laptop ~]$

eriksjolund Nov 14, 2021
Author

A new test. I verified that it works with another FUSE filesystem (bindfs).

bindfs is a FUSE filesystem for mounting a directory to another location, similarly to mount --bind
quote from
https://bindfs.org/

I installed bindfs with
sudo dnf install -y bindfs
and tried it out with this Bash script

#!/bin/bash

set -o errexit
set -o nounset

dir=$(mktemp -d)

mntdir_bindfs=$dir/mntdir_bindfs
tarfile=$dir/image.tar
untardir=$dir/untardir
squashfile=$dir/squashfile

mkdir $mntdir_bindfs
mkdir $untardir

image=docker.io/library/alpine

podman export $(podman create $image) --output $tarfile
tar -xf $tarfile -C $untardir

bindfs --no-allow-other $untardir $mntdir_bindfs
mount | grep $mntdir_bindfs

podman --log-level=debug run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range="0 0" --rootfs $mntdir_bindfs:O echo success

Run bash test-bindfs.sh

[testuser@laptop ~]$ bash test-bindfs.sh
/tmp/tmp.JnUNRHM3QX/untardir on /tmp/tmp.JnUNRHM3QX/mntdir_bindfs type fuse (rw,nosuid,nodev,relatime,user_id=1008,group_id=1008,default_permissions)
INFO[0000] podman filtering at log level debug          
DEBU[0000] Called run.PersistentPreRunE(podman --log-level=debug run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range=0 0 --rootfs /tmp/tmp.JnUNRHM3QX/mntdir_bindfs:O echo success) 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Merged system config "/home/testuser/containers.conf" 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Using conmon: "/home/testuser/output/bin/conmon" 
DEBU[0000] Initializing boltdb state at /home/testuser/.local/share/containers/storage/libpod/bolt_state.db 
DEBU[0000] Using graph driver overlay                   
DEBU[0000] Using graph root /home/testuser/.local/share/containers/storage 
DEBU[0000] Using run root /run/user/1008/containers     
DEBU[0000] Using static dir /home/testuser/.local/share/containers/storage/libpod 
DEBU[0000] Using tmp dir /run/user/1008/libpod/tmp      
DEBU[0000] Using volume path /home/testuser/.local/share/containers/storage/volumes 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Cached value indicated that metacopy is not being used 
DEBU[0000] Cached value indicated that native-diff is usable 
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=true, usingMetacopy=false 
DEBU[0000] Initializing event backend journald          
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument 
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument 
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument 
DEBU[0000] Using OCI runtime "/home/testuser/output/bin/crun" 
INFO[0000] Setting parallel job count to 25             
DEBU[0000] using systemd mode: false                    
DEBU[0000] No hostname set; container's hostname will default to runtime default 
DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json" 
DEBU[0000] Allocated lock 46 for container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 
DEBU[0000] Created container "67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926" 
DEBU[0000] Container "67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926" has work directory "/home/testuser/.local/share/containers/storage/overlay-containers/67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926/userdata" 
DEBU[0000] Container "67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926" has run directory "/run/user/1008/containers/overlay-containers/67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926/userdata" 
DEBU[0000] Not attaching to stdin                       
DEBU[0000] Made network namespace at /run/user/1008/netns/cni-ec701e0d-7f9b-eaa7-bcac-dc362634ec90 for container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 
DEBU[0000] slirp4netns command: /home/testuser/output/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp --enable-ipv6 -c -e 3 -r 4 --netns-type=path /run/user/1008/netns/cni-ec701e0d-7f9b-eaa7-bcac-dc362634ec90 tap0 
DEBU[0000] Created root filesystem for container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 at /run/user/1008/containers/overlay-containers/67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926/rootfs/merge 
DEBU[0000] /etc/system-fips does not exist on host, not mounting FIPS mode subscription 
DEBU[0000] Setting CGroups for container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 to user.slice:libpod:67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 
DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d 
DEBU[0000] Workdir "/" resolved to host path "/run/user/1008/containers/overlay-containers/67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926/rootfs/merge" 
DEBU[0000] Created OCI spec for container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 at /home/testuser/.local/share/containers/storage/overlay-containers/67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926/userdata/config.json 
DEBU[0000] /home/testuser/output/bin/conmon messages will be logged to syslog 
DEBU[0000] running conmon: /home/testuser/output/bin/conmon  args="[--api-version 1 -c 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 -u 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 -r /home/testuser/output/bin/crun -b /home/testuser/.local/share/containers/storage/overlay-containers/67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926/userdata -p /run/user/1008/containers/overlay-containers/67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926/userdata/pidfile -n sharp_allen --exit-dir /run/user/1008/libpod/tmp/exits --full-attach -s -l journald --log-level debug --syslog --conmon-pidfile /run/user/1008/containers/overlay-containers/67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926/userdata/conmon.pid --exit-command /home/testuser/output/bin/podman --exit-command-arg --root --exit-command-arg /home/testuser/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /run/user/1008/containers --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/user/1008/libpod/tmp --exit-command-arg --cni-config-dir --exit-command-arg /home/testuser/.config/cni/net.d --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg --syslog --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926]"
[conmon:d]: failed to write to /proc/self/oom_score_adj: Permission denied

DEBU[0000] Received: 25940                              
INFO[0000] Got Conmon PID as 25937                      
DEBU[0000] Created container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 in OCI runtime 
DEBU[0000] Attaching to container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 
DEBU[0000] Starting container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 with command [echo success] 
DEBU[0000] Started container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 
INFO[0000] Received shutdown.Stop(), terminating!        PID=25919
success
DEBU[0000] Enabling signal proxying                     
DEBU[0000] Checking if container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 should restart 
DEBU[0000] Removing container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 
DEBU[0000] Removing all exec sessions for container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 
DEBU[0000] Cleaning up container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 
DEBU[0000] Tearing down network namespace at /run/user/1008/netns/cni-ec701e0d-7f9b-eaa7-bcac-dc362634ec90 for container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 
DEBU[0000] Successfully cleaned up container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 
DEBU[0000] Container 67c7932b192fabf0bf39e16659067871b09a5f6f9874facab1e48f02da7aa926 storage is already unmounted, skipping... 
DEBU[0000] Called run.PersistentPostRunE(podman --log-level=debug run --security-opt label=disable --rm --sysctl net.ipv4.ping_group_range=0 0 --rootfs /tmp/tmp.JnUNRHM3QX/mntdir_bindfs:O echo success) 
[testuser@laptop ~]$

eriksjolund · 2021-11-19T19:10:10Z

eriksjolund
Nov 19, 2021
Author

First success!
After adding -no-xattr to the mksquashfs command it started to work.

test.sh

#!/bin/bash

set -o errexit
set -o nounset

dir=$(mktemp -d)

mntdir_squashfuse=$dir/mntdir_squashfuse
tarfile=$dir/image.tar
untardir=$dir/untardir
squashfile=$dir/squashfile

mkdir $mntdir_squashfuse
mkdir $untardir

image=docker.io/library/alpine

podman export $(podman create $image) --output $tarfile
tar -xf $tarfile -C $untardir
mksquashfs $untardir $squashfile -no-xattrs -quiet -no-progress

squashfuse -o default_permissions $squashfile $mntdir_squashfuse
podman run \
         --security-opt label=disable \
         --rm \
         --sysctl net.ipv4.ping_group_range="0 0" \
         --rootfs $mntdir_squashfuse:O \
           echo success
fusermount -u $mntdir_squashfuse

run bash test.sh

$ bash test.sh
success
$

I guess it would be better not to disable xattr and also not to force a single UID (by untarring as a non-privileged user) but at least this is a start.

3 replies

eriksjolund Nov 20, 2021
Author

The script can be simplified by using the command sqfstar that converts tar to squashfs.

test2.sh

#!/bin/bash

set -o errexit
set -o nounset

dir=$(mktemp -d)

mntdir_squashfuse=$dir/mntdir_squashfuse
squashfile=$dir/squashfile

mkdir $mntdir_squashfuse
image=docker.io/library/alpine

podman export $(podman create $image) | sqfstar \
     -quiet \
     -no-progress \
     -force-uid $(id -u) \
     -force-gid $(id -g) \
     -root-mode 555 \
     $squashfile

squashfuse -o default_permissions $squashfile $mntdir_squashfuse

podman run \
         --security-opt label=disable \
         --rm \
         --sysctl net.ipv4.ping_group_range="0 0" \
         --rootfs $mntdir_squashfuse:O \
           echo success

fusermount -u $mntdir_squashfuse

(I didn't have to add the command-line option -no-xattrs to sqfstar)

$ bash test2.sh
success
$

To avoid the command-line options -force-uid $(id -u) -force-gid $(id -g) -root-mode 555
I think a new squashfuse command-line option is needed
that would map the UIDs in the squashfs file to the user's subordinate UIDs.

eriksjolund Nov 20, 2021
Author

Here is an experiment that adds the option subid to libfuse
eriksjolund/libfuse@ddc949d

branch:
https://github.com/eriksjolund/libfuse/commits/add_subid_option

UIDs are mapped to the user's UID and the user's subordinate UIDs.
GIDs are mapped to the user's GID and the user's subordinate GIDs.

The library libsubid is used to retrieve the subordinate IDs for the user.

test-with-new-libfuse-option.sh

#!/bin/bash

set -o errexit
set -o nounset

dir=$(mktemp -d)

mntdir_squashfuse=$dir/mntdir_squashfuse
squashfile=$dir/squashfile

mkdir $mntdir_squashfuse
image=docker.io/library/alpine

podman export $(podman create $image) | sqfstar \
     -quiet \
     -no-progress \
     -root-mode 555 \
     $squashfile

squashfuse -o subid -o default_permissions $squashfile $mntdir_squashfuse

podman run \
         --rm \
         --rootfs $mntdir_squashfuse:O \
         /bin/sh -c "ls -l /etc/shadow /etc/alpine-release"

fusermount3 -u $mntdir_squashfuse

Run bash test-with-new-libfuse-option.sh

$ bash test-with-new-libfuse-option.sh
-rw-r--r--    1 root     root             7 Aug 27 11:05 /etc/alpine-release
-rw-r-----    1 root     shadow         422 Aug 27 11:05 /etc/shadow
$

The example shows two files that have different group ownership.

eriksjolund Nov 21, 2021
Author

Thinking a bit more about it. Instead of a new option subid, what probably is needed are
two new options subid_uidmap and subid_gidmap that both can be specified multiple times.
I guess they would be needed when the user for instance specifies --uidmap=, --gidmap= or --userns=keep-id to the command
podman run.

(Another thing: Oops I see that I hard-coded the username "testuser" in eriksjolund/libfuse@ddc949d)

rhatdan · 2021-11-19T19:17:14Z

rhatdan
Nov 19, 2021
Maintainer

Sure you should be able to untar inside of a user namespace and use multiple UIDs.

podman unshare untar ...

Xattrs will could effect setfcap
apps, but probably not much else.

0 replies

rhatdan · 2021-11-19T19:17:37Z

rhatdan
Nov 19, 2021
Maintainer

Once you get this done, it would probably make a good Blog.

1 reply

eriksjolund Nov 19, 2021
Author

Yes, I thought about writing something about it.

Another idea regarding this could be to try to run Singularity images

Quote fstype: Squashfs from
https://github.com/hpcng/sif/blob/97e1efd5744e3fd5a8bdb18169d312c387d885c9/pkg/sif/sif.go#L45

Probably there are some caveats but maybe it could work to some degree.

How to to use "--rootfs ./dir:O" when dir is a squashfuse mount point? #12146

Uh oh!

Uh oh!

eriksjolund Oct 31, 2021

Replies: 4 comments · 11 replies

Uh oh!

rhatdan Nov 1, 2021 Maintainer

Uh oh!

flouthoc Nov 2, 2021 Maintainer

Uh oh!

giuseppe Nov 2, 2021 Maintainer

Uh oh!

Uh oh!

eriksjolund Nov 2, 2021 Author

Uh oh!

eriksjolund Nov 7, 2021 Author

Test with rootfs from a normal squahfs mount (result: success)

Test with rootfs from a squashfuse mount (result: failure)

Comparing the mount directories

Uh oh!

eriksjolund Nov 14, 2021 Author

Uh oh!

eriksjolund Nov 19, 2021 Author

Uh oh!

Uh oh!

eriksjolund Nov 20, 2021 Author

Uh oh!

eriksjolund Nov 20, 2021 Author

Uh oh!

eriksjolund Nov 21, 2021 Author

Uh oh!

rhatdan Nov 19, 2021 Maintainer

Uh oh!

rhatdan Nov 19, 2021 Maintainer

Uh oh!

Uh oh!

eriksjolund Nov 19, 2021 Author

eriksjolund
Oct 31, 2021

Replies: 4 comments 11 replies

rhatdan
Nov 1, 2021
Maintainer

flouthoc Nov 2, 2021
Maintainer

giuseppe Nov 2, 2021
Maintainer

eriksjolund Nov 2, 2021
Author

eriksjolund Nov 7, 2021
Author

eriksjolund Nov 14, 2021
Author

eriksjolund
Nov 19, 2021
Author

eriksjolund Nov 20, 2021
Author

eriksjolund Nov 20, 2021
Author

eriksjolund Nov 21, 2021
Author

rhatdan
Nov 19, 2021
Maintainer

rhatdan
Nov 19, 2021
Maintainer

eriksjolund Nov 19, 2021
Author