WIP squashfs-mount rootless, mutable root, bind mount

[simonpintarelli]

• add mutable root option (following strace -f bwrap)
• make --sqfs optional (required for stackinator sandbox)
• add --bind-mount, --tmpfs
• use squashfuse instead of setuid
• if --mutable-root is given, non-existent mount points will be created. It's not checked if they reside in the mutable root, thus allows also to created directories in home.

1. unshare mnt ns, become fake-root
2. optional create mutable root
3. mount tmpfs
4. bind mounts
5. mount sqfs images

TODO: squashfuse is using autotools. Is it possible to write a meson wrapper and install it as subproject?

Benchmark

On daint login node, read a 200 MB binary blob (random numbers) from /dev/shm using dd if=/user-environment/random.bin of=/dev/null.

Curiously the squashfuse version is faster. Setuid squashfs-mount seems to have a high startup cost.

Rootless squashfs-mount

a) squashfs-mount [...] -- hyperfine

Benchmark 1: dd if=/user-environment/random.bin of=/dev/null bs=1M iflag=nocache
Time (mean ± σ):      47.2 ms ±   1.2 ms    [User: 1.3 ms, System: 23.3 ms]
Range (min … max):    44.8 ms …  49.6 ms    62 runs

Adding --mutable-root flag:

Benchmark 1: /capstor/scratch/cscs/simonpi/uenv2/builddir/squashfs-mount --mutable-root --sqfs /dev/shm/simonpi/archive.sqfs:/user-environment -- dd if=/user-environment/random.bin of=/dev/null bs=1M iflag=nocache
  Time (mean ± σ):      61.0 ms ±   3.5 ms    [User: 3.0 ms, System: 26.8 ms]
  Range (min … max):    58.7 ms …  84.0 ms    48 runs
 
  Warning: Statistical outliers were detected. Consider re-running this benchmark on a quiet system without any interferences from other programs. It might help to use the '--warmup' or '--prepare' options.

b) hyperfine "squashfs-mount [...]"

Benchmark 1: /capstor/scratch/cscs/simonpi/uenv2/builddir/squashfs-mount --sqfs /dev/shm/simonpi/archive.sqfs:/user-environment -- dd if=/user-environment/random.bin of=/dev/null bs=1M iflag=nocache
 Time (mean ± σ):      54.8 ms ±   1.2 ms    [User: 2.1 ms, System: 26.7 ms]
 Range (min … max):    52.5 ms …  58.5 ms    55 runs

Setuid squashfs-mount

a) squashfs-mount [...] -- hyperfine

[daint][simonpi@daint-ln001 ~]$ hyperfine --warmup 5 --style basic "dd if=/user-environment/random.bin of=/dev/null bs=1M iflag=nocache"
Benchmark 1: dd if=/user-environment/random.bin of=/dev/null bs=1M iflag=nocache
  Time (mean ± σ):      85.7 ms ±   0.4 ms    [User: 0.9 ms, System: 61.7 ms]
  Range (min … max):    84.7 ms …  86.2 ms    34 runs

b) hyperfine "squashfs-mount [...]"

[daint][simonpi@daint-ln001 ~]$ hyperfine --warmup 5 --style basic "/usr/bin/squashfs-mount /dev/shm/simonpi/archive.sqfs:/user-environment -- dd if=/user-environment/random.bin of=/dev/null bs=1M iflag=nocache"
Benchmark 1: /usr/bin/squashfs-mount /dev/shm/simonpi/archive.sqfs:/user-environment -- dd if=/user-environment/random.bin of=/dev/null bs=1M iflag=nocache
  Time (mean ± σ):     236.3 ms ±  14.3 ms    [User: 0.0 ms, System: 79.1 ms]
  Range (min … max):   198.8 ms … 249.0 ms    12 runs

[simonpintarelli]

unshare --mount --map-root-user true

gives

unshare: write failed /proc/self/uid_map: Operation not permitted

The CI needs a workaround.