Checking EXT4_FS_SECURITY for overlay by bobrik · Pull Request #10418 · moby/moby · GitHub
Checking EXT4_FS_SECURITY for overlay #10418

Merged
merged 1 commit into from
Feb 19, 2015

bobrik
Contributor
@bobrik bobrik commented Jan 28, 2015

strace:

[pid  8769] lgetxattr("/var/lib/docker/overlay/511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158/root", "security.capability" <unfinished ...>
[pid  8769] <... lgetxattr resumed> , 0xc2086c5b80, 128) = -1 EOPNOTSUPP (Operation not supported)

docker logs:

Error pulling image (latest) from busybox, operation not supported

I was running overlayfs on top of ext4.

cc @jfrazelle.

@jessfraz
Contributor

LGTM

@tianon
Member
tianon commented Jan 28, 2015

Are we sure that this really is only necessary for overlay users? Do we have an easy way to test that and make sure it's not necessary elsewhere? Also, what about people who aren't using ext4, but are still using overlay?

@jessfraz
Contributor

hmm yes that is true I always forget about the other FS's

On Wed, Jan 28, 2015 at 11:24 AM, Tianon Gravi notifications@github.com
wrote:

Are we sure that this really is only necessary for overlay users? Do we
have an easy way to test that and make sure it's not necessary elsewhere?
Also, what about people who aren't using ext4, but are still using overlay?


@bobrik
Contributor Author
bobrik commented Jan 28, 2015

Maybe docker should warn about missing kernel features on start like it fails with overlay on top of btrfs. Even a little hint in the error message would help a lot for systems where kernels are compiled from who knows what.

@unclejack
Contributor

Based on unclejack/boot2docker@0108e1f, CONFIG_EXT4_FS_POSIX_ACL might also be required.

@unclejack
Contributor

@bobrik Do you want to update this to include CONFIG_EXT4_FS_POSIX_ACL as well?

Signed-off-by: Ian Babrou <ibobrik@gmail.com>
@bobrik bobrik force-pushed the overlay-kernel-checks branch from 2228ae2 to a6c6d8b Compare February 5, 2015 14:41
@bobrik
Contributor Author
bobrik commented Feb 5, 2015

@unclejack updated!

@unclejack
Contributor

@bobrik Thank you!

LGTM

@jessfraz
Contributor
jessfraz commented Feb 6, 2015

ping @tianon

@tianon
Member
tianon commented Feb 9, 2015

Are we sure that this really is only necessary for overlay users? Do we have an easy way to test that and make sure it's not necessary elsewhere? Also, what about people who aren't using ext4, but are still using overlay?

I'm still not sure I'm 100% comfortable with hard-coding EXT4 bits in our check-config script as "required" no matter which FS you're using underneath. It's a reasonable assumption right now, but likely won't continue to be.

Any ideas for how we can reconcile this sanely, @jfrazelle? 😞

@unclejack
Contributor

@tianon ext4 is a file system known to work with overlay. Perhaps these flags could be listed for each file system? (e.g. overlay+ext4 -> all deps are there, overlay+xfs -> missing xfs config option and so on)

@tianon
Member
tianon commented Feb 9, 2015

Do we have anyone testing graph drivers on XFS right now?

So, you're thinking something like this, right?

- Storage Drivers:
  - "aufs":
    - CONFIG_AUFS_FS: missing
      (note that some kernels include AUFS patches but not the AUFS_FS flag)
    - ext4:
      - CONFIG_EXT4_FS_POSIX_ACL: enabled
      - CONFIG_EXT4_FS_SECURITY: enabled
    - xfs:
      - CONFIG_XFS_...: missing
 ...

@unclejack
Copy link
Contributor

@tianon Yes, that's what I had in mind. I'm not sure what's the status for overlay on xfs in the kernel or if it needs some special options, but I know there are a lot of people waiting to use overlay on xfs.

Having those file systems written down with their names also sends a clear message: these are the file systems you need for overlay, everything else might not work and might eat your data TM.

edit: devicemapper also works with xfs, so that's something to keep in mind. We probably want to do the same thing there as well and have a shared function for this file system feature checking code to use in both places.
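
The per-filesystem layout sketched in the two comments above, as an added shell example (not code from this pull request or from Docker's check-config script). The ext4 flag list is the one named in this thread; the function names and the sample kernel config are constructed, and a filesystem with no list is reported as unverified rather than guessed.

```shell
# Added example, not part of the pull request. The ext4 flag list is the one
# named in this thread; function names and the sample config are constructed.

# Print the state of one CONFIG_ flag found in a kernel config file.
flag_state() {
	if grep -q "^CONFIG_$2=y\$" "$1"; then
		echo "enabled"
	elif grep -q "^CONFIG_$2=m\$" "$1"; then
		echo "enabled (as module)"
	else
		echo "missing"
	fi
}

# Flags required on the backing filesystem; empty when no list is known.
fs_flags() {
	case $1 in
		ext4) echo "EXT4_FS_POSIX_ACL EXT4_FS_SECURITY" ;;
		*) echo "" ;;
	esac
}

# Report the flags for one backing filesystem. Returns 1 when a flag is
# missing or when the filesystem has no known flag list.
check_backing_fs() {
	cfg=$1 fs=$2 rc=0
	echo "    - $fs:"
	flags=$(fs_flags "$fs")
	if [ -z "$flags" ]; then
		echo "      - no known flag list, not verified"
		return 1
	fi
	for flag in $flags; do
		state=$(flag_state "$cfg" "$flag")
		echo "      - CONFIG_$flag: $state"
		if [ "$state" = "missing" ]; then rc=1; fi
	done
	return "$rc"
}

# Constructed sample config: ACL support present, EXT4_FS_SECURITY unset.
sample_config=$(mktemp)
trap 'rm -f "$sample_config"' EXIT
printf '%s\n' 'CONFIG_OVERLAY_FS=m' 'CONFIG_EXT4_FS_POSIX_ACL=y' \
	'# CONFIG_EXT4_FS_SECURITY is not set' > "$sample_config"

echo '  - "overlay":'
echo "    - CONFIG_OVERLAY_FS: $(flag_state "$sample_config" OVERLAY_FS)"
check_backing_fs "$sample_config" ext4 || echo "overlay on ext4: flags not confirmed"
```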

@tianon
Member
tianon commented Feb 9, 2015 via email

@jessfraz
Contributor

soooo what was the verdict here?

@jessfraz
Contributor

oh nm it became a discussion of xfs so merging

jessfraz pushed a commit that referenced this pull request Feb 19, 2015
Checking EXT4_FS_SECURITY for overlay
@jessfraz jessfraz merged commit 55566f2 into moby:master Feb 19, 2015