Comments (33)
yann-soubeyrand
commented on May 31, 2024
I forgot to mention that using Docker instead of Podman works as expected.
from fuse-overlayfs.
rhatdan
commented on May 31, 2024
@giuseppe is this one of the bugs you fixed in fuse-overlay?
from fuse-overlayfs.
rhatdan
commented on May 31, 2024
I would bet it works well with root podman as well.
from fuse-overlayfs.
giuseppe
commented on May 31, 2024
I think this is already fixed, but the rpm didn't hit Stable yet. Could you try with https://bodhi.fedoraproject.org/updates/FEDORA-2019-ed81918b28 ?
from fuse-overlayfs.
yann-soubeyrand
commented on May 31, 2024
@giuseppe how can I test this package safely on Silverblue ?
from fuse-overlayfs.
rhatdan
commented on May 31, 2024
@yann-soubeyrand I think you can download it and install it as a layered package using rpm-ostree.
I just tried it on Fedora 31 and the package installed correctly with the update fuse-overlayfs.
from fuse-overlayfs.
yann-soubeyrand
commented on May 31, 2024
@rhatdan it won't mess with my underlying ostree when I'll remove the layered package?
from fuse-overlayfs.
rhatdan
commented on May 31, 2024
Nope, that is the way rpm-ostree layering works. They can update independently.
@cgwalters could explain further.
from fuse-overlayfs.
cgwalters
commented on May 31, 2024
This wouldn't be a layer but an override.
Run:
rpm-ostree override replace https://kojipkgs.fedoraproject.org//packages/fuse-overlayfs/0.5.2/3.git4dc60f0.fc30/x86_64/fuse-overlayfs-0.5.2-3.git4dc60f0.fc30.x86_64.rpm
from fuse-overlayfs.
rhatdan
commented on May 31, 2024
Sorry wrong terminology. Thanks @cgwalters
from fuse-overlayfs.
yann-soubeyrand
commented on May 31, 2024
It doesn't work either with fuse-overlayfs 0.5.2-3.git4dc60f0.fc30.
from fuse-overlayfs.
yann-soubeyrand
commented on May 31, 2024
But indeed, it works with root podman.
from fuse-overlayfs.
rhatdan
commented on May 31, 2024
Well maybe you are seeing something different, we don't see this issue with f30.
Are you sure you started a new container and did not just exec into an already running container under toolbox. I don't think the fuse_overlay would be changed in a running container.
Perhaps reboot after replacying the fuse-overlayfs, actually I think that is required on silverblue anyways.
from fuse-overlayfs.
giuseppe
commented on May 31, 2024
I think I know what is going on, it is an issue exposed by recently enabling FUSE writeback. Going to take a look at it
from fuse-overlayfs.
yann-soubeyrand
commented on May 31, 2024
Are you sure you started a new container and did not just exec into an already running container under toolbox. I don't think the fuse_overlay would be changed in a running container.
I don't have toolbox any more as dnf upgrade crashed it. I did a podman run so I was in a brand new container ;-)
Perhaps reboot after replacying the fuse-overlayfs, actually I think that is required on silverblue anyways.
It's indeed mandatory to take the new ostree into account and I did it ;-)
@giuseppe Cool! Working on Silverblue without toolbox is a bit incapacitating :-D
from fuse-overlayfs.
mvala
commented on May 31, 2024
It is not fixed for me
[mvala@localhost ~]$ rpm -q fuse-overlayfs
fuse-overlayfs-0.6-2.git43b641d.fc30.x86_64
[mvala@localhost ~]$ podman run -ti --restart=no --rm fedora
[root@8810c24040b1 /]# dnf install jq -y
Fedora Modular 30 - x86_64 1.3 MB/s | 1.9 MB 00:01
Fedora Modular 30 - x86_64 - Updates 1.5 MB/s | 2.7 MB 00:01
Fedora 30 - x86_64 - Updates 5.2 MB/s | 23 MB 00:04
Fedora 30 - x86_64 4.8 MB/s | 61 MB 00:12
Last metadata expiration check: 0:00:01 ago on Tue Aug 27 05:48:55 2019.
Dependencies resolved.
===============================================================================================================================================================================================================================================
Package Architecture Version Repository Size
===============================================================================================================================================================================================================================================
Installing:
jq x86_64 1.6-2.fc30 fedora 168 k
Installing dependencies:
oniguruma x86_64 6.9.2-2.fc30 updates 193 k
Transaction Summary
===============================================================================================================================================================================================================================================
Install 2 Packages
Total download size: 361 k
Installed size: 1.2 M
Downloading Packages:
(1/2): jq-1.6-2.fc30.x86_64.rpm 667 kB/s | 168 kB 00:00
(2/2): oniguruma-6.9.2-2.fc30.x86_64.rpm 131 kB/s | 193 kB 00:01
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 117 kB/s | 361 kB 00:03
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : oniguruma-6.9.2-2.fc30.x86_64 1/2
Error unpacking rpm package oniguruma-6.9.2-2.fc30.x86_64
Installing : jq-1.6-2.fc30.x86_64 2/2
error: unpacking of archive failed on file /usr/lib/.build-id/1c/7588d6da78dd5888d79f988ab594f6b5abeeb5;5d64c46a: cpio: utime
error: oniguruma-6.9.2-2.fc30.x86_64: install failed
Error unpacking rpm package jq-1.6-2.fc30.x86_64
Verifying : oniguruma-6.9.2-2.fc30.x86_64 1/2
Verifying : jq-1.6-2.fc30.x86_64 2/2
Failed:
oniguruma-6.9.2-2.fc30.x86_64 jq-1.6-2.fc30.x86_64
Error: Transaction failed
from fuse-overlayfs.
mvala
commented on May 31, 2024
Same with
[mvala@localhost ~]$ rpm -q fuse-overlayfs
fuse-overlayfs-0.6.1-2.gitc548530.fc30.x86_64
from fuse-overlayfs.
giuseppe
commented on May 31, 2024
It could be SELinux blocking it. Could you try again with SELinux disabled? We have fixed recently an issue like that, so you might need to update it
from fuse-overlayfs.
mvala
commented on May 31, 2024
Yes, with SELinux disabled it works. Will there be version with SELinux enabled?
from fuse-overlayfs.
rhatdan
commented on May 31, 2024
container-selinux-2.115.0-1.gitfddfbbb.fc30 is the latest available.
from fuse-overlayfs.
mvala
commented on May 31, 2024
Thanks, i still have container-selinux-2.113.0-1.dev.git4f7d6bb.fc30.noarch
from fuse-overlayfs.
rhatdan
commented on May 31, 2024
114 should be in updates testing now, and might have the fix.
dnf -y update --enablerepo=updates-testing container-selinux
from fuse-overlayfs.
mvala
commented on May 31, 2024
I use silverblue and i don't know yet how to enable testing repo in rpm-ostree
from fuse-overlayfs.
cgwalters
commented on May 31, 2024
rpm-ostree rebase fedora/30/x86_64/testing/silverblue should work
from fuse-overlayfs.
yann-soubeyrand
commented on May 31, 2024
Hi,
114 seems not to fix the bug: having container-selinux-2:2.114.0-1.git028ab00.fc30.noarch and fuse-overlayfs-0.6.1-2.gitc548530.fc30.x86_64 on Silverblue 30 and still hitting the bug.
from fuse-overlayfs.
yann-soubeyrand
commented on May 31, 2024
Hi!
I went through the following steps.
- I rebased on testing:
[yann@work-laptop ~]$ rpm-ostree status
State: idle
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: no runs since boot
Deployments:
● ostree://fedora:fedora/30/x86_64/testing/silverblue
Version: 30.20190908.0 (2019-09-08T03:30:48Z)
BaseCommit: 03cd95bb0a3e7eab1823e35febdc88bae8d7b51dd171eb61a021f2557cf3df57
GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9
LayeredPackages: libvirt moby-engine qemu-kvm zsh
LocalPackages: google-chrome-stable-76.0.3809.132-1.x86_64
ostree://fedora:fedora/30/x86_64/silverblue
Version: 30.20190908.0 (2019-09-08T02:33:57Z)
BaseCommit: 13e2ec82239a3d864ad400f3f375dce06c73dd2bbfc2124ae0279ab5f6c849af
GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9
LayeredPackages: libvirt moby-engine qemu-kvm zsh
LocalPackages: google-chrome-stable-76.0.3809.132-1.x86_64
- I cleaned up things:
sudo rm -rf .local/share/containers/. - I created a fresh toolbox:
[yann@work-laptop ~]$ toolbox enter
No toolbox containers found. Create now? [y/N] y
Image required to create toolbox container.
Download registry.fedoraproject.org/f30/fedora-toolbox:30 (500MB)? [y/N]: y
- I tried to install jq from inside the toolbox:
⬢[yann@toolbox yann]$ sudo dnf install jq
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Fedora Modular 30 - x86_64 2.1 MB/s | 2.7 MB 00:01
Fedora Modular 30 - x86_64 - Updates 3.5 MB/s | 3.3 MB 00:00
Fedora 30 - x86_64 - Updates 6.2 MB/s | 20 MB 00:03 :00 ETA
Fedora 30 - x86_64 8.9 MB/s | 70 MB 00:07
Dependencies resolved.
===============================================================================
Package Architecture Version Repository Size
===============================================================================
Installing:
jq x86_64 1.6-2.fc30 fedora 168 k
Installing dependencies:
oniguruma x86_64 6.9.2-2.fc30 updates 193 k
Transaction Summary
===============================================================================
Install 2 Packages
Total download size: 361 k
Installed size: 1.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): oniguruma-6.9.2-2.fc30.x86_64.rpm 1.7 MB/s | 193 kB 00:00
(2/2): jq-1.6-2.fc30.x86_64.rpm 1.3 MB/s | 168 kB 00:00
-------------------------------------------------------------------------------
Total 216 kB/s | 361 kB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : oniguruma-6.9.2-2.fc30.x86_64 1/2
Error unpacking rpm package oniguruma-6.9.2-2.fc30.x86_64
Installing : jq-1.6-2.fc30.x86_64 2/2
error: unpacking of archive failed on file /usr/lib/.build-id/1c/7588d6da78dd5888d79f988ab594f6b5abeeb5;5d74db39: cpio: utime
error: oniguruma-6.9.2-2.fc30.x86_64: install failed
Error unpacking rpm package jq-1.6-2.fc30.x86_64
Verifying : oniguruma-6.9.2-2.fc30.x86_64 1/2
Verifying : jq-1.6-2.fc30.x86_64 2/2
Failed:
oniguruma-6.9.2-2.fc30.x86_64 jq-1.6-2.fc30.x86_64
Error: Transaction failed
From the /var/log/audit/audit.log file, I get:
type=AVC msg=audit(1567939700.806:344): avc: denied { setattr } for pid=11197 comm="fuse-overlayfs" name="273" dev="proc" ino=141291 scontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=0
type=AVC msg=audit(1567939700.809:345): avc: denied { setattr } for pid=11197 comm="fuse-overlayfs" name="273" dev="proc" ino=141291 scontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=0
Did I miss something or is this bug still present?
from fuse-overlayfs.
rhatdan
commented on May 31, 2024
The AVC's indicate you need an updated version of container-selinux.
$ cat > /tmp/t
type=AVC msg=audit(1567939700.806:344): avc: denied { setattr } for pid=11197 comm="fuse-overlayfs" name="273" dev="proc" ino=141291 scontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=0
type=AVC msg=audit(1567939700.809:345): avc: denied { setattr } for pid=11197 comm="fuse-overlayfs" name="273" dev="proc" ino=141291 scontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=0
$ audit2allow -i /tmp/t
#============= container_runtime_t ==============
#!!!! This avc is allowed in the current policy
allow container_runtime_t self:lnk_file setattr;
$ rpm -q container-selinux
container-selinux-2.114.0-1.git028ab00.fc30.noarch
from fuse-overlayfs.
yann-soubeyrand
commented on May 31, 2024
From the informations you gave above, I thought I had a fixed version:
[yann@work-laptop ~]$ rpm-ostree db list fedora:fedora/30/x86_64/testing/silverblue | grep container-selinux
container-selinux-2:2.116.0-1.gitc5ef5ac.fc30.noarch
Which version does contain the fix? And where can I install it from?
from fuse-overlayfs.
rhatdan
commented on May 31, 2024
It should be in that one, but I am wondering if it the modules is installed properly.
# rpm -qf /usr/share/selinux/packages/container.pp.bz2
container-selinux-2.114.0-1.git028ab00.fc30.noarch
# semodule -i /usr/share/selinux/packages/container.pp.bz2
from fuse-overlayfs.
yann-soubeyrand
commented on May 31, 2024
OK, sudo semodule -i /usr/share/selinux/packages/container.pp.bz2 solves the problem, thanks.
Can you keep us updated in this issue when the fix hits Silverblue 30 testing then stable?
from fuse-overlayfs.
cgwalters
commented on May 31, 2024
Hm, you may have hit ostreedev/ostree#1026
from fuse-overlayfs.
yann-soubeyrand
commented on May 31, 2024
@cgwalters OK, if I understand correctly, this bug is not going to be fixed soon as it's not trivial, right? Is there a manual way to fix it (other than manually loading the policy after each reboot)?
from fuse-overlayfs.
yann-soubeyrand
commented on May 31, 2024
Answering myself: semodule command solves the problem permanently, thanks a lot @rhatdan ;-)
from fuse-overlayfs.
Related Issues (20)
- hide overlapping paths HOT 2
- `tar: .: file changed as we read it` with `fuse-overlayfs` HOT 14
- debug help to indentify partial reads on readonly overlay
- kernel crash (task blocked) when using fuse-overlayfs on tmpfs HOT 2
- change fuse-overlayfs license to GPL2 HOT 35
- Calling fuse-overlayfs in a systemd user service fails to mount anything HOT 3
- Mount with fuse-overlayfs is about 7x slower than mount with /usr/bin/mount HOT 3
- wrong inode on entries read by readdir instead of readdirplus
- Unpredictable Behavior when Upperdir is also Mountpoint HOT 5
- Extraneous "/proc seems to be mounted as readonly, it can lead to unexpected failures" HOT 1
- cp's copy_file_range vs read-only files HOT 2
- chown -R on non-empty directory changes mtime
- overlay driver is very slow in podman-in-podman builds with large COPY layer HOT 6
- What are the Supported Options in fuse-overlayfs? HOT 1
- force_mask affects permissions inside container HOT 11
- touch: setting times of 'XXX' : No such file or directory
- mkdir with permissions 0555 fails HOT 6
- Make with Fuse 2 HOT 2
- Support running fuse-overlayfs without the open fds 0, 1 and 2
- Does fuse-overlayfs support a fuse filesystem as upperdir? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fuse-overlayfs.