Comments (33)
I forgot to mention that using Docker instead of Podman works as expected.
from fuse-overlayfs.
@giuseppe is this one of the bugs you fixed in fuse-overlay?
from fuse-overlayfs.
I would bet it works well with root podman as well.
from fuse-overlayfs.
I think this is already fixed, but the rpm didn't hit Stable yet. Could you try with https://bodhi.fedoraproject.org/updates/FEDORA-2019-ed81918b28 ?
from fuse-overlayfs.
@giuseppe how can I test this package safely on Silverblue ?
from fuse-overlayfs.
@yann-soubeyrand I think you can download it and install it as a layered package using rpm-ostree.
I just tried it on Fedora 31 and the package installed correctly with the update fuse-overlayfs.
from fuse-overlayfs.
@rhatdan it won't mess with my underlying ostree when I remove the layered package?
from fuse-overlayfs.
Nope, that is the way rpm-ostree layering works. They can update independently.
@cgwalters could explain further.
from fuse-overlayfs.
This wouldn't be a layer but an override.
Run:
rpm-ostree override replace https://kojipkgs.fedoraproject.org//packages/fuse-overlayfs/0.5.2/3.git4dc60f0.fc30/x86_64/fuse-overlayfs-0.5.2-3.git4dc60f0.fc30.x86_64.rpm
from fuse-overlayfs.
Sorry, wrong terminology. Thanks @cgwalters
from fuse-overlayfs.
It doesn't work either with fuse-overlayfs 0.5.2-3.git4dc60f0.fc30.
from fuse-overlayfs.
But indeed, it works with root podman.
from fuse-overlayfs.
Well maybe you are seeing something different, we don't see this issue with f30.
Are you sure you started a new container and did not just exec into an already running container under toolbox? I don't think the fuse_overlay would be changed in a running container.
Perhaps reboot after replacing the fuse-overlayfs, actually I think that is required on Silverblue anyways.
from fuse-overlayfs.
I think I know what is going on, it is an issue exposed by recently enabling FUSE writeback. Going to take a look at it
from fuse-overlayfs.
> Are you sure you started a new container and did not just exec into an already running container under toolbox? I don't think the fuse_overlay would be changed in a running container.

I don't have toolbox any more as dnf upgrade crashed it. I did a podman run so I was in a brand new container ;-)

> Perhaps reboot after replacing the fuse-overlayfs, actually I think that is required on Silverblue anyways.

It's indeed mandatory to take the new ostree into account and I did it ;-)
@giuseppe Cool! Working on Silverblue without toolbox is a bit incapacitating :-D
from fuse-overlayfs.
It is not fixed for me
[mvala@localhost ~]$ rpm -q fuse-overlayfs
fuse-overlayfs-0.6-2.git43b641d.fc30.x86_64
[mvala@localhost ~]$ podman run -ti --restart=no --rm fedora
[root@8810c24040b1 /]# dnf install jq -y
Fedora Modular 30 - x86_64 1.3 MB/s | 1.9 MB 00:01
Fedora Modular 30 - x86_64 - Updates 1.5 MB/s | 2.7 MB 00:01
Fedora 30 - x86_64 - Updates 5.2 MB/s | 23 MB 00:04
Fedora 30 - x86_64 4.8 MB/s | 61 MB 00:12
Last metadata expiration check: 0:00:01 ago on Tue Aug 27 05:48:55 2019.
Dependencies resolved.
===============================================================================================================================================================================================================================================
Package Architecture Version Repository Size
===============================================================================================================================================================================================================================================
Installing:
jq x86_64 1.6-2.fc30 fedora 168 k
Installing dependencies:
oniguruma x86_64 6.9.2-2.fc30 updates 193 k
Transaction Summary
===============================================================================================================================================================================================================================================
Install 2 Packages
Total download size: 361 k
Installed size: 1.2 M
Downloading Packages:
(1/2): jq-1.6-2.fc30.x86_64.rpm 667 kB/s | 168 kB 00:00
(2/2): oniguruma-6.9.2-2.fc30.x86_64.rpm 131 kB/s | 193 kB 00:01
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 117 kB/s | 361 kB 00:03
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : oniguruma-6.9.2-2.fc30.x86_64 1/2
Error unpacking rpm package oniguruma-6.9.2-2.fc30.x86_64
Installing : jq-1.6-2.fc30.x86_64 2/2
error: unpacking of archive failed on file /usr/lib/.build-id/1c/7588d6da78dd5888d79f988ab594f6b5abeeb5;5d64c46a: cpio: utime
error: oniguruma-6.9.2-2.fc30.x86_64: install failed
Error unpacking rpm package jq-1.6-2.fc30.x86_64
Verifying : oniguruma-6.9.2-2.fc30.x86_64 1/2
Verifying : jq-1.6-2.fc30.x86_64 2/2
Failed:
oniguruma-6.9.2-2.fc30.x86_64 jq-1.6-2.fc30.x86_64
Error: Transaction failed
from fuse-overlayfs.
Same with
[mvala@localhost ~]$ rpm -q fuse-overlayfs
fuse-overlayfs-0.6.1-2.gitc548530.fc30.x86_64
from fuse-overlayfs.
It could be SELinux blocking it. Could you try again with SELinux disabled? We recently fixed an issue like that, so you might need to update it
from fuse-overlayfs.
Yes, with SELinux disabled it works. Will there be a version with SELinux enabled?
from fuse-overlayfs.
container-selinux-2.115.0-1.gitfddfbbb.fc30 is the latest available.
from fuse-overlayfs.
Thanks, I still have container-selinux-2.113.0-1.dev.git4f7d6bb.fc30.noarch
from fuse-overlayfs.
114 should be in updates testing now, and might have the fix.
dnf -y update --enablerepo=updates-testing container-selinux
from fuse-overlayfs.
I use Silverblue and I don't know yet how to enable the testing repo in rpm-ostree
from fuse-overlayfs.
rpm-ostree rebase fedora/30/x86_64/testing/silverblue
should work
from fuse-overlayfs.
Hi,
114 seems not to fix the bug: having container-selinux-2:2.114.0-1.git028ab00.fc30.noarch and fuse-overlayfs-0.6.1-2.gitc548530.fc30.x86_64 on Silverblue 30 and still hitting the bug.
from fuse-overlayfs.
Hi!
I went through the following steps.
- I rebased on testing:
[yann@work-laptop ~]$ rpm-ostree status
State: idle
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: no runs since boot
Deployments:
● ostree://fedora:fedora/30/x86_64/testing/silverblue
Version: 30.20190908.0 (2019-09-08T03:30:48Z)
BaseCommit: 03cd95bb0a3e7eab1823e35febdc88bae8d7b51dd171eb61a021f2557cf3df57
GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9
LayeredPackages: libvirt moby-engine qemu-kvm zsh
LocalPackages: google-chrome-stable-76.0.3809.132-1.x86_64
ostree://fedora:fedora/30/x86_64/silverblue
Version: 30.20190908.0 (2019-09-08T02:33:57Z)
BaseCommit: 13e2ec82239a3d864ad400f3f375dce06c73dd2bbfc2124ae0279ab5f6c849af
GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9
LayeredPackages: libvirt moby-engine qemu-kvm zsh
LocalPackages: google-chrome-stable-76.0.3809.132-1.x86_64
- I cleaned up things:
sudo rm -rf .local/share/containers/
- I created a fresh toolbox:
[yann@work-laptop ~]$ toolbox enter
No toolbox containers found. Create now? [y/N] y
Image required to create toolbox container.
Download registry.fedoraproject.org/f30/fedora-toolbox:30 (500MB)? [y/N]: y
- I tried to install jq from inside the toolbox:
⬢[yann@toolbox yann]$ sudo dnf install jq
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Fedora Modular 30 - x86_64 2.1 MB/s | 2.7 MB 00:01
Fedora Modular 30 - x86_64 - Updates 3.5 MB/s | 3.3 MB 00:00
Fedora 30 - x86_64 - Updates 6.2 MB/s | 20 MB 00:03 :00 ETA
Fedora 30 - x86_64 8.9 MB/s | 70 MB 00:07
Dependencies resolved.
===============================================================================
Package Architecture Version Repository Size
===============================================================================
Installing:
jq x86_64 1.6-2.fc30 fedora 168 k
Installing dependencies:
oniguruma x86_64 6.9.2-2.fc30 updates 193 k
Transaction Summary
===============================================================================
Install 2 Packages
Total download size: 361 k
Installed size: 1.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): oniguruma-6.9.2-2.fc30.x86_64.rpm 1.7 MB/s | 193 kB 00:00
(2/2): jq-1.6-2.fc30.x86_64.rpm 1.3 MB/s | 168 kB 00:00
-------------------------------------------------------------------------------
Total 216 kB/s | 361 kB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : oniguruma-6.9.2-2.fc30.x86_64 1/2
Error unpacking rpm package oniguruma-6.9.2-2.fc30.x86_64
Installing : jq-1.6-2.fc30.x86_64 2/2
error: unpacking of archive failed on file /usr/lib/.build-id/1c/7588d6da78dd5888d79f988ab594f6b5abeeb5;5d74db39: cpio: utime
error: oniguruma-6.9.2-2.fc30.x86_64: install failed
Error unpacking rpm package jq-1.6-2.fc30.x86_64
Verifying : oniguruma-6.9.2-2.fc30.x86_64 1/2
Verifying : jq-1.6-2.fc30.x86_64 2/2
Failed:
oniguruma-6.9.2-2.fc30.x86_64 jq-1.6-2.fc30.x86_64
Error: Transaction failed
From the /var/log/audit/audit.log file, I get:
type=AVC msg=audit(1567939700.806:344): avc: denied { setattr } for pid=11197 comm="fuse-overlayfs" name="273" dev="proc" ino=141291 scontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=0
type=AVC msg=audit(1567939700.809:345): avc: denied { setattr } for pid=11197 comm="fuse-overlayfs" name="273" dev="proc" ino=141291 scontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=0
Did I miss something or is this bug still present?
from fuse-overlayfs.
The AVCs indicate you need an updated version of container-selinux.
$ cat > /tmp/t
type=AVC msg=audit(1567939700.806:344): avc: denied { setattr } for pid=11197 comm="fuse-overlayfs" name="273" dev="proc" ino=141291 scontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=0
type=AVC msg=audit(1567939700.809:345): avc: denied { setattr } for pid=11197 comm="fuse-overlayfs" name="273" dev="proc" ino=141291 scontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=lnk_file permissive=0
$ audit2allow -i /tmp/t
#============= container_runtime_t ==============
#!!!! This avc is allowed in the current policy
allow container_runtime_t self:lnk_file setattr;
$ rpm -q container-selinux
container-selinux-2.114.0-1.git028ab00.fc30.noarch
from fuse-overlayfs.
From the information you gave above, I thought I had a fixed version:
[yann@work-laptop ~]$ rpm-ostree db list fedora:fedora/30/x86_64/testing/silverblue | grep container-selinux
container-selinux-2:2.116.0-1.gitc5ef5ac.fc30.noarch
Which version does contain the fix? And where can I install it from?
from fuse-overlayfs.
It should be in that one, but I am wondering if the module is installed properly.
# rpm -qf /usr/share/selinux/packages/container.pp.bz2
container-selinux-2.114.0-1.git028ab00.fc30.noarch
# semodule -i /usr/share/selinux/packages/container.pp.bz2
from fuse-overlayfs.
OK, sudo semodule -i /usr/share/selinux/packages/container.pp.bz2
solves the problem, thanks.
Can you keep us updated in this issue when the fix hits Silverblue 30 testing then stable?
from fuse-overlayfs.
Hm, you may have hit ostreedev/ostree#1026
from fuse-overlayfs.
@cgwalters OK, if I understand correctly, this bug is not going to be fixed soon as it's not trivial, right? Is there a manual way to fix it (other than manually loading the policy after each reboot)?
from fuse-overlayfs.
Answering myself: semodule command solves the problem permanently, thanks a lot @rhatdan ;-)
from fuse-overlayfs.