Hi folks,

Thanks for pulling me in.
On Sun, Jan 9, 2022 at 11:15 PM Reinhard Tartler <siret...@gmail.com> wrote:
> Control: reassign -1 storage-common
> Control: affects -1 podman
>
> Hi Philip,
>
> Thank you for your bug report. I'll defer to our overlay expert, Giuseppe.
>
> The Debian equivalent to Fedora's package 'containers-common' has the same
> name in Debian, and does ship a 'storage.conf' file in
> /usr/share/containers/storage.conf. This is so that the local administrator
> can copy it to /etc/containers/storage.conf and do local modifications. The
> Debian package copies the storage.conf from the upstream source verbatim.
> As you can see at
> https://github.com/containers/storage/blob/375f77c66685b14fc580daad2dc6df607fb86dee/storage.conf#L95,
> the mount option 'metacopy=on' is missing even upstream.
>
> I am not sure why the Fedora package decided to patch the configuration
> file -- I couldn't find a comment in the .src.rpm that you linked. Also,
> looking at the kernel documentation you provided, it seems your concerns
> re: security are justified, and the option seems to have significant
> security implications:
>
>> Do not use metacopy=on with untrusted upper/lower directories. Otherwise
>> it is possible that an attacker can create a handcrafted file with
>> appropriate REDIRECT and METACOPY xattrs, and gain access to file on lower
>> pointed by REDIRECT. This should not be possible on local system as setting
>> “trusted.” xattrs will require CAP_SYS_ADMIN. But it should be possible for
>> untrusted layers like from a pen drive.
>
> I'm not sure whether enabling it by default is a good idea. I need to
> think more about this.
> @Giuseppe Scrivano <gscri...@redhat.com> what do you think?
> I'd also appreciate hearing additional opinions on this, and have copied
> some friends from podman upstream. Do you happen to know what's the
> background / thinking in Fedora with enabling the option metacopy=on?
>
> Happy New Year!
>
> -rt
>
> On Sun, Jan 2, 2022 at 9:51 AM Philip <phi...@kellnerweg.de> wrote:
>> Package: podman
>> Version: 3.0.1+dfsg1-3+b2
>> Severity: wishlist
>>
>> Dear Maintainer,
>>
>> I had some problems running the dockerized version of the Unifi
>> controller jacobalberty/unifi-docker with podman on Debian.
>> On a Fedora system, starting the container only takes a few seconds.
>> On a Debian system, it can take about 5 minutes.
>>
>> The reason is that on the Fedora system the mount option metacopy=on
>> (see [1] for this mount option) is set for the container overlayfs via a
>> default /etc/containers/storage.conf.
>> That makes quite the difference for this specific image because it does a
>> `chown unifi:unifi /usr/lib/unifi` during startup.
>> chown-ing these 6k files is fast with metacopy=on (on Fedora).
>> Without the option (on Debian), I think the files will be copied instead
>> of only their metadata, making it rather slow.
>>
>> So the solution for me was to copy /etc/containers/storage.conf from a
>> Fedora system. If anyone has a similar problem, the file can be extracted
>> from the src rpm of the containers-common package which can be downloaded
>> at [2].
>>
>> IMO it would be useful if Debian would also include a default
>> /etc/containers/storage.conf.
>> Thanks for considering this!
>> However, I'm not sure if metacopy=on is a good idea from a security
>> perspective.
>>
>> Best
>> Philip
>>
>> -- System Information:
>> Debian Release: 11.2
>>   APT prefers stable-updates
>>   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 5.10.0-10-amd64 (SMP w/2 CPU threads)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
>> Shell: /bin/sh linked to /usr/bin/dash
>> Init: systemd (via /run/systemd/system)
>> LSM: AppArmor: enabled
>>
>> Versions of packages podman depends on:
>> ii  conmon                           2.0.25+ds1-1.1
>> ii  containernetworking-plugins      0.9.0-1+b6
>> ii  crun                             0.17+dfsg-1
>> ii  golang-github-containers-common  0.33.4+ds1-1
>> ii  init-system-helpers              1.60
>> ii  iptables                         1.8.7-1
>> ii  libc6                            2.31-13+deb11u2
>> ii  libdevmapper1.02.1               2:1.02.175-2.1
>> ii  libgpgme11                       1.14.0-1+b2
>> ii  libseccomp2                      2.5.1-1+deb11u1
>>
>> Versions of packages podman recommends:
>> ii  buildah                                           1.19.6+dfsg1-1+b6
>> ii  catatonit                                         0.1.5-2
>> ii  fuse-overlayfs                                    1.4.0-1
>> ii  golang-github-containernetworking-plugin-dnsname  1.1.1+ds1-4+b7
>> ii  slirp4netns                                       1.0.1-2
>> ii  uidmap                                            1:4.8.1-1
>>
>> Versions of packages podman suggests:
>> pn  containers-storage  <none>
>> pn  docker-compose      <none>
>>
>> -- no debconf information
>>
>> [1]: https://www.kernel.org/doc/html/latest/filesystems/overlayfs.html#metadata-only-copy-up
>> [2]: https://kojipkgs.fedoraproject.org//packages/containers-common/1/32.fc35/src/containers-common-1-32.fc35.src.rpm
>
> --
> regards,
> Reinhard
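As an added example, not part of the bug report and not code from the Debian or Fedora packages or from containers/storage: a POSIX shell script that reads the `mountopt` value from the `[storage.options.overlay]` table of a storage.conf, reports whether `metacopy=on` is set, and shows the kernel overlay module's own default from `/sys/module/overlay/parameters/metacopy`. The two sample config files are constructed inline; the line `mountopt = "nodev,metacopy=on"` is assumed as the Fedora-style setting the report describes, and the commented-out `# mountopt = "nodev"` line stands in for the upstream file that leaves the option off.

```sh
#!/bin/sh
# Added example, not code from the bug report or from containers/storage.
# Reads the overlay mount options from a storage.conf and reports whether
# metacopy=on is enabled, plus the kernel overlay module's default.

# Print the value of 'mountopt' from the [storage.options.overlay] table.
# Commented-out lines ("# mountopt = ...") and mountopt keys in other
# tables are ignored; prints nothing if the table or key is absent.
overlay_mountopt() {
    awk '
        /^[[:space:]]*\[/ {
            in_overlay = ($0 ~ /^[[:space:]]*\[storage\.options\.overlay\][[:space:]]*$/)
        }
        in_overlay && /^[[:space:]]*mountopt[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")   # drop "mountopt ="
            gsub(/"/, "")                     # drop the TOML quotes
            print
            exit
        }' "$1"
}

# Succeed (0) if the comma-separated option string contains metacopy=on.
has_metacopy_on() {
    case ",$1," in
        *,metacopy=on,*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Kernel-side default: Y or N when the overlay module is loaded and built
# with CONFIG_OVERLAY_FS_METACOPY, "unknown" otherwise. A metacopy=on in
# mountopt enables the feature per mount regardless of this default.
kernel_metacopy_default() {
    p=/sys/module/overlay/parameters/metacopy
    if [ -r "$p" ]; then cat "$p"; else echo unknown; fi
}

# One-line verdict for a config file, with the kernel doc's caveat attached.
report() {
    opts=$(overlay_mountopt "$1")
    if has_metacopy_on "$opts"; then
        echo "$1: mountopt=\"$opts\" -> metacopy=on (fast chown; do not use with untrusted layers)"
    else
        echo "$1: mountopt=\"${opts:-<unset>}\" -> metacopy off"
    fi
}

# Two constructed sample configs: one modelled on the Fedora setting from
# the report, one with the option left commented out as in the upstream file.
demo() {
    fedora=$(mktemp) && debian=$(mktemp)
    printf '%s\n' '[storage]' 'driver = "overlay"' '' \
        '[storage.options.overlay]' 'mountopt = "nodev,metacopy=on"' > "$fedora"
    printf '%s\n' '[storage]' 'driver = "overlay"' '' \
        '[storage.options.overlay]' '# mountopt = "nodev"' > "$debian"
    report "$fedora"
    report "$debian"
    echo "kernel overlay metacopy default: $(kernel_metacopy_default)"
    rm -f "$fedora" "$debian"
}

demo
```

Run it as root on the host to see the live kernel default; point `report` at `/etc/containers/storage.conf` (or `/usr/share/containers/storage.conf` on Debian) to see which setting a given machine actually applies.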