On Tue, May 19, 2020 at 1:23 PM Johannes Schauer <jo...@debian.org> wrote:
>
> Hi,
>
> Quoting Shengjing Zhu (2020-05-19 05:35:23)
> > >Your two sentences don't tell me what you'd like sbuild to do. In your
> > >follow-up email please be specific about what you propose and why it would
> > >be useful and an improvement over the status quo.
> > The second sentence is a possible implementation. Mounting an overlay needs
> > privileged permission. But the beauty of the unshare backend is that it
> > doesn't need privilege. So I just propose fuse-overlayfs.
>
> Even the unshare backend needs some privilege. To set up the unshared namespace
> it needs newuidmap and newgidmap, which are suid binaries, and thus you briefly
> work with root privileges (there already were two CVEs against these tools:
> CVE-2016-6252 and CVE-2018-7169).
>
> Also, for fuse-overlayfs to make sense you need an *unpacked* rootfs
> somewhere.
> Creating this unpacked rootfs needs superuser privileges or otherwise the
> ownership information will be all off.
>
I'm not an expert at this. But fuse-overlayfs says it supports overlay+shiftfs.
So I think you can create a rootfs in a user namespace. I tested it in a
rootless container, and successfully debootstrapped a rootfs and did an
overlay mount. (Since I'm not sure how to use unshare and newuidmap/newgidmap,
I used a tool[1] which is similar to them.)

[1] https://github.com/rootless-containers/rootlesskit

Below is my experiment.

$ rootlesskit --net=host bash
$ export container=lxc # just pretend to be a container, so debootstrap doesn't fail
$ debootstrap unstable ./rootfs/ http://127.0.0.1:3142/deb.debian.org/debian/
$ mkdir -p overlay/{upper,work,merged}
$ fuse-overlayfs -o lowerdir=rootfs,upperdir=overlay/upper,workdir=overlay/work overlay/merged
$ chroot overlay/merged/
$ touch a
$ chown root:staff a
$ ls -lh a
-rw-r--r-- 1 root staff 0 May 19 06:10 a

Things like the group are kept as well. And on the host, I see

$ ls -lh /<xxx>/overlay/upper/a
-rw-r--r-- 1 zhsj 100049 0 May 19 14:10 /tmp/t/overlay/upper/a

> So the advantage of using an overlay is:
>
>  - faster than unpacking a tarball (which usually takes below 2 seconds)
>
> The disadvantage of using an overlay is:
>
>  - root is needed to have the lowerdir unpacked somewhere

In my experiment, it doesn't need root.

>  - if anything fails or gets killed, a stale mount is left over
>  - additional dependencies
>  - fuse has to be set up (user must be in the fuse group)

I'm not sure, but I'm not in the fuse group.

$ id
uid=1000(zhsj) gid=1000(zhsj) groups=1000(zhsj),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),101(systemd-journal),105(kvm),108(netdev),112(sbuild),113(docker),115(lpadmin),120(libvirt),997(mock)

>  - fuse is not available everywhere (for example inside containers, like
>    Debian CI)
>  - more command line options + associated complexity
>
> Thanks!
>
> cheers, josch

--
Shengjing Zhu
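The host-side ownership in the experiment above (root:staff inside the namespace, zhsj:100049 on the host) is simply the user-namespace ID map applied to the file's uid and gid. The following is an added example, not code from this thread, from rootlesskit or from fuse-overlayfs: it implements the lookup the kernel performs against /proc/<pid>/uid_map and gid_map, so you can predict what an unprivileged rootfs will look like from either side and which ids a chown inside the namespace will be refused. It assumes rootlesskit mapped id 0 to the user's own id 1000 and ids 1..65536 onto a subordinate range starting at 100000 (the usual /etc/subuid and /etc/subgid allocation; the sample map below is constructed on that assumption), and that `staff` is gid 50 as in Debian's base-passwd. Under that map gid 50 lands on 100049, which is consistent with the `ls` output quoted above.

```python
"""ID translation across a user namespace, in /proc/<pid>/uid_map format.

Added example, not code from the sbuild thread or from rootlesskit.  It
reproduces the arithmetic behind the experiment: a file that is root:staff
inside the namespace is stored as zhsj:100049 on the host.
"""
from typing import List, Optional, Tuple

# Each line of /proc/<pid>/uid_map and /proc/<pid>/gid_map reads:
#     <first id inside the namespace> <first id outside it> <count>
# Constructed sample (an assumption about the experiment's setup, not taken
# from the thread): id 0 -> the user's own id 1000, ids 1..65536 -> the
# subordinate range that newuidmap/newgidmap hand out from /etc/sub[ug]id.
SAMPLE_ID_MAP = """\
         0       1000          1
         1     100000      65536
"""

# kernel.overflowuid / kernel.overflowgid default: shown as nobody/nogroup
OVERFLOW_ID = 65534

Entry = Tuple[int, int, int]


def parse_id_map(text: str) -> List[Entry]:
    """Parse uid_map/gid_map text into (inside, outside, count) triples."""
    entries: List[Entry] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid id_map line: {line!r}")
        entries.append((inside, outside, count))
    return entries


def to_host(entries: List[Entry], ns_id: int) -> Optional[int]:
    """Map an id used inside the namespace to the id the host kernel stores.

    Returns None when no entry covers the id: the kernel rejects a chown()
    to such an id from inside the namespace with EINVAL.
    """
    for inside, outside, count in entries:
        if inside <= ns_id < inside + count:
            return outside + (ns_id - inside)
    return None


def to_ns(entries: List[Entry], host_id: int) -> int:
    """Map a host id to what a process inside the namespace sees.

    A host id outside every entry is presented as the overflow id (65534),
    which is why files owned by an unmapped host id show up as nobody/nogroup
    inside the namespace.
    """
    for inside, outside, count in entries:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return OVERFLOW_ID


def read_live_map(kind: str = "uid", pid: str = "self") -> List[Entry]:
    """Read the real map of a running process (Linux only)."""
    with open(f"/proc/{pid}/{kind}_map", encoding="ascii") as fh:
        return parse_id_map(fh.read())


if __name__ == "__main__":
    gid_map = parse_id_map(SAMPLE_ID_MAP)
    staff_gid = 50  # Debian's base-passwd assigns gid 50 to "staff"
    print("root(0)  -> host", to_host(gid_map, 0))          # 1000
    print("staff(50) -> host", to_host(gid_map, staff_gid))  # 100049
    print("host 100049 -> ns", to_ns(gid_map, 100049))       # 50
    print("host 5 -> ns", to_ns(gid_map, 5))                 # 65534
```

Run inside the rootlesskit shell, `read_live_map("gid")` returns the actual map newgidmap wrote, and `to_host` over that map tells you what ownership the host will see for every id the chroot can chown to. Ids beyond the subordinate range are the failure mode to watch: inside the namespace they cannot be assigned at all, and packages whose postinst creates system users above the mapped range will fail there rather than on the host.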