On Tue, May 19, 2020 at 1:23 PM Johannes Schauer <jo...@debian.org> wrote:
>
> Hi,
>
> Quoting Shengjing Zhu (2020-05-19 05:35:23)
> > >Your two sentences don't tell me what you'd like sbuild to do. In your
> > >follow-up email please be specific about what you propose and why it would
> > >be useful and an improvement over the status-quo.
> > The second sentence is a possible implementation. Mounting an overlay needs
> > privileged permission.  But the beauty of the unshare backend is that it
> > doesn't need privilege. So I just propose the fuse-overlayfs.
>
> even the unshare backend needs some privilege. To setup the unshared namespace
> it needs newuidmap and newgidmap which are suid binaries and thus you briefly
> work with root privileges (there already were two CVEs against these tools:
> CVE-2016-6252 and CVE-2018-7169).
>
> Also, for fuse-overlayfs to make sense you need an *unpacked* rootfs somewhere.
> Creating this unpacked rootfs needs superuser privileges or otherwise the
> ownership information will be all off.
>

I'm not an expert at this. But fuse-overlayfs says it supports
overlay+shiftfs. So I think you can create a rootfs in a user namespace.

I tested it in a rootless container, and successfully debootstrapped a
rootfs and did an overlay mount.
(Since I'm not sure how to use unshare and newuidmap/newgidmap, I took a
tool[1] which is similar to them.)

[1] https://github.com/rootless-containers/rootlesskit

Below is my experiment.

$ rootlesskit --net=host bash
$ export container=lxc # just pretend to be a container, so debootstrap doesn't fail
$ debootstrap unstable ./rootfs/ http://127.0.0.1:3142/deb.debian.org/debian/
$ mkdir -p overlay/{upper,work,merged}
$ fuse-overlayfs -o lowerdir=rootfs,upperdir=overlay/upper,workdir=overlay/work \
    overlay/merged
$ chroot overlay/merged/
$ touch a
$ chown root:staff a
$ ls -lh a
-rw-r--r-- 1 root staff 0 May 19 06:10 a

Things like the group are kept as well.

And on the host, I see
$ ls -lh /<xxx>/overlay/upper/a
-rw-r--r-- 1 zhsj 100049 0 May 19 14:10 /tmp/t/overlay/upper/a

> So the advantage of using an overlay is:
>
>  - faster than unpacking a tarball (which usually takes below 2 seconds)
>
> The disadvantage of using an overlay is:
>
>  - root is needed to have the lowerdir unpacked somewhere

In my experiment, it doesn't need root.

>  - if anything fails or gets killed, a stale mount is leftover
>  - additional dependencies
>  - fuse has to be setup (user must be in fuse group)

I'm not sure, but I'm not in the fuse group.
$ id
uid=1000(zhsj) gid=1000(zhsj)
groups=1000(zhsj),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),101(systemd-journal),105(kvm),108(netdev),112(sbuild),113(docker),115(lpadmin),120(libvirt),997(mock)


>  - fuse is not available everywhere (for example inside containers, like Debian CI)
>  - more command line options + associated complexity
>
> Thanks!
>
> cheers, josch


--
Shengjing Zhu
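The ownership translation seen in the experiment above (root:staff inside the namespace, zhsj:100049 on the host) comes from the user-namespace id mapping that rootlesskit, or newuidmap/newgidmap, writes into /proc/<pid>/uid_map and gid_map. The script below is an added example, not code from this thread or from sbuild, rootlesskit or fuse-overlayfs: it parses that three-column format and maps ids in both directions. The two-line mapping it embeds is constructed to match what a rootless setup produces for uid 1000 with a Debian-default subordinate range starting at 100000 (an assumption; it was not read from Shengjing's machine), and gid 50 for staff is the standard Debian value.

```python
"""Translate file ownership across a user-namespace id mapping.

Added example, not code from the thread or from sbuild, rootlesskit or
fuse-overlayfs.  It reads the three-column format of /proc/<pid>/uid_map
and /proc/<pid>/gid_map ("inner_start outer_start count" per line) and
shows why a file that is root:staff inside the namespace appears as
zhsj:100049 on the host.
"""

from typing import List, Optional, Tuple

IdRange = Tuple[int, int, int]  # (inner_start, outer_start, count)

# Constructed mapping in the shape rootlesskit/newuidmap set up for uid 1000:
# the user's own id becomes 0 inside, and a subordinate range starting at
# 100000 (assumption: a Debian-default /etc/subuid and /etc/subgid entry of
# "zhsj:100000:65536") backs inner ids 1..65536.
SAMPLE_UID_MAP = """\
         0       1000          1
         1     100000      65536
"""
SAMPLE_GID_MAP = SAMPLE_UID_MAP  # same layout for gids on this host

# What the initial user namespace reports: the identity mapping.
INITIAL_NS_MAP = "         0          0 4294967295\n"

STAFF_GID = 50  # Debian's "staff" group


def parse_id_map(text: str) -> List[IdRange]:
    """Parse uid_map/gid_map text into (inner_start, outer_start, count) triples."""
    ranges: List[IdRange] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inner, outer, count = (int(f) for f in fields)
        if count <= 0 or min(inner, outer) < 0:
            raise ValueError(f"invalid id_map range: {line!r}")
        ranges.append((inner, outer, count))
    return ranges


def inner_to_outer(mapping: List[IdRange], inner_id: int) -> Optional[int]:
    """Id the host sees for inner_id, or None if the namespace has no mapping
    for it (the kernel then shows the overflow id, 65534, on the outside)."""
    for inner, outer, count in mapping:
        if inner <= inner_id < inner + count:
            return outer + (inner_id - inner)
    return None


def outer_to_inner(mapping: List[IdRange], outer_id: int) -> Optional[int]:
    """Inverse direction: which inner id a host-side id corresponds to."""
    for inner, outer, count in mapping:
        if outer <= outer_id < outer + count:
            return inner + (outer_id - outer)
    return None


def translate_owner(uid_map: List[IdRange], gid_map: List[IdRange],
                    uid: int, gid: int) -> Tuple[Optional[int], Optional[int]]:
    """Translate a (uid, gid) pair as seen inside the namespace to host ids."""
    return inner_to_outer(uid_map, uid), inner_to_outer(gid_map, gid)


def is_identity_map(mapping: List[IdRange]) -> bool:
    """True for the initial namespace's '0 0 4294967295' map, i.e. no
    remapping is in effect and ids written to disk are the real host ids."""
    return mapping == [(0, 0, 4294967295)]


if __name__ == "__main__":
    uid_map = parse_id_map(SAMPLE_UID_MAP)
    gid_map = parse_id_map(SAMPLE_GID_MAP)
    # root:staff inside -> 1000:100049 outside, matching the ls output in the mail
    print("root:staff inside ->", translate_owner(uid_map, gid_map, 0, STAFF_GID))
    print("host gid 100049 inside ->", outer_to_inner(gid_map, 100049))
    print("unmapped inner uid 70000 ->", inner_to_outer(uid_map, 70000))
    print("initial ns is identity:", is_identity_map(parse_id_map(INITIAL_NS_MAP)))
```

To check a live setup instead of the constructed sample, feed the contents of /proc/self/uid_map and /proc/self/gid_map from inside the rootlesskit shell to parse_id_map; an identity map there means no user namespace is in effect. An inner id that falls outside every range (here anything above 65536) has no host representation and returns None, which on a real kernel shows up as the overflow id 65534 (nobody/nogroup).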
