pkg/archive: support overlayfs in userns (Ubuntu kernel only)

[AkihiroSuda]

Signed-off-by: Akihiro Suda suda.akihiro@lab.ntt.co.jp

- What I did

Ubuntu kernel supports overlayfs in user namespaces.

However, Docker had previously crafting overlay opaques directly
using mknod(2) and setxattr(2), which are not supported in userns.

This PR allows pkg/archive to craft opaques by creating overlayfs rather than mknod/setxattr.

Tested with LXD, Ubuntu 18.04, kernel 4.15.0-36-generic #39-Ubuntu.

Cherry-picked from Usernetes patch set: https://github.com/rootless-containers/usernetes

- How I did it

mknod c 0 0:

• Mkdir lower,upper,merged,work
• Create lower/dummy
• Mount overlayfs
• Unlink merged/dummy
• Unmount overlayfs
• The 0,0 character node is ready as upper/dummy

mkdir with trusted.overlay.opaque xattr:

• Mkdir lower,upper,merged,work
• Mkdir lower/dummy
• Mount overlayfs
• Rmdir merged/dummy
• Mkdir merged/dummy
• Unmount overlayfs
• The dir with trusted.overlay.opaque xattr is ready as upper/dummy

- How to verify it

• Set up Ubuntu 18.04 host
• Create Docker-in-LXD environment ( https://gist.github.com/AkihiroSuda/772604c6895d5ced5357e5dcc154be22 )
• Make sure overlay2 is selected as the storage driver (docker info)
• docker pull ubuntu

Without patch, docker pull ubuntu fails as follows:

root@c0:~# docker version
Client:
 Version:           master-dockerproject-2018-10-14
 API version:       1.39
 Go version:        go1.11.1
 Git commit:        d18aad38
 Built:             Sun Oct 14 23:42:14 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          master-dockerproject-2018-10-14
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.11.1
  Git commit:       ee6fc90
  Built:            Sun Oct 14 23:51:03 2018
  OS/Arch:          linux/amd64
  Experimental:     false
root@c0:~# docker pull ubuntu
Using default tag: latest
latest: Pulling from library/ubuntu
124c757242f8: Pull complete 
9d866f8bde2a: Pull complete 
fa3f2f277e67: Extracting [==================================================>]     469B/469B
398d32b153e8: Download complete 
afde35469481: Download complete 
failed to register layer: Error processing tar file(exit status 1): operation not permitted

- Description for the changelog

pkg/archive: support overlayfs in userns (Ubuntu kernel only)

- A picture of a cute animal (not mandatory but encouraged)
🐧

[AkihiroSuda]

cc @brauner @stgraber @dmcgowan

[AkihiroSuda]

also cc @dhiltonp

[estesp]

Looks good @AkihiroSuda; windows CI failure looks to be a teardown test flake; unrelated to changes

[cpuguy83]

I haven't validated this yet, but just a minor comment on the code.

[cpuguy83]

Instead of the if/else here, could we have a wrapper for the userns case that catches the error and handles accordingly?

[AkihiroSuda]

Could you be more specific?

[cpuguy83]

I was thinking we could just wrap ConverRead with something like if err := c.wrapped.ConvertRead(...); err != nil && c.isInUserNS {...}

But looking back now, I think that may not be all that clean.

[thaJeztah]

/cc @dmcgowan @tonistiigi

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@6e3113f). Click here to learn what that means.
The diff coverage is 8.82%.

@@            Coverage Diff            @@
##             master   #38038   +/-   ##
=========================================
  Coverage          ?   36.53%           
=========================================
  Files             ?      610           
  Lines             ?    45371           
  Branches          ?        0           
=========================================
  Hits              ?    16575           
  Misses            ?    26467           
  Partials          ?     2329

[thaJeztah]

(only glancing over the code); It's not an exported function, so not a big deal; just thinking if it would be cleaner to pass the options struct, instead of adding a boolean

[AkihiroSuda]

What would be other fields of options?

[thaJeztah]

not sure 😅 . My train of thought was that in case more options appeared in future, we didn't have to change the signature

[thaJeztah]

ping @cpuguy83 @dmcgowan @tonistiigi PTAL

[AkihiroSuda]

ping @cpuguy83 @dmcgowan @tonistiigi

[cpuguy83]

This seems sane. Is there a good way we can add this to the test suite?

[AkihiroSuda]

As this is Ubuntu-specific and planned to be deprecated in favor of containerd overlay snapshotter, I think manual testing is ok for now

[cpuguy83]

IMO, if it's not worth adding tests for it's not worth merging.

[AkihiroSuda]

Added TestReexecUserNSOverlayWhiteoutConverter.

The test passed locally on Ubuntu 18.04.1, kernel 4.15.0-39-generic #42-Ubuntu

[AkihiroSuda]

The PR now contains commit from #38292 so that the PR can be tested on recent kernels.

[cpuguy83]

I'm sure I don't know what this is doing, but why do we mention v3 and set 2 here, and then check 2 later?

[AkihiroSuda]

2 is just a filename and had nothing to do with the version

[cpuguy83]

LGTM

[AkihiroSuda]

rebased the PR, as #38292 got merged

@dmcgowan PTAL?

[AkihiroSuda]

@cpuguy83 @tonistiigi @dmcgowan mergeable?

[AkihiroSuda]

ping @cpuguy83 @tonistiigi @dmcgowan

[vdemeester]

LGTM 🐯

[thaJeztah]

@dmcgowan let us know if there's any changes needed after-the-fact 🤗