Re: [bisected] Re: docker overlay support broken post v4.8

Vivek Goyal <vgoyal@xxxxxxxxxx> · Thu, 13 Oct 2016 17:16:11 -0400

On Thu, Oct 13, 2016 at 04:38:23PM -0400, CAI Qian wrote:
> 
> 
> ----- Original Message -----
> > From: "CAI Qian" <caiqian@xxxxxxxxxx>
> > Sent: Wednesday, October 12, 2016 9:54:52 AM
> > Subject: docker overlay support broken post v4.8
> > 
> > Some patches went into the 4.9 merge window broke docker overlay support even
> > with
> > selinux disabled (setenforce 0).
> > 
> > # docker run -it fedora bash
> > /usr/bin/docker-latest: Error response from daemon: error creating overlay
> > mount to
> > /var/lib/docker-latest/overlay/8ffc75b527de2863daef50a7c88a382b84953a0d40f49c40d2a9f504d9e8123c-init/merged:
> > operation not supported.
> > See '/usr/bin/docker-latest run --help'.
> > 
> > This message splits in the console.
> > [61250.857832] SELinux: (dev overlay, type overlay) has no xattr support
> Reverted the patchset of "Xattr inode operation removal" against the latest mainline
> fixed the problem, i.e., commits below in order.
> 
> fd50ecaddf8372a1d96e0daeaac0f93cf04e4d42
> 6c6ef9f26e598fb977f60935e109cd5b266c941a
> bf3ee71363c0b44acb62f375aea470262ac4210a
> 5d6c31910bc0713e37628dc0ce677dcb13c8ccf4
> f5c244383725a6de06bc62fa7c54c0ea0d942eec
> 5f6e59ae8277cef221fdbf9b12f0c4f80db59944
> d0a5b995a308347fdb1bb0412df32acd0312523b

Looking at selinux code, it seems to be coming from following code.
Looks like in case of overlay inode, we are not setting
IOP_XATTR?

Vivek

sb_finish_set_opts()

        if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
                /* Make sure that the xattr handler exists and that no
                   error other than -ENODATA is returned by getxattr on
                   the root directory.  -ENODATA is ok, as this may be
                   the first boot of the SELinux kernel before we have
                   assigned xattr values to the filesystem. */
                if (!(root_inode->i_opflags & IOP_XATTR)) {
                        printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
                               "xattr support\n", sb->s_id, sb->s_type->name);
                        rc = -EOPNOTSUPP;
                        goto out;
                }
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html