Re: [bisected] Re: docker overlay support broken post v4.8

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, Oct 13, 2016 at 05:16:11PM -0400, Vivek Goyal wrote:
> On Thu, Oct 13, 2016 at 04:38:23PM -0400, CAI Qian wrote:
> > 
> > 
> > ----- Original Message -----
> > > From: "CAI Qian" <caiqian@xxxxxxxxxx>
> > > Sent: Wednesday, October 12, 2016 9:54:52 AM
> > > Subject: docker overlay support broken post v4.8
> > > 
> > > Some patches went into the 4.9 merge window broke docker overlay support even
> > > with
> > > selinux disabled (setenforce 0).
> > > 
> > > # docker run -it fedora bash
> > > /usr/bin/docker-latest: Error response from daemon: error creating overlay
> > > mount to
> > > /var/lib/docker-latest/overlay/8ffc75b527de2863daef50a7c88a382b84953a0d40f49c40d2a9f504d9e8123c-init/merged:
> > > operation not supported.
> > > See '/usr/bin/docker-latest run --help'.
> > > 
> > > This message splits in the console.
> > > [61250.857832] SELinux: (dev overlay, type overlay) has no xattr support
> > Reverted the patchset of "Xattr inode operation removal" against the latest mainline
> > fixed the problem, i.e., commits below in order.
> > 
> > fd50ecaddf8372a1d96e0daeaac0f93cf04e4d42
> > 6c6ef9f26e598fb977f60935e109cd5b266c941a
> > bf3ee71363c0b44acb62f375aea470262ac4210a
> > 5d6c31910bc0713e37628dc0ce677dcb13c8ccf4
> > f5c244383725a6de06bc62fa7c54c0ea0d942eec
> > 5f6e59ae8277cef221fdbf9b12f0c4f80db59944
> > d0a5b995a308347fdb1bb0412df32acd0312523b
> 
> Looking at selinux code, it seems to be coming from following code.
> Looks like in case of overlay inode, we are not setting
> IOP_XATTR?
> 
> Vivek
> 
> sb_finish_set_opts()
>  
>         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
>                 /* Make sure that the xattr handler exists and that no
>                    error other than -ENODATA is returned by getxattr on
>                    the root directory.  -ENODATA is ok, as this may be
>                    the first boot of the SELinux kernel before we have
>                    assigned xattr values to the filesystem. */
>                 if (!(root_inode->i_opflags & IOP_XATTR)) {
>                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
>                                "xattr support\n", sb->s_id, sb->s_type->name);
>                         rc = -EOPNOTSUPP;
>                         goto out;

IOP_XATTR is set, if sb->s_xattr is not NULL.

inode_init_always() {
	if (sb->s_xattr)
		inode->i_opflags |= IOP_XATTR;
}

In case of overlay, when preparing super block and root dentry,
sb->s_xattr has not been set yet and we call, 

ovl_new_inode()
  new_inode()
    alloc_inode()
	inode_init_always()

Looks like we need to initalize overlay super block little more and
set s_xattr before calling ovl_new_inode().

Vivek
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux