Currently, virtio-9p cannot be used with overlayfs in order to obtain
Docker-like experience (but with separate kernel) because of file
attributes problems. I wrote an email about that to qemu-devel almost
year ago, but it received no attention (I attach its contents below.).
Will virtio-fs avoid these problems? I assume it will be transparent
from the point of view of file attributes, and not enforce any kind of
security filtering?
Piotr Jurkiewicz
----
1. Upper filesystem must support the creation of trusted.* extended
attributes.
9pfs has support for getting/setting xattrs, but calls operating on
attributes other than user.* and system.posix_acl_* are dropped.
2. Upper filesystem must provide valid d_type in readdir responses.
This works, but only in case of 'passtrough' and 'none' security models.
In the case of 'mapped-xattr' and 'mapped-file' models, d_type is being
zeroed to DT_UNKNOWN during readdir() call.
All these limitations can be resolved pretty easily, but requires some
design decisions. I can prepare appropriate patches.
Ad. 1.
Why are operations on attributes other than than user.* and
system.posix_acl_* forbidden? Is this due to security reasons?
If so, can we map all of them to user.virtfs namespace, similarly as
system.posix_acl_* are being mapped to user.virtfs.system.posix_acl_* in
'mapping' mode already? This way any trusted/security/system attributes
will be effective only when mounted via virtfs inside VM.
Ad. 2.
local_readdir() can fill entry->d_type with the right DT_* value by
obtaining file type from mapping and translating it with IFTODT() macro.
This would, however, require reading 'user.virtfs.mode' for each
direntry during readdir() call, what can affect performance. If so, this
behavior would probably need to be controlled with some runtime option.
'mapped-xattr' and 'mapped-file' models are essential for running qemu
with overlayfs as non-root, because overlayfs creates device nodes, what
is possible for unprivileged user only with these models.