Re: [LSF/MM/BFP TOPIC] Composefs vs erofs+overlay

On 2023/3/3 23:13, Gao Xiang wrote:

...


And of course, there are disadvantages to composefs too. Primarily
being more code, increasing maintenance burden and risk of security
problems. Composefs is particularly burdensome because it is a
stacking filesystem and these have historically been shown to be hard
to get right.

Just off a bit of that, I do think you could finally find that a
fully-functional read-only filesystem is useful.

For example with EROFS you could,

 - keep composefs model files as your main use cases;

 - keep some small files such as "VERSION" or "README" inline;

 - refer to some parts of blobs (such as tar data) directly in
   addition to the whole file, which also seems a useful use case
   for OCI containers;

 - deploy all of the above to raw disks and other media as well;

 - etc.

Actually since you're container guys, I would like to mention
a way to directly reuse OCI tar data, and I'm not sure if you
have some interest as well: that is, just to generate EROFS
metadata which could point to the tar blobs so that the data itself
is still the original tar, but we could add fsverity + IMMUTABLE
to these blobs rather than the individual untarred files.

The main advantages over the current way (podman, containerd) are
 - save untar and snapshot gc time;
 - OCI layer diff IDs in the OCI spec [1] are guaranteed;
 - in-kernel mountable with runtime verification;
 - such tar can be mounted in secure containers in the same way
   as well.

Personally I've been working on EROFS since the end of 2017 until
now for many years, although it could take more or less time due
to other ongoing work; I always believe a read-only approach is
beyond just pure space-saving stuff.  So I devoted almost all
my extra leisure time to this.

Honestly, I do hope there could be more people interested in EROFS
in addition to the original Android use cases because the overall
intention is quite similar, and I'm happy to help with things that I
could do and avoid another random fs dump into the Linux kernel (of
course not though.)

[1] https://github.com/opencontainers/image-spec/blob/main/config.md

Thanks,
Gao Xiang
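As an added example (not part of this thread, nor of EROFS or erofs-utils), here is the check behind "fsverity + IMMUTABLE" on a tar blob: the fs-verity file digest is SHA-256 over a Merkle tree of the blob's 4 KiB blocks, wrapped in the 256-byte fsverity_descriptor. The Python below follows the kernel's documented construction (SHA-256, no salt, no signature; empty blobs are not handled) so that a pinned digest for a layer blob can be recomputed and compared outside the kernel; the function names and the sample blob are my own.

```python
import hashlib
import hmac
import struct

BLOCK_SIZE = 4096          # fs-verity default block size (log_blocksize = 12)
FS_VERITY_HASH_ALG_SHA256 = 1


def hash_block(block: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """SHA-256 of one tree block, zero-padded to block_size as fs-verity does."""
    return hashlib.sha256(block.ljust(block_size, b"\0")).digest()


def merkle_root(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Root hash of the fs-verity Merkle tree over data (SHA-256, no salt).

    Level 0 hashes each data block; each higher level hashes blocks made of
    the previous level's concatenated hashes, until a single block remains.
    """
    if not data:
        raise ValueError("empty blobs are not handled in this example")
    level = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    while True:
        hashes = [hash_block(blk, block_size) for blk in level]
        if len(hashes) == 1:
            return hashes[0]
        joined = b"".join(hashes)
        level = [joined[i:i + block_size] for i in range(0, len(joined), block_size)]


def fsverity_descriptor(root_hash: bytes, data_size: int,
                        block_size: int = BLOCK_SIZE) -> bytes:
    """The 256-byte struct fsverity_descriptor (version 1, sig_size 0)."""
    log_blocksize = block_size.bit_length() - 1
    return struct.pack("<BBBBIQ64s32s144s", 1, FS_VERITY_HASH_ALG_SHA256,
                       log_blocksize, 0, 0, data_size, root_hash, b"", b"")


def fsverity_digest(data: bytes) -> str:
    """File digest in the 'sha256:<hex>' form that `fsverity measure` prints."""
    desc = fsverity_descriptor(merkle_root(data), len(data))
    return "sha256:" + hashlib.sha256(desc).hexdigest()


def blob_matches(data: bytes, expected_digest: str) -> bool:
    """Check a blob (e.g. an OCI layer tar) against a pinned fs-verity digest."""
    return hmac.compare_digest(fsverity_digest(data), expected_digest)
```

`fsverity_digest(open(path, "rb").read())` yields the value to pin for a blob; once fs-verity is enabled on that file, the kernel enforces the same tree page by page on every read.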
