Hi,

I use lxc-usernsexec to simulate root (and other users) for a non-root
user.

lxc-usernsexec -m b:0:100000:65536

That then chroots into an overlayfs mounted using fuse.

The lowerdir is a mounted squashfs, the upperdir is a regular directory.

squashfuse rootimg.sqfs lower
fuse-overlayfs -o lowerdir=lower,upperdir=upper,workdir=work mount

This is all working nicely, and much faster than extracting a tarfile to generate the lowerdir which is what I used to do.

But I have to jump through hoops to generate the lower sqfs.

If I generate it while running under lxc so outside it looks like root
owned files have owner 100000, to the generating process running under
lxc they have owner root(0). When using tar it automatically did the
necessary translations when extracting the archive back to the correct
lxc uid.

If I build the sqfs while inside lxc the sqfs gets the uid 0 for root
owned files. The files in mount/root, for example are then not readable when it's mounted later.

If I try to build it from outside lxc then I don't have permission to
read mount/root at all so the files don't make it into the sqfs.

I'm doing the following to ensure that the sqfs files have the correct ownership when I come to mount it:

for (( i = 0 ; i < 65536 ; i++ )); do echo "+$i +$(( i + 100000 ))"; done >mapfile
tar -C root --numeric-owner --owner-map=mapfile --group-map=mapfile --one-file-system -cf - . | tar2sqfs -q root.sqfs

This maps the 0-65535 uids that are seen inside lxc back to the
100000-165535 uids that are used outside of lxc so that the sqfs is an
accurate image of the original filesystem metadata.

overlayfs has an option to map uids which the man page suggests exists
for exactly this reason, but I cannot work out how to use it. I feel as
though I need the option on squashfuse.

It doesn't really matter to me, but one issue with my solution is that
the sqfs images aren't usable by a different user who has a different
uidmap because the uids in the sqfs are tied to the uidmap.

Is there a way to do what I'm trying to do without using tar (or
equivalent) to change the uids in the sqfs? I don't want to squash
everything down to a single user.

-o uidmapping/-o gidmapping for fuse-overlayfs aren't mentioned in the
-h help, only in the manpage, so perhaps there's an option to squashfuse
that isn't mentioned in either that I'm missing? Or perhaps there's a
way to get overlayfs to work if the root.sqfs has uid 0-65535.

Note that the whole point of all of this is so that nothing has to be
done as root. I use this for testing installs, building packages etc and
a rogue rm -fr /, for example, can't take out the whole system. So
solutions that involve doing steps as the real root user aren't
suitable.

Tim.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, 6 Apr 2024, Tim Woodall wrote:

Hi,

I use lxc-usernsexec to simulate root (and other users) for a non-root
user.

lxc-usernsexec -m b:0:100000:65536

That then chroots into an overlayfs mounted using fuse.

The lowerdir is a mounted squashfs, the upperdir is a regular directory.

squashfuse rootimg.sqfs lower
fuse-overlayfs -o lowerdir=lower,upperdir=upper,workdir=work mount

This is all working nicely, and much faster than extracting a tarfile to generate the lowerdir which is what I used to do.

But I have to jump through hoops to generate the lower sqfs.

Turns out there was something wrong with my testing. Not exactly sure
what I did wrong but provided you do the mounting inside the container
then it "just works". The hoops are only needed if you want to mount
outside the container.

Tim.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)