Add support for "container file systems"

[rgayon]

Ie: the case of Docker containers

Some pre-work exploring these in docker-explorer

[sydp]

@rgayon @joachimmetz As discussed oob, i can take a look at this (re-using docker explorer to add support in dfVFS)

[sydp]

When a file is "deleted" in a layer of the overlay, the driver sets the character device bit and the device number (st_dev) to 0,0.

"A whiteout is created as a character device with 0/0 device number" ref: https://www.kernel.org/doc/html/latest/filesystems/overlayfs.html

In the ExtFileEntry class, this bit looks to be masked out:

https://github.com/log2timeline/dfvfs/blob/4a84328e889a75612658d0a1217220f1187154ef/dfvfs/vfs/ext_file_entry.py#L134

In the StatAttribute class, support for the device number is under consideration:

https://github.com/log2timeline/dfvfs/blob/4a84328e889a75612658d0a1217220f1187154ef/dfvfs/vfs/attribute.py#L49

[joachimmetz]

@sydp you likely want to add it to https://github.com/log2timeline/dfvfs/blob/4a84328e889a75612658d0a1217220f1187154ef/dfvfs/vfs/ext_file_entry.py#L22

But you would need to check what the behavior on other file systems is and what functionality we would need

[sydp]

@sydp you likely want to add it to

https://github.com/log2timeline/dfvfs/blob/4a84328e889a75612658d0a1217220f1187154ef/dfvfs/vfs/ext_file_entry.py#L22

But you would need to check what the behavior on other file systems is and what functionality we would need

Ah great, thanks @joachimmetz.

I'll look into it - currently only have test data for EXT4.