
For kernels >= 5.11, switch the default value of --allow-trusted-xattr to false

ctalledo opened this issue 3 years ago · 0 comments

As described in Sysbox's documentation, by default sysbox-mgr allows all the *xattr() syscalls generated within a sysbox container to be intercepted and (some of them) partially emulated.

The goal is to work around a kernel limitation that prevented trusted.* xattributes from being set within a user namespace. This limitation has now been lifted with the introduction of the user.xattr.opaque xattributes in kernel 5.11+, along with the utilization of this attribute by dockerd (in v20.10.9+) for whiteout-handling purposes.

Taking the above into account, we should now modify sysbox-mgr’s default behavior to something like this:

- If kernel-version < 5.11, then set --allow-trusted-xattr=true as the default configuration.
- If kernel-version >= 5.11, then set --allow-trusted-xattr=false as the default configuration.

The above doesn’t address the scenario in which the user is relying on a 5.11+ kernel AND a dockerd-version < 20.10.9 within his/her containers, but this is something that we can always address by asking them to update the docker version in their inner images – definitely a better scenario than being hit by the performance penalties associated with the current default approach.

ctalledo · Sep 14 '22 23:09
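One way the kernel-version-dependent default proposed above could be computed, written as an added example rather than sysbox-mgr's own code; it assumes the release string comes from /proc/sys/kernel/osrelease and that the function and type names (parseKernelRelease, defaultAllowTrustedXattr) are hypothetical:

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// kernelVersion holds the major and minor numbers of a Linux release string.
type kernelVersion struct{ Major, Minor int }

// parseKernelRelease extracts major.minor from a `uname -r` style string such as
// "5.11.0-27-generic", "4.15.0-1234-aws" or "6.1.0-rc1"; everything after the
// minor number is ignored, and a minor suffix such as "11-rc3" keeps only "11".
func parseKernelRelease(rel string) (kernelVersion, error) {
	parts := strings.SplitN(rel, ".", 3)
	if len(parts) < 2 {
		return kernelVersion{}, fmt.Errorf("unexpected kernel release %q", rel)
	}
	major, err := strconv.Atoi(parts[0])
	if err != nil {
		return kernelVersion{}, fmt.Errorf("bad major version in %q: %v", rel, err)
	}
	i := 0
	for i < len(parts[1]) && parts[1][i] >= '0' && parts[1][i] <= '9' {
		i++
	}
	minor, err := strconv.Atoi(parts[1][:i])
	if err != nil {
		return kernelVersion{}, fmt.Errorf("bad minor version in %q: %v", rel, err)
	}
	return kernelVersion{Major: major, Minor: minor}, nil
}

// atLeast reports whether v is >= major.minor.
func (v kernelVersion) atLeast(major, minor int) bool {
	return v.Major > major || (v.Major == major && v.Minor >= minor)
}

// defaultAllowTrustedXattr implements the proposed default: trusted.* xattr
// interception stays enabled (true) only on kernels older than 5.11. If the
// release string cannot be parsed, it keeps today's conservative default (true).
func defaultAllowTrustedXattr(rel string) (bool, error) {
	v, err := parseKernelRelease(rel)
	if err != nil {
		return true, err
	}
	return !v.atLeast(5, 11), nil
}

func main() {
	raw, err := os.ReadFile("/proc/sys/kernel/osrelease") // the running kernel's release string
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read kernel release:", err)
		os.Exit(1)
	}
	rel := strings.TrimSpace(string(raw))
	allow, _ := defaultAllowTrustedXattr(rel)
	fmt.Printf("kernel %s -> --allow-trusted-xattr=%v\n", rel, allow)
}
```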