
Mounting an overlayfs dir into sysbox's container has nobody:nogroup permission

Open okhowang opened this issue 2 months ago • 0 comments

I'm running sysbox v0.6.7 with Docker.

# uname -a
Linux 150-95-142-223 6.8.0-79-generic #79-Ubuntu SMP PREEMPT_DYNAMIC Tue Aug 12 14:42:46 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
# docker version
Client: Docker Engine - Community
 Version:           28.4.0
 API version:       1.51
 Go version:        go1.24.7
 Git commit:        d8eb465
 Built:             Wed Sep  3 20:57:32 2025
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          28.4.0
  API version:      1.51 (minimum version 1.24)
  Go version:       go1.24.7
  Git commit:       249d679
  Built:            Wed Sep  3 20:57:32 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.27
  GitCommit:        05044ec0a9a75232cad458027ca83437aae3f4da
 runc:
  Version:          1.2.5
  GitCommit:        v1.2.5-0-g59923ef
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

When running docker run with a mount, if the mount dir is a normal dir it's OK, but if the mount dir is in overlayfs, the dir in the container will be nobody:nogroup and unwritable.

It looks like the same problem as #874.

# bash -x test.sh
+ mkdir -p merge lower work upper
+ echo 1
+ mount -t overlay overlay -o index=off,uuid=on,lowerdir=/root/t/lower,upperdir=/root/t/upper,workdir=/root/t/work /root/t/merge
+ docker run -it --rm -v /root/t/merge:/data --runtime sysbox-runc alpine sh -c 'ls -la /data; echo 2 > /data/data2'
total 12
drwxr-xr-x    1 nobody   nobody        4096 Oct 20 07:56 .
drwxr-xr-x    1 root     root          4096 Oct 20 07:56 ..
-rw-r--r--    1 nobody   nobody           2 Oct 20 07:56 data
sh: can't create /data/data2: Permission denied
+ umount merge

test.sh

#!/bin/bash
# Build a minimal overlayfs: one lower layer holding a file, plus upper and work dirs.
mkdir -p {merge,lower,work,upper}
echo 1 > lower/data

mount -t overlay overlay -o index=off,uuid=on,lowerdir=$PWD/lower,upperdir=$PWD/upper,workdir=$PWD/work $PWD/merge

# Bind-mount the overlay merge dir into a sysbox container, list it and try to write a file.
docker run -it --rm -v $PWD/merge:/data --runtime sysbox-runc alpine sh -c "ls -la /data; echo 2 > /data/data2"

umount merge

Output of sysbox-fs and sysbox-mgr:

time="2025-10-20 16:33:38" level=info msg="Starting sysbox-fs"
time="2025-10-20 16:33:38" level=info msg="Edition: Community Edition (CE)"
time="2025-10-20 16:33:38" level=info msg="Version: 0.6.7"
time="2025-10-20 16:33:38" level=info msg="Commit-ID: 6a8d71f54e7570e5297af89ff24ed3bafa61659f"
time="2025-10-20 16:33:38" level=info msg="Initializing with 'allow-immutable-remounts' knob disabled (default)"
time="2025-10-20 16:33:38" level=info msg="Initializing with 'allow-immutable-unmounts' knob enabled (default)"
time="2025-10-20 16:33:38" level=info msg="FUSE dir = /var/lib/sysboxfs"
time="2025-10-20 16:33:38" level=info msg="Host supports writes to /proc/sys/kernel/shm* from user-ns"
time="2025-10-20 16:33:38" level=info msg="IOvec memParser elected"
time="2025-10-20 16:33:38" level=info msg="Listening on /run/sysbox/sysfs.sock"
time="2025-10-20 16:33:38" level=info msg="Ready ..."
time="2025-10-20 16:33:37" level=info msg="Starting sysbox-mgr"
time="2025-10-20 16:33:37" level=info msg="Edition: Community Edition (CE)"
time="2025-10-20 16:33:37" level=info msg="Version: 0.6.7"
time="2025-10-20 16:33:37" level=info msg="Commit-ID: aaeff6c5dc70c137e62166474a309ca5fc42d044"
time="2025-10-20 16:33:37" level=info msg="Sysbox data root: /var/lib/sysbox"
time="2025-10-20 16:33:37" level=info msg="System container mode enabled."
time="2025-10-20 16:33:37" level=info msg="binfmt_misc namespacing supported by kernel; will auto mount it in containers."
time="2025-10-20 16:33:37" level=info msg="Shiftfs module found in kernel: no"
time="2025-10-20 16:33:37" level=info msg="Shiftfs works properly: no"
time="2025-10-20 16:33:37" level=info msg="Shiftfs-on-overlayfs works properly: no"
time="2025-10-20 16:33:37" level=info msg="ID-mapped mounts supported by kernel: yes"
time="2025-10-20 16:33:37" level=info msg="Overlayfs on ID-mapped mounts supported by kernel: yes"
time="2025-10-20 16:33:37" level=info msg="Operating in system container mode."
time="2025-10-20 16:33:37" level=info msg="Relaxed read-only mode disabled."
time="2025-10-20 16:33:37" level=info msg="Inner container image preloading enabled."
time="2025-10-20 16:33:37" level=info msg="Listening on /run/sysbox/sysmgr.sock"
time="2025-10-20 16:33:37" level=info msg="Ready ..."

okhowang avatar Oct 20 '25 07:10 okhowang