<div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:"courier new",monospace">Control: reassign -1 storage-common</div><div class="gmail_default" style="font-family:"courier new",monospace">Control: affects -1 podman</div><div class="gmail_default" style="font-family:"courier new",monospace"><br></div><div class="gmail_default" style="font-family:"courier new",monospace">Hi Philip,</div><div class="gmail_default" style="font-family:"courier new",monospace"><br></div><div class="gmail_default" style="font-family:"courier new",monospace">Thank you for your bug report.</div><div class="gmail_default" style="font-family:"courier new",monospace"><br></div><div class="gmail_default" style="font-family:"courier new",monospace">The Debian equivalent to Fedora's package 'containers-common' has the same name in debian, and does ship a 'storage.conf' file in /usr/share/containers/storage.conf. This is so that the local administrator can copy it to /etc/containers/storage.conf and do local modifications. The Debian package copies the storage.conf from the upstream source verbatim. As you can see at <a href="https://github.com/containers/storage/blob/375f77c66685b14fc580daad2dc6df607fb86dee/storage.conf#L95">https://github.com/containers/storage/blob/375f77c66685b14fc580daad2dc6df607fb86dee/storage.conf#L95</a>, the mount option 'metacopy=on' is missing even upstream.</div><div class="gmail_default" style="font-family:"courier new",monospace"><br></div><div class="gmail_default" style="font-family:"courier new",monospace">I am not sure why the Fedora package decided to patch the configuration file -- I couldn't find a comment in the .src.rpm that you linked. Also, looking at the kernel documentation you provided, it seems your concerns re: security are justified, and the option seems to have significant security implications:</div><div class="gmail_default" style="font-family:"courier new",monospace"><br></div></div></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:"courier new",monospace"><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">Do not use metacopy=on with untrusted upper/lower directories. Otherwise it is possible that an attacker can create a handcrafted file with appropriate REDIRECT and METACOPY xattrs, and gain access to file on lower pointed by REDIRECT. This should not be possible on local system as setting “trusted.” xattrs will require CAP_SYS_ADMIN. But it should be possible for untrusted layers like from a pen drive.</blockquote></div></div></div></blockquote><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:"courier new",monospace"><br class="gmail-Apple-interchange-newline"></div><div class="gmail_default" style="font-family:"courier new",monospace">I'm not sure whether enabling it by default is a good idea. I need to think more about this.</div><div class="gmail_default" style="font-family:"courier new",monospace"><br></div><div class="gmail_default" style="font-family:"courier new",monospace">I'd also appreciate hearing additional opinions on this, and have copied some friends from podman upstream. Do you happen to know what's the background / thinking in Fedora with enabling the option metacopy=on?</div><div class="gmail_default" style="font-family:"courier new",monospace"><br></div><div class="gmail_default" style="font-family:"courier new",monospace">Happy New Year!</div><div class="gmail_default" style="font-family:"courier new",monospace"><br></div><div class="gmail_default" style="font-family:"courier new",monospace">-rt</div><div class="gmail_default" style="font-family:"courier new",monospace"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Jan 2, 2022 at 9:51 AM Philip <<a href="mailto:philip@kellnerweg.de">philip@kellnerweg.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Package: podman<br>
Version: 3.0.1+dfsg1-3+b2<br>
Severity: wishlist<br>
<br>
Dear Maintainer,<br>
<br>
I had some problems running the dockerized version of the Unifi controller jacobalberty/unifi-docker<br>
with podman on Debian.<br>
On a Fedora system, starting the container only takes a few seconds.<br>
On a Debian system, it can take about 5 minutes.<br>
<br>
The reason is that on the Fedora system the mount-option metacopy=on<br>
(see [1] for this mount option) is set for the container overlayfs via a default /etc/containers/storage.conf.<br>
That makes quite the difference for this specific image because it does a<br>
`chown unifi:unifi /usr/lib/unifi` during startup.<br>
chown-ing these 6k files is fast with metacopy=on (on Fedora).<br>
Without the option (on Debian), I think the files will be copied instead of only their metadata, making it rather slow.<br>
<br>
So the solution for me was to copy /etc/containers/storage.conf from a<br>
Fedora system. If anyone has a similar problem, the file can be extracted from the<br>
src rpm of the containers-common package which can be downloaded at [2].<br>
<br>
IMO it would be useful if Debian would also include a default<br>
/etc/containers/storage.conf.<br>
Thanks for considering this!<br>
However I'm not sure if metacopy=on is a good idea from a security<br>
perspective.<br>
<br>
Best<br>
Philip<br>
<br>
-- System Information:<br>
Debian Release: 11.2<br>
APT prefers stable-updates<br>
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')<br>
Architecture: amd64 (x86_64)<br>
<br>
Kernel: Linux 5.10.0-10-amd64 (SMP w/2 CPU threads)<br>
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en<br>
Shell: /bin/sh linked to /usr/bin/dash<br>
Init: systemd (via /run/systemd/system)<br>
LSM: AppArmor: enabled<br>
<br>
Versions of packages podman depends on:<br>
ii conmon 2.0.25+ds1-1.1<br>
ii containernetworking-plugins 0.9.0-1+b6<br>
ii crun 0.17+dfsg-1<br>
ii golang-github-containers-common 0.33.4+ds1-1<br>
ii init-system-helpers 1.60<br>
ii iptables 1.8.7-1<br>
ii libc6 2.31-13+deb11u2<br>
ii libdevmapper1.02.1 2:1.02.175-2.1<br>
ii libgpgme11 1.14.0-1+b2<br>
ii libseccomp2 2.5.1-1+deb11u1<br>
<br>
Versions of packages podman recommends:<br>
ii buildah 1.19.6+dfsg1-1+b6<br>
ii catatonit 0.1.5-2<br>
ii fuse-overlayfs 1.4.0-1<br>
ii golang-github-containernetworking-plugin-dnsname 1.1.1+ds1-4+b7<br>
ii slirp4netns 1.0.1-2<br>
ii uidmap 1:4.8.1-1<br>
<br>
Versions of packages podman suggests:<br>
pn containers-storage <none><br>
pn docker-compose <none><br>
<br>
-- no debconf information<br>
<br>
<br>
[1]: <a href="https://www.kernel.org/doc/html/latest/filesystems/overlayfs.html#metadata-only-copy-up" rel="noreferrer" target="_blank">https://www.kernel.org/doc/html/latest/filesystems/overlayfs.html#metadata-only-copy-up</a><br>
[2]: <a href="https://kojipkgs.fedoraproject.org//packages/containers-common/1/32.fc35/src/containers-common-1-32.fc35.src.rpm" rel="noreferrer" target="_blank">https://kojipkgs.fedoraproject.org//packages/containers-common/1/32.fc35/src/containers-common-1-32.fc35.src.rpm</a><br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">regards,<br> Reinhard</div></div></div>