Kernel 5.11 introduced support for rootless overlayfs, but it is incompatible with SELinux.
fuse-overlayfs, on the other hand, is compatible with SELinux.
Close issue 42333
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
| ... | ... |
@@ -37,6 +37,16 @@ func ErrDTypeNotSupported(driver, backingFs string) error {
|
| 37 | 37 |
// checkMultipleLowers parameter enables check for multiple lowerdirs, |
| 38 | 38 |
// which is required for the overlay2 driver. |
| 39 | 39 |
func SupportsOverlay(d string, checkMultipleLowers bool) error {
|
| 40 |
+ // We can't rely on go-selinux.GetEnabled() to detect whether SELinux is enabled, |
|
| 41 |
+ // because RootlessKit doesn't mount /sys/fs/selinux in the child: https://github.com/rootless-containers/rootlesskit/issues/94 |
|
| 42 |
+ // So we check $_DOCKERD_ROOTLESS_SELINUX, which is set by dockerd-rootless.sh . |
|
| 43 |
+ if os.Getenv("_DOCKERD_ROOTLESS_SELINUX") == "1" {
|
|
| 44 |
+ // Kernel 5.11 introduced support for rootless overlayfs, but incompatible with SELinux, |
|
| 45 |
+ // so fallback to fuse-overlayfs. |
|
| 46 |
+ // https://github.com/moby/moby/issues/42333 |
|
| 47 |
+ return errors.New("overlay is not supported for Rootless with SELinux")
|
|
| 48 |
+ } |
|
| 49 |
+ |
|
| 40 | 50 |
td, err := ioutil.TempDir(d, "check-overlayfs-support") |
| 41 | 51 |
if err != nil {
|
| 42 | 52 |
return err |
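Review bot: The SELinux guard at the top of SupportsOverlay fails open, because it treats anything other than `_DOCKERD_ROOTLESS_SELINUX` being exactly `"1"` as "SELinux off". Per the added comment the variable is set only by dockerd-rootless.sh, so a rootless daemon started through another launcher on an SELinux host skips the check and continues to the TempDir probe; whether that probe catches the incompatibility is not visible in this hunk. The function's doc comment should state the contract, e.g. `// SupportsOverlay also returns an error when $_DOCKERD_ROOTLESS_SELINUX is "1" (rootless mode on an SELinux host).`, and the launcher dependency deserves a note for anyone packaging their own rootless start-up script. The body of SupportsOverlay continues past the end of the hunk.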