<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Overlayfs on *scratch*</title>
    <link>https://www.scrivano.org/tags/overlayfs/</link>
    <description>Recent content in Overlayfs on *scratch*</description>
    <generator>Hugo</generator>
    <language>en</language>
    <lastBuildDate>Sat, 06 Jun 2026 10:03:54 +0000</lastBuildDate>
    <atom:link href="https://www.scrivano.org/tags/overlayfs/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Disposable rootless sessions</title>
      <link>https://www.scrivano.org/2019/01/09/disposable-rootless-sessions/</link>
      <pubDate>Wed, 09 Jan 2019 22:01:08 +0000</pubDate>
      <guid>https://www.scrivano.org/2019/01/09/disposable-rootless-sessions/</guid>
      <description>&lt;p&gt;It would be nice to have a way to “fork” the current session and be able to revert all the changes done, without any leftover on the file system. With fuse-overlayfs, a user-space overlay filesystem that unprivileged users can mount, this turns out to be surprisingly straightforward: mount the entire root filesystem as the lower layer of an overlay, point the upper layer at a temporary directory, and every write is captured there and can be discarded at the end of the session, leaving the underlying system untouched.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Fuse-overlayfs moved to github.com/containers</title>
      <link>https://www.scrivano.org/2018/07/13/fuse-overlayfs-moved-to-github-com-containers/</link>
      <pubDate>Fri, 13 Jul 2018 22:00:59 +0000</pubDate>
      <guid>https://www.scrivano.org/2018/07/13/fuse-overlayfs-moved-to-github-com-containers/</guid>
      <description>&lt;p&gt;The fuse-overlayfs project I was working on in the last weeks was moved under the &lt;a href=&#34;https://github.com/containers&#34;&gt;github.com/containers&lt;/a&gt; umbrella. fuse-overlayfs is a user-space implementation of the overlay filesystem that can be mounted without root privileges, which is essential for rootless containers. With Linux 4.18 introducing the ability to mount FUSE filesystems inside user namespaces, this makes overlay-based storage finally usable by unprivileged container runtimes such as Podman.&lt;/p&gt;&#xA;&lt;p&gt;With Linux 4.18 it will be possible to mount a FUSE file system in a user namespace. fuse-overlayfs is an implementation in user space of the overlay file system already present in the Linux kernel, which can be mounted only by the root user. Union file systems have been around for a long time, allowing multiple layers to be stacked on top of each other, where usually the last one is the only writeable one.&lt;br&gt;&#xA;Overlay is a union file system widely used for mounting OCI images. Each OCI image is made up of different layers, and each layer can be used by different images. A list of layers stacked on each other gives the final image that is used by a container. The last level, which is writeable, is specific to the container. This model enables different containers to use the same image, which is accessible as read-only from the lower layers of the overlay file system.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Current status (and problems) of running Buildah as non root</title>
      <link>https://www.scrivano.org/2018/02/25/current-status-problems-running-buildah-non-root/</link>
      <pubDate>Sun, 25 Feb 2018 13:59:14 +0000</pubDate>
      <guid>https://www.scrivano.org/2018/02/25/current-status-problems-running-buildah-non-root/</guid>
      <description>&lt;p&gt;Having Buildah running in a user namespace opens the possibility of building container images as a non-root user. I’ve done some work to get &lt;a href=&#34;https://github.com/projectatomic/buildah&#34;&gt;Buildah&lt;/a&gt; running inside a user container, where it can still create and modify container images without any elevated privileges on the host. This is useful for CI environments and shared systems where granting root or setuid access is not acceptable.&lt;/p&gt;&#xA;&lt;p&gt;There are still some open issues to get it fully working. The biggest open one is that &lt;em&gt;overlayfs&lt;/em&gt; cannot currently be used by a non-root user. There is some work going on, but this will require changes in the kernel and the way extended attributes work for overlay. The alternative, far from ideal, is to use the &lt;em&gt;vfs&lt;/em&gt; storage driver, but it is a good starting point to get things moving and see how far we get. (Another possibility that doesn’t require changes in the kernel would be an OSTree storage for Buildah, but that is a different story.)&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
