Re: Replacing aufs with overlayfs
Hi Debian Kernel Team,

intrigeri (2014-12-11):
> Ben Hutchings wrote (09 Dec 2014 19:55:10 GMT) :
>> Please try the Linux 3.18 packages from experimental (they're not there
>> yet, but should be soon) and check that overlayfs does what you need.
>
> Thanks. I'll test it for Tails' use cases (that use aufs a bit more
> than most other live systems, e.g. our incremental upgrades feature
> uses it) once I find the time to.

It took us a while, but I'm happy to report that Tails has finally
migrated away from aufs! So as far as Tails is concerned, we don't need
the aufs "compat" patchset in src:linux anymore :)

In passing, so that I can call "case closed" some of the blockers that
were discussed later on this thread back in 2014-2015:

1. overlayfs stack depth upper limit vs. live-boot SquashFS stacking feature

   It turns out that was a misunderstanding: that upper limit applies to
   how many overlayfs filesystems can be part of a new overlayfs mount,
   rather than to how many read-only lower layers it's built from.

2. overlayfs vs. AppArmor

   It's still true that out-of-the-box, just like aufs, overlayfs does
   not play well with AppArmor. That's why apparmor.service turns itself
   into a no-op when it detects a Debian or Ubuntu Live system.

   To make them work together, one solution is to add a few AppArmor
   `alias` rules, and to add the `attach_disconnected` flag to every
   profile. For example:

   - https://salsa.debian.org/tails-team/tails/-/blob/master/config/chroot_local-includes/etc/apparmor.d/tunables/alias.d/tails
   - https://salsa.debian.org/tails-team/tails/-/blob/master/config/chroot_local-hooks/48-tweak-AppArmor-profiles
   - https://tails.boum.org/contribute/design/application_isolation/

Cheers!
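As an added example (not Tails' own hook or tunables file, which the links above point to), a shell script implementing the two measures described in item 2: an `alias` tunable mapping the overlay's backing mount points onto `/`, and a helper that adds `attach_disconnected` to every top-level profile header in an apparmor.d directory. The live-boot mount points it aliases and the `--apply` switch are assumptions.

```shell
#!/bin/sh
# Added example, not Tails' real hook: make path-based AppArmor profiles
# usable on a live system whose root is an overlayfs. The live-boot mount
# points used in the alias rules are assumptions.
set -eu

# 1. Alias rules. AppArmor may see a file under the path of its backing
#    layer (read-only SquashFS or writable upper dir) rather than under the
#    merged root; the aliases make rules written for "/..." match there too.
write_overlay_aliases() {
    dir="$1"
    mkdir -p "$dir/tunables/alias.d"
    cat > "$dir/tunables/alias.d/live-overlay" <<'EOF'
# Assumed live-boot mount points; adjust to the real layout of the system.
alias / -> /run/live/rootfs/filesystem.squashfs/,
alias / -> /run/live/overlay/rw/,
EOF
}

# 2. Add attach_disconnected to every top-level profile header, i.e. a line
#    starting in column 0 (not a comment) and ending with "{". Indented
#    hats and nested profiles are left alone; a second run is a no-op.
#    Caveat: the flag makes paths that are not connected to the namespace
#    root look as if attached at "/", so rules match slightly more widely.
add_attach_disconnected() {
    file="$1"
    tmp="$file.tmp.$$"
    sed \
        -e '/^[^#[:space:]].*attach_disconnected.*{ *$/b' \
        -e '/^[^#[:space:]].*flags=(.*{ *$/s/flags=(\([^)]*\))/flags=(\1,attach_disconnected)/' \
        -e '/^[^#[:space:]].*{ *$/{' \
        -e '/flags=(/!s/ *{ *$/ flags=(attach_disconnected) {/' \
        -e '}' \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# Apply both measures to every profile file in an apparmor.d directory.
tweak_all_profiles() {
    write_overlay_aliases "$1"
    for f in "$1"/*; do
        [ -f "$f" ] || continue   # skip tunables/, abstractions/, ...
        add_attach_disconnected "$f"
    done
}

# Only touch the real /etc/apparmor.d when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    tweak_all_profiles "${APPARMOR_D:-/etc/apparmor.d}"
fi
```

Run `tweak_all_profiles` against a copy of the profile directory first and reload with `apparmor_parser -r` only once the rewritten headers parse.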
Re: Replacing aufs with overlayfs
Hi,

maximilian attems wrote (12 Mar 2015 20:52:04 GMT) :
> Apparmor is not critical, hence it is not a regression blocker.

Sure, I didn't expect this to be a blocker. Thanks, anyway, for making
it clear :)

> Better check how it affects Selinux while you'd care about security!

Sorry, I have no experience with SELinux, and have personally chosen to
work on improving AppArmor support on Debian a few years ago, so I won't
be the one who takes care of SELinux vs. overlayfs.

Now, it may be that the way SELinux works (labelling files) has fewer
chances to be affected by overlayfs than a path-based MAC such as
AppArmor.

Cheers,
-- 
intrigeri

-- 
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/85h9tpxn41@boum.org
Re: Replacing aufs with overlayfs
Hi Ben,

[dropping -live@ from the Cc list, as this is not specific to Live
systems, and affects e.g. some setups based on Linux containers.]

Ben Hutchings wrote (09 Dec 2014 19:55:10 GMT) :
> Please try the Linux 3.18 packages from experimental (they're not there
> yet, but should be soon) and check that overlayfs does what you need.

FYI, at the upstream AppArmor IRC meeting a few days ago, I've learnt
that overlayfs and AppArmor don't play well together yet.

* Some IRC log excerpts that provide more detail:
  https://labs.riseup.net/code/issues/9045

* The AppArmor bug that tracks this issue:
  https://bugs.launchpad.net/apparmor/+bug/1408106

Cheers,
-- 
intrigeri

Archive: https://lists.debian.org/85a8zi1cxa@boum.org
Re: Replacing aufs with overlayfs
On Thu, Mar 12, 2015 at 03:57:21PM +0100, intrigeri wrote:
> [dropping -live@ from the Cc list, as this is not specific to Live
> systems, and affects e.g. some setups based on Linux containers.]
>
> Ben Hutchings wrote (09 Dec 2014 19:55:10 GMT) :
>> Please try the Linux 3.18 packages from experimental (they're not there
>> yet, but should be soon) and check that overlayfs does what you need.
>
> FYI, at the upstream AppArmor IRC meeting a few days ago, I've learnt
> that overlayfs and AppArmor don't play well together yet.
>
> * Some IRC log excerpts that provide more detail:
>   https://labs.riseup.net/code/issues/9045
>
> * The AppArmor bug that tracks this issue:
>   https://bugs.launchpad.net/apparmor/+bug/1408106

Apparmor is not critical, hence it is not a regression blocker.

btw 3.19 is out and soon you'll have 3.20. Plenty of time to fix such
thingies.

Better check how it affects Selinux while you'd care about security!

-- 
maks

Archive: https://lists.debian.org/20150312205204.GA7568@gluino
Re: Replacing aufs with overlayfs
Hi,

Ben Hutchings wrote (21 Dec 2014 23:20:15 GMT) :
> On Sun, 2014-12-21 at 21:53 +0100, intrigeri wrote:
>> 1. Due to overlayfs' stack depth limit of 2, until support for more
>>    than one read-only lower layer is completed, overlayfs breaks
>>    live-boot's SquashFS stacking feature; Tails automatic upgrades
>>    rely on this feature. The current overlayfs maintainer says it is
>>    the top feature request, and has been working on it recently
>>    (https://www.mail-archive.com/linux-unionfs@vger.kernel.org/msg00079.html).
>>    The code lives in
>>    git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs.git
>>    (branch overlayfs-next, currently).
>
> Should we expect this to be merged in Linux 3.20?

I'm not sure: A first formal pull request was sent recently:
http://news.gmane.org/find-root.php?message_id=20141209103745.GA32280%40tucsk.suse.de

The initial review by Al Viro revealed quite a few problems, that Miklos
Szeredi later says have been fixed (9 days ago). Nothing happened since
then.

>> Is it an option to get aufs back into the Debian kernel until #1 is
>> completed and reaches mainline? (I could understand that you want to
>> add a deadline if you make such a promise, of course :)
>
> I would rather apply the overlayfs patches to support multiple lower
> layers.

Works for me :)

Once Al Viro is happy with the current state of the code, I'll let you
know (I've just subscribed to linux-unionfs).

Cheers,
-- 
intrigeri

Archive: https://lists.debian.org/85egrsysi6@boum.org
Re: Replacing aufs with overlayfs
Hi,

intrigeri wrote (11 Dec 2014 13:13:43 GMT) :
> Ben Hutchings wrote (09 Dec 2014 19:55:10 GMT) :
>> Please try the Linux 3.18 packages from experimental (they're not there
>> yet, but should be soon) and check that overlayfs does what you need.
>
> Thanks. I'll test it for Tails' use cases (that use aufs a bit more
> than most other live systems, e.g. our incremental upgrades feature
> uses it) once I find the time to.

Here are the results of our preliminary investigations:

1. Due to overlayfs' stack depth limit of 2, until support for more than
   one read-only lower layer is completed, overlayfs breaks live-boot's
   SquashFS stacking feature; Tails automatic upgrades rely on this
   feature. The current overlayfs maintainer says it is the top feature
   request, and has been working on it recently
   (https://www.mail-archive.com/linux-unionfs@vger.kernel.org/msg00079.html).
   The code lives in
   git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs.git
   (branch overlayfs-next, currently).

   Later on the same thread, there are also patches
   (https://www.mail-archive.com/linux-unionfs@vger.kernel.org/msg00088.html)
   to make the stack depth limit configurable at runtime, but it was
   deemed risky by the overlayfs maintainer without more work to check
   that the stack will be safe.

   So, our best bet right now seems to wait for the >1 read-only lower
   layer feature.

2. Whiteout support *should* work when using SquashFS (for
   non-directories, using a char device; for directories, using a xattr
   to make them opaque). Not tested yet, though. We also rely on this
   feature for Tails automatic upgrades.

Is it an option to get aufs back into the Debian kernel until #1 is
completed and reaches mainline? (I could understand that you want to add
a deadline if you make such a promise, of course :)

Cheers,
-- 
intrigeri

Archive: https://lists.debian.org/85wq5k208r@boum.org
Re: Replacing aufs with overlayfs
On Sun, 2014-12-21 at 21:53 +0100, intrigeri wrote:
> Hi,
>
> intrigeri wrote (11 Dec 2014 13:13:43 GMT) :
>> Ben Hutchings wrote (09 Dec 2014 19:55:10 GMT) :
>>> Please try the Linux 3.18 packages from experimental (they're not there
>>> yet, but should be soon) and check that overlayfs does what you need.
>>
>> Thanks. I'll test it for Tails' use cases (that use aufs a bit more
>> than most other live systems, e.g. our incremental upgrades feature
>> uses it) once I find the time to.
>
> Here are the results of our preliminary investigations:
>
> 1. Due to overlayfs' stack depth limit of 2, until support for more than
>    one read-only lower layer is completed, overlayfs breaks live-boot's
>    SquashFS stacking feature; Tails automatic upgrades rely on this
>    feature. The current overlayfs maintainer says it is the top feature
>    request, and has been working on it recently
>    (https://www.mail-archive.com/linux-unionfs@vger.kernel.org/msg00079.html).
>    The code lives in
>    git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs.git
>    (branch overlayfs-next, currently).

Should we expect this to be merged in Linux 3.20?

>    Later on the same thread, there are also patches
>    (https://www.mail-archive.com/linux-unionfs@vger.kernel.org/msg00088.html)
>    to make the stack depth limit configurable at runtime, but it was
>    deemed risky by the overlayfs maintainer without more work to check
>    that the stack will be safe.
>
>    So, our best bet right now seems to wait for the >1 read-only lower
>    layer feature.
>
> 2. Whiteout support *should* work when using SquashFS (for
>    non-directories, using a char device; for directories, using a xattr
>    to make them opaque). Not tested yet, though. We also rely on this
>    feature for Tails automatic upgrades.
>
> Is it an option to get aufs back into the Debian kernel until #1 is
> completed and reaches mainline? (I could understand that you want to add
> a deadline if you make such a promise, of course :)

I would rather apply the overlayfs patches to support multiple lower
layers.

Ben.

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.
Re: Replacing aufs with overlayfs
On Sun, Dec 21, 2014 at 09:53:24PM +0100, intrigeri wrote:
> Is it an option to get aufs back into the Debian kernel until #1 is
> completed and reaches mainline? (I could understand that you want to
> add a deadline if you make such a promise, of course :)

no, there is no rush for the upcoming release, better work out the
needed use case one by one with proper upstream.

experimental and unstable (after release) are for development, use it!

thanks for your update.

-- 
maks

Archive: https://lists.debian.org/20141221234441.GA7845@gluino
Re: Replacing aufs with overlayfs
Hi,

Ben Hutchings wrote (09 Dec 2014 19:55:10 GMT) :
> Please try the Linux 3.18 packages from experimental (they're not there
> yet, but should be soon) and check that overlayfs does what you need.

Thanks. I'll test it for Tails' use cases (that use aufs a bit more than
most other live systems, e.g. our incremental upgrades feature uses it)
once I find the time to.

Cheers,
-- 
intrigeri

Archive: https://lists.debian.org/85oara5ny0@boum.org
Re: Replacing aufs with overlayfs
On 11 December 2014 at 14:13, intrigeri intrigeri+debian-l...@boum.org wrote:
> Hi,
>
> Ben Hutchings wrote (09 Dec 2014 19:55:10 GMT) :
>> Please try the Linux 3.18 packages from experimental (they're not there
>> yet, but should be soon) and check that overlayfs does what you need.
>
> Thanks. I'll test it for Tails' use cases (that use aufs a bit more
> than most other live systems, e.g. our incremental upgrades feature
> uses it) once I find the time to.

This might be interesting. Last time I looked at overlayfs it had a
hardcoded maximum number of stacked filesystems iirc.

Thanks
Michal

Archive: https://lists.debian.org/caomqctt6a9smcsbm2w2iptxyjhxlp156p2rek25ox-e0i6a...@mail.gmail.com
Replacing aufs with overlayfs
The overlayfs union filesystem was included in Linux 3.18. I am assuming
that this will cover the needs of Debian live systems, so I've dropped
aufs from the Debian packaging. This is currently for experimental only,
but you can expect this change to appear in unstable shortly after the
jessie release.

Please try the Linux 3.18 packages from experimental (they're not there
yet, but should be soon) and check that overlayfs does what you need.

Ben.

-- 
Ben Hutchings
Q. Which is the greater problem in the world today, ignorance or apathy?
A. I don't know and I couldn't care less.
Re: Replacing aufs with overlayfs
On 12/09/14 20:55, Ben Hutchings wrote:
> I am assuming that this will cover the needs of Debian live systems, so
> I've dropped aufs from the Debian packaging.

yes.

> you can expect this change to appear in unstable shortly after the
> jessie release.

great, looking forward to that.

-- 
Address:        Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email:          daniel.baum...@progress-technologies.net
Internet:       http://people.progress-technologies.net/~daniel.baumann/

Archive: https://lists.debian.org/54875d4a.6020...@progress-technologies.net
Re: Replacing aufs with overlayfs
Wow that will be a major change! I will be testing live persistence here
as soon as it is available! Thanks to both of you for your hard work in
all of this!

On Tue Dec 09 2014 at 1:54:21 PM Daniel Baumann
daniel.baum...@progress-technologies.net wrote:
> On 12/09/14 20:55, Ben Hutchings wrote:
>> I am assuming that this will cover the needs of Debian live systems, so
>> I've dropped aufs from the Debian packaging.
>
> yes.
>
>> you can expect this change to appear in unstable shortly after the
>> jessie release.
>
> great, looking forward to that.
>
> -- 
> Address:        Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
> Email:          daniel.baum...@progress-technologies.net
> Internet:       http://people.progress-technologies.net/~daniel.baumann/
>
> Archive: https://lists.debian.org/54875D4A.6020608@progress-technologies.net