Support --sif-fuse with --overlay in conjunction with kernel unprivileged overlay support. #1210

Open
@dtrudg

Description

In order to allow unprivileged overlay from images, following the pattern where --sif-fuse performs mounts prior to the invocation of the singularity runtime, we need to:

  • At the CLI app level, i.e. before starter is exec'd, identify any SIF images provided as overlay mount sources.
  • Mount these onto a temporary directory, using squashfuse or fuse2fs (depending on overlay partition type in the SIF file).
  • Instruct the engine to perform an unpriv overlay mount based on the fuse mounted dir, rather than the original image.
  • Clean up by unmounting the fuse mount when the container terminates.

Unfortunately, I think that we are blocked until tytso/e2fsprogs#124 is addressed. I was hoping this would have been reviewed / merged, but looks like we'll have to wait longer.

fuse2fs doesn't currently support mounting from an offset in a file, so we can't fuse mount an ext partition out of a SIF. Most overlays would be ext. A squashfs read-only overlay would be a rare thing. I doubt that supporting only that is really worthwhile?

Apptainer has a workaround for this blocker via an LD_PRELOAD - https://github.com/apptainer/apptainer/blob/main/tools/offsetpreload.c

I'm not particularly keen to build, bundle, and use an LD_PRELOAD here. Perhaps we'd consider it if it doesn't look like an offset patch will be merged, or we don't find an alternative?

We are still introducing the ability to use a directory overlay unprivileged in 3.11 - as long as the host kernel supports unprivileged overlay (we are not enabling fuse-overlayfs).
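The four steps in the issue description, as an added example (not SingularityCE's own code) of the planning the CLI would do before exec'ing starter: spot SIF overlay sources, decide how each can be fuse mounted, hand the engine the mounted directories instead of the images, and record the unmounts for cleanup. It is deliberately a planner that returns commands as data rather than running them. Assumptions: the SIF header layout (a 32-byte launch line followed by the `SIF_MAGIC` marker), squashfuse's `-o offset=` option for mounting a partition inside a larger file, and the `sifOverlay` type as a stand-in for the partition descriptors the real CLI would read with the SIF library. An ext partition inside a SIF is refused outright, because that is exactly the case the issue says is blocked on fuse2fs offset support.

```go
package main

import (
	"bytes"
	"fmt"
	"path/filepath"
)

// sifMagic follows the 32-byte launch line at the start of a SIF file
// (assumed layout; the real CLI would use the SIF library, not hand-parse).
var sifMagic = []byte("SIF_MAGIC")

// isSIF is step 1: tell a SIF overlay source apart from a plain directory or
// a raw image file by looking at the first bytes of the file.
func isSIF(head []byte) bool {
	end := 32 + len(sifMagic)
	return len(head) >= end && bytes.Equal(head[32:end], sifMagic)
}

// sifOverlay is a constructed stand-in for the descriptor of an overlay
// partition inside a SIF: which image, what filesystem, and where it starts.
type sifOverlay struct {
	Image  string // SIF path on the host
	FSType string // "squashfs" or "ext3"
	Offset int64  // byte offset of the partition inside the SIF
}

// fuseMount is one mount performed before starter is exec'd (step 2) and the
// command that undoes it when the container terminates (step 4).
type fuseMount struct {
	Mountpoint string
	Mount      []string
	Unmount    []string
}

// overlayPlan is what the CLI hands on: the fuse mounts to perform up front,
// the directories the engine should overlay instead of the images (step 3),
// and the cleanup commands in reverse mount order.
type overlayPlan struct {
	Mounts    []fuseMount
	LowerDirs []string
	Cleanup   [][]string
}

// planSIFOverlays builds the plan for steps 2 to 4. A partition inside a SIF
// always sits at a non-zero offset, and fuse2fs cannot mount from an offset
// (tytso/e2fsprogs#124), so only squashfs partitions can be fuse mounted
// today, read-only, via squashfuse's offset option (assumed).
func planSIFOverlays(parts []sifOverlay, tmpRoot string) (overlayPlan, error) {
	var plan overlayPlan
	for i, p := range parts {
		mp := filepath.Join(tmpRoot, fmt.Sprintf("overlay-%d", i))
		var cmd []string
		switch p.FSType {
		case "squashfs":
			cmd = []string{"squashfuse", "-o", fmt.Sprintf("ro,offset=%d", p.Offset), p.Image, mp}
		case "ext3":
			return overlayPlan{}, fmt.Errorf("%s: ext3 partition at offset %d: fuse2fs cannot mount from an offset (blocked on tytso/e2fsprogs#124)", p.Image, p.Offset)
		default:
			return overlayPlan{}, fmt.Errorf("%s: unsupported overlay partition type %q", p.Image, p.FSType)
		}
		plan.Mounts = append(plan.Mounts, fuseMount{Mountpoint: mp, Mount: cmd, Unmount: []string{"fusermount", "-u", mp}})
		plan.LowerDirs = append(plan.LowerDirs, mp)
	}
	// Unmount in reverse order so nothing is torn down while a later mount still depends on it.
	for i := len(plan.Mounts) - 1; i >= 0; i-- {
		plan.Cleanup = append(plan.Cleanup, plan.Mounts[i].Unmount)
	}
	return plan, nil
}

func main() {
	// Constructed input: one squashfs overlay partition at a made-up offset.
	plan, err := planSIFOverlays([]sifOverlay{{Image: "/tmp/overlay.sif", FSType: "squashfs", Offset: 32768}}, "/tmp/sif-fuse")
	if err != nil {
		fmt.Println("refused:", err)
		return
	}
	for _, m := range plan.Mounts {
		fmt.Println("mount:", m.Mount)
	}
	fmt.Println("lowerdirs for engine:", plan.LowerDirs)
	for _, c := range plan.Cleanup {
		fmt.Println("cleanup:", c)
	}
}
```

Swapping the constructed partition to `FSType: "ext3"` makes the planner refuse with the e2fsprogs#124 reason, which is the behaviour the issue wants surfaced at the CLI rather than as a cryptic mount failure inside the engine.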

Labels: maybe (Features / changes that may be implemented in future, depending on need & resources)