Using overlayfs in (unprivileged) namespace

Philipp Wendler ml at philippwendler.de
Mon Feb 15 12:30:15 UTC 2016


Dear Nikolay,

thank you for your answer.

On 15.02.2016 at 12:47, Nikolay Borisov wrote:
> On 02/15/2016 01:04 PM, Philipp Wendler wrote:

>> $ ./userns_child_exec -m -U -z bash
>>
>> Then execute the following commands:
>>
>> mkdir /tmp/namespace-overlay
>> cd /tmp/namespace-overlay
>> mkdir mount lower upper work
>> touch lower/test
>> mount -t overlayfs n -o lowerdir=lower,upperdir=upper,workdir=work mount
>> rm mount/test
>>
>> The last command gives:
>>> rm: cannot remove 'mount/test': Operation not permitted
>>
>> This fails even if /tmp does not have "nodev" set (with "nodev" it would
>> be expected to fail of course).
>> Interestingly, it even fails if I start userns_child_exec as root,
>> not sure why.
>> Outside namespaces everything works as expected.
> 
> Wouldn't using the device cgroup, with the respective major/minor numbers
> allowed, rectify the situation?

I am not sure how.
I have no special setup for the devices cgroup.
The file devices.list of the cgroup in which my process is contains
"a *:* rwm".
So I think the devices cgroup would already allow me to create that
device node, and I have no way to grant additional permissions with the
cgroup, right?
At least that is how I understand the documentation for the devices cgroup.

> Also, have you done any tracing trying to
> figure out where exactly this is failing? E.g. using ftrace?

Sorry, no, I don't know how to do this.
I have looked into ftrace now, but I didn't find a way to see which
function is responsible for letting the rm fail.
The kernel documentation on ftrace is quite overwhelming, so maybe I
have missed something.
Do you by chance have a more specific pointer to what would help me?

Greetings, Philipp
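As an added example (not part of this thread, and not code from either poster), here is a POSIX sh preflight check for the experiment above. It only rules out the two causes the thread mentions: it reads a mounts table in /proc/mounts format to find which filesystem hosts the target directory and whether that filesystem is mounted nodev (overlayfs records a deleted lower file as a character-device whiteout in the upper directory, so rm on the merged tree needs mknod to succeed there), and it reads a devices cgroup devices.list for the catch-all "a *:* rwm" rule. It does not explain the user-namespace failure Philipp reports. The sample mounts table and devices.list contents are constructed, and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight checks before trying overlayfs in a user namespace.
# Assumes /proc/mounts format (device mountpoint fstype options ...) and the
# devices cgroup v1 devices.list format ("a *:* rwm", "c 1:3 rw", ...).

# mount_point_for PATH MOUNTS_FILE
# Longest-prefix match: prints the mount point whose filesystem hosts PATH.
mount_point_for() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) best = mp
            }
        }
        END { print best }
    ' "$2"
}

# mount_has_opt MOUNTPOINT OPTION MOUNTS_FILE
# Prints "yes" if the entry for MOUNTPOINT carries OPTION (e.g. nodev), else "no".
mount_has_opt() {
    awk -v mp="$1" -v opt="$2" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == opt) { print "yes"; exit }
            print "no"; exit
        }
    ' "$3"
}

# devices_allow_mknod DEVICES_LIST_FILE
# Prints "yes" if a catch-all "a *:* ..." rule includes the m (mknod) bit.
# Simplification: per-device rules ("c 1:3 rwm") are not considered.
devices_allow_mknod() {
    awk '
        $1 == "a" && $2 == "*:*" && index($3, "m") > 0 { found = 1 }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

# overlay_preflight TARGET_DIR MOUNTS_FILE DEVICES_LIST_FILE
# Verdict: "nodev" if the hosting filesystem forbids device nodes (whiteouts
# could not be created), "no-mknod" if the devices cgroup lacks mknod, else "ok".
overlay_preflight() {
    mp=$(mount_point_for "$1" "$2")
    if [ "$(mount_has_opt "$mp" nodev "$2")" = yes ]; then echo nodev; return; fi
    if [ "$(devices_allow_mknod "$3")" = no ]; then echo no-mknod; return; fi
    echo ok
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_MOUNTS=$(mktemp)
SAMPLE_DEVICES_OPEN=$(mktemp)
SAMPLE_DEVICES_RESTRICTED=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS" "$SAMPLE_DEVICES_OPEN" "$SAMPLE_DEVICES_RESTRICTED"' EXIT

cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
EOF

printf 'a *:* rwm\n' > "$SAMPLE_DEVICES_OPEN"
printf 'c 1:3 rw\nc 1:5 rw\n' > "$SAMPLE_DEVICES_RESTRICTED"

# Usage: the /tmp case from the thread, with a nodev tmpfs, is reported as "nodev".
overlay_preflight /tmp/namespace-overlay "$SAMPLE_MOUNTS" "$SAMPLE_DEVICES_OPEN"
```

To run it against a live machine, pass /proc/mounts and the devices.list of your own cgroup (found via /proc/self/cgroup) instead of the sample files; a verdict of "ok" only means these two preconditions hold, not that the mount will work inside an unprivileged user namespace.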


More information about the Containers mailing list