{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":284554383,"defaultBranch":"master","name":"sysbox-mgr","ownerLogin":"nestybox","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2020-08-02T22:42:49.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/48161898?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1715203216.0","currentOid":""},"activityList":{"items":[{"before":"c6635f7b8b3a5fc389f8b4a7b8ddbc52e6dda895","after":"334232f51210c5027e4031744f7a94ac4767e9d0","ref":"refs/heads/master","pushedAt":"2024-06-03T05:24:45.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"go mod tidy.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"go mod tidy."}},{"before":"faeaa69db408a92064b9f0f7d9857e96d64d9bdb","after":"c6635f7b8b3a5fc389f8b4a7b8ddbc52e6dda895","ref":"refs/heads/master","pushedAt":"2024-05-24T00:43:13.000Z","pushType":"push","commitsCount":4,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"go mod tidy.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"go mod tidy."}},{"before":"61505ebc485f0c19c5881a90d08fdf92a8d8e09a","after":null,"ref":"refs/heads/pkg-dep-upgrade","pushedAt":"2024-05-08T21:20:16.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"}},{"before":"03f5d7bc584fdcb2319b2c1831bd58581185fc1c","after":"faeaa69db408a92064b9f0f7d9857e96d64d9bdb","ref":"refs/heads/master","pushedAt":"2024-05-08T21:20:13.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ctalledo","name":"Cesar 
Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Upgrade a couple of package dependencies.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Upgrade a couple of package dependencies."}},{"before":null,"after":"61505ebc485f0c19c5881a90d08fdf92a8d8e09a","ref":"refs/heads/pkg-dep-upgrade","pushedAt":"2024-05-08T21:19:59.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Upgrade a couple of package dependencies.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Upgrade a couple of package dependencies."}},{"before":"15b18452426f20a36d981cfecce329ba5ce64325","after":null,"ref":"refs/heads/allow-trusted-xattr","pushedAt":"2024-01-08T18:25:05.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"}},{"before":"a5e6399fe610be649e0326803f04c38be847d5a8","after":"03f5d7bc584fdcb2319b2c1831bd58581185fc1c","ref":"refs/heads/master","pushedAt":"2024-01-08T18:25:00.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Disable trusted xattr syscalls inside Sysbox containers by default.\n\nPrior to this commit, Sysbox allowed trusted xattr* syscalls inside Sysbox\ncontainers by default (e.g., setfattr -n trusted.overlay.opaque -v \"y\" ).\n\nWith this commit, Sysbox will disallow xattr* syscalls inside Sysbox\ncontainers by default. 
Users can always revert to the prior behavior\nby either passing the \"SYSBOX_ALLOW_TRUSTED_XATTR=TRUE\" environment\nvariable to a container (e.g., docker run -e SYSBOX_ALLOW_TRUSTED_XATTR=TRUE ...),\nor by passing the --allow-trusted-xattr flag in sysbox-mgr.\n\nRationale for this change:\n\nAllowing trusted xattr* syscalls inside (unprivileged) Sysbox containers used to\nbe useful to run older versions of Docker engine inside the container (Docker <\n20.10.9). That's because older versions of Docker would set the\ntrusted.overlay.opaque extended file attribute when setting up the container's\nfilesystem. However, supporting this required Sysbox to intercept xattr*\nsyscalls, which often had a heavy negative impact on performance.\n\nStarting with Docker engine 20.10.9, Docker now uses the \"user.overlay.opaque\"\nextended file attribute (rather than the \"trusted.overlay.opaque\" attribute) to\nset up the container's filesystem inside unprivileged containers such as Sysbox\ncontainers. Therefore, Sysbox no longer needs to intercept xattr* syscalls to\nrun Docker engine inside Sysbox containers, and performance can be improved.\n\nNote that other apps that run inside Sysbox containers may still use \"trusted.*\"\nextended file attributes. 
For those apps to run properly, users will now need to\nconfigure Sysbox to trap xattr syscalls, as described above.\n\nBut such apps are the exception rather than the rule, so it makes sense for\nSysbox to not allow xattr syscalls by default (to improve performance) and\nlet users configure Sysbox to trap such syscalls for containers that actually\nneed it.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Disable trusted xattr syscalls inside Sysbox containers by default."}},{"before":null,"after":"15b18452426f20a36d981cfecce329ba5ce64325","ref":"refs/heads/allow-trusted-xattr","pushedAt":"2024-01-01T23:46:07.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Disable trusted xattr syscalls inside Sysbox containers by default.\n\nPrior to this commit, Sysbox allowed trusted xattr* syscalls inside Sysbox\ncontainers by default (e.g., setfattr -n trusted.overlay.opaque -v \"y\" ).\n\nWith this commit, Sysbox will disallow xattr* syscalls inside Sysbox\ncontainers by default. Users can always revert to the prior behavior\nby either passing the \"SYSBOX_ALLOW_TRUSTED_XATTR=TRUE\" environment\nvariable to a container (e.g., docker run -e SYSBOX_ALLOW_TRUSTED_XATTR=TRUE ...),\nor by passing the --allow-trusted-xattr flag in sysbox-mgr.\n\nRationale for this change:\n\nAllowing trusted xattr* syscalls inside (unprivileged) Sysbox containers used to\nbe useful to run older versions of Docker engine inside the container (Docker <\n20.10.9). That's because older versions of Docker would set the\ntrusted.overlay.opaque extended file attribute when setting up the container's\nfilesystem. 
However, supporting this required Sysbox to intercept xattr*\nsyscalls, which often had a heavy negative impact on performance.\n\nStarting with Docker engine 20.10.9, Docker now uses the \"user.overlay.opaque\"\nextended file attribute (rather than the \"trusted.overlay.opaque\" attribute) to\nset up the container's filesystem inside unprivileged containers such as Sysbox\ncontainers. Therefore, Sysbox no longer needs to intercept xattr* syscalls to\nrun Docker engine inside Sysbox containers, and performance can be improved.\n\nNote that other apps that run inside Sysbox containers may still use \"trusted.*\"\nextended file attributes. For those apps to run properly, users will now need to\nconfigure Sysbox to trap xattr syscalls, as described above.\n\nBut such apps are the exception rather than the rule, so it makes sense for\nSysbox to not allow xattr syscalls by default (to improve performance) and\nlet users configure Sysbox to trap such syscalls for containers that actually\nneed it.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Disable trusted xattr syscalls inside Sysbox containers by default."}},{"before":"f3b4f63b35c1e1dcc0f1f5a9f0e5a6e64b552a66","after":"a5e6399fe610be649e0326803f04c38be847d5a8","ref":"refs/heads/master","pushedAt":"2023-11-20T00:27:10.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Update go.mod and go.sum files.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Update go.mod and go.sum files."}},{"before":"d3156f745060becbbf20899f803eca54a0fe9da6","after":null,"ref":"refs/heads/ee-to-ce-sync","pushedAt":"2023-11-20T00:22:45.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"ctalledo","name":"Cesar 
Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"}},{"before":"4b5fb1def9abe6a256cfe62bacaf2a7d333d81d2","after":"f3b4f63b35c1e1dcc0f1f5a9f0e5a6e64b552a66","ref":"refs/heads/master","pushedAt":"2023-11-20T00:22:42.000Z","pushType":"pr_merge","commitsCount":3,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"More fixes in host kernel header mounting.\n\nWhen parsing the list of host kernel headers to be mounted into Sysbox\ncontainers (typically under /usr/src), the sysbox-mgr finds the headers in the\nhost and follows any symlinks, and then tries to determine the lowest common\npath (lcp) for bind-mounting the headers (so as to avoid creating too many\nbind-mounts into the Sysbox container).\n\nThe computation of the lcp was not handling properly the scenario\nwhen the kernel headers are located in different directories under\n/usr/src/.\n\nFor example, in the scenario where a host has this kernel header config:\n\n/usr/src/linux-headers-6.2.0-35-generic/block -> ../linux-hwe-6.2-headers-6.2.0-35/block\n/usr/src/linux-headers-6.2.0-35-generic/certs -> ../linux-hwe-6.2-headers-6.2.0-35/certs\n...\n/usr/src/linux-headers-6.2.0-35-generic/rust -> ../linux-hwe-6.2-lib-rust-6.2.0-35-generic/rust\n\nthe sysbox-mgr was computing the lcp as \"/usr/src\" and trying to bind-mount that\ndirectory into the Sysbox container. That's because when following the symlinks,\nthe \"*rust*\" headers were not under \"/usr/src/linux-hwe-6.2-headers-6.2.0-35\"\nbut rather under \"/usr/src/linux-hwe-6.2-lib-rust-6.2.0-35-generic/rust\", so the\nlowest common path is \"/usr/src/\".\n\nBut this is not ideal since \"/usr/src\" contains other stuff that we don't want\nto mount into the container. 
What we really want is to create two bind mounts,\none for \"/usr/src/linux-hwe-6.2-headers-6.2.0-35\" and another for\n\"/usr/src/linux-hwe-6.2-lib-rust-6.2.0-35-generic/rust\".\n\nThis commit fixes this. It does so by modifying function CreateMountSpec() in\nutils.go to find the first-level subdirs under \"/usr/src\", and then for each\nsuch subdir, find the lcp among its lower-level directories.\n\nFYI: I caught this problem while running:\n\n$ docker run --runtime=sysbox-runc -it --rm ghcr.io/nestybox/fedora:31\n\non my Ubuntu Jammy host in which the kernel headers for rust were in a\ndifferent directory (but still under /usr/src) than the rest of the headers.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"More fixes in host kernel header mounting."}},{"before":null,"after":"d3156f745060becbbf20899f803eca54a0fe9da6","ref":"refs/heads/ee-to-ce-sync","pushedAt":"2023-11-18T23:20:01.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"More fixes in host kernel header mounting.\n\nWhen parsing the list of host kernel headers to be mounted into Sysbox\ncontainers (typically under /usr/src), the sysbox-mgr finds the headers in the\nhost and follows any symlinks, and then tries to determine the lowest common\npath (lcp) for bind-mounting the headers (so as to avoid creating too many\nbind-mounts into the Sysbox container).\n\nThe computation of the lcp was not handling properly the scenario\nwhen the kernel headers are located in different directories under\n/usr/src/.\n\nFor example, in the scenario where a host has this kernel header config:\n\n/usr/src/linux-headers-6.2.0-35-generic/block -> ../linux-hwe-6.2-headers-6.2.0-35/block\n/usr/src/linux-headers-6.2.0-35-generic/certs -> ../linux-hwe-6.2-headers-6.2.0-35/certs\n...\n/usr/src/linux-headers-6.2.0-35-generic/rust -> 
../linux-hwe-6.2-lib-rust-6.2.0-35-generic/rust\n\nthe sysbox-mgr was computing the lcp as \"/usr/src\" and trying to bind-mount that\ndirectory into the Sysbox container. That's because when following the symlinks,\nthe \"*rust*\" headers were not under \"/usr/src/linux-hwe-6.2-headers-6.2.0-35\"\nbut rather under \"/usr/src/linux-hwe-6.2-lib-rust-6.2.0-35-generic/rust\", so the\nlowest common path is \"/usr/src/\".\n\nBut this is not ideal since \"/usr/src\" contains other stuff that we don't want\nto mount into the container. What we really want is to create two bind mounts,\none for \"/usr/src/linux-hwe-6.2-headers-6.2.0-35\" and another for\n\"/usr/src/linux-hwe-6.2-lib-rust-6.2.0-35-generic/rust\".\n\nThis commit fixes this. It does so by modifying function CreateMountSpec() in\nutils.go to find the first-level subdirs under \"/usr/src\", and then for each\nsuch subdir, find the lcp among its lower-level directories.\n\nFYI: I caught this problem while running:\n\n$ docker run --runtime=sysbox-runc -it --rm ghcr.io/nestybox/fedora:31\n\non my Ubuntu Jammy host in which the kernel headers for rust were in a\ndifferent directory (but still under /usr/src) than the rest of the headers.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"More fixes in host kernel header mounting."}},{"before":"5b247dcfa67155613ffd003b8d31dc25a0eb3dcf","after":null,"ref":"refs/heads/rootfs-monitor-fix","pushedAt":"2023-06-09T17:05:37.817Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"}},{"before":"5213e539f1f0f12f75648b9bd047b2797a049187","after":"4b5fb1def9abe6a256cfe62bacaf2a7d333d81d2","ref":"refs/heads/master","pushedAt":"2023-06-09T17:05:33.888Z","pushType":"pr_merge","commitsCount":4,"pusher":{"login":"ctalledo","name":"Cesar 
Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Increase rootfs monitor polling from 1ms to 50ms.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Increase rootfs monitor polling from 1ms to 50ms."}},{"before":"0e77205812e90e9da0daacef4d83a10b98e4ccc6","after":"5b247dcfa67155613ffd003b8d31dc25a0eb3dcf","ref":"refs/heads/rootfs-monitor-fix","pushedAt":"2023-06-03T20:04:09.456Z","pushType":"push","commitsCount":1,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Increase rootfs monitor polling from 1ms to 50ms.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Increase rootfs monitor polling from 1ms to 50ms."}},{"before":"41bf8d69ebb221c8778a3dda75664cd6b2a4eacd","after":"0e77205812e90e9da0daacef4d83a10b98e4ccc6","ref":"refs/heads/rootfs-monitor-fix","pushedAt":"2023-05-26T18:58:00.814Z","pushType":"push","commitsCount":1,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Fix rootfs ID-mapping bug exposed by docker -w.\n\nNOTE: for context, refer to the corresponding commit in sysbox-runc.\n\nIn this commit, we adjust sysbox-mgr to track the fact that sysbox-runc\nmay chown the container's rootfs overlay upper layer. 
This way,\nsysbox-mgr can revert that chown during container stop or pause,\nand re-instate it during container resume (sysbox-runc only\ndoes the chown during container create).\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Fix rootfs ID-mapping bug exposed by docker -w."}},{"before":"4669f5e3735845db3d6ca5f6b5469782f1e4932f","after":"41bf8d69ebb221c8778a3dda75664cd6b2a4eacd","ref":"refs/heads/rootfs-monitor-fix","pushedAt":"2023-05-24T23:24:39.201Z","pushType":"push","commitsCount":1,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Reduce effect of disable-inner-image-preload flag.\n\nPrior to this change, the disable-inner-image-preload flag was not only\ndisabling the preloading of inner container images into system containers, but\nalso running of system containers that come with preloaded images.\n\nThe latter creates an incompatibility issue as it causes Sysbox to be unable to\nrun existing system containers that come with preloaded inner images.\n\nThis commit removes this incompatibility. That is, when\n\"--disable-inner-image-preload\" is set to true, a user won't be able to use\n\"docker commit\" or \"docker build\" to preload inner container images into a\nSysbox container. 
However, the user will continue to be able to run existing\nSysbox container images that come preloaded with inner containers (e.g.,\nnestybox/k8s-node images).\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Reduce effect of disable-inner-image-preload flag."}},{"before":"38e7f3c696d39ea17d07e3d962f74442aa0f3752","after":"4669f5e3735845db3d6ca5f6b5469782f1e4932f","ref":"refs/heads/rootfs-monitor-fix","pushedAt":"2023-05-24T22:58:41.076Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Replace the rootfs monitor implementation.\n\nThe prior implementation used fsnotify, but was failing to detect rootfs removal\nevents. Replace it with our own custom implementation based on simple polling.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Replace the rootfs monitor implementation."}},{"before":null,"after":"38e7f3c696d39ea17d07e3d962f74442aa0f3752","ref":"refs/heads/rootfs-monitor-fix","pushedAt":"2023-05-22T05:32:36.664Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Replace the rootfs monitor implementation.\n\nThe prior implementation used fsnotify, but was failing to detect rootfs removal\nevents. 
Replace it with our own custom implementation based on simple polling.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Replace the rootfs monitor implementation."}},{"before":"a6065090abd3afd6e0ace5ba87d8272f474202d1","after":null,"ref":"refs/heads/shiftfs-precheck-fix","pushedAt":"2023-05-05T00:49:03.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"}},{"before":"12c1d52e12c61a631c61a6be20b43c71f14c6641","after":"5213e539f1f0f12f75648b9bd047b2797a049187","ref":"refs/heads/master","pushedAt":"2023-05-05T00:49:00.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Ensure permissions of /var/lib/sysbox are restored if precheck fails.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Ensure permissions of /var/lib/sysbox are restored if precheck fails."}},{"before":"572d64756068b65690d854a3a8711743f355bc2d","after":"a6065090abd3afd6e0ace5ba87d8272f474202d1","ref":"refs/heads/shiftfs-precheck-fix","pushedAt":"2023-05-05T00:07:36.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Ensure permissions of /var/lib/sysbox are restored if precheck fails.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Ensure permissions of /var/lib/sysbox are restored if precheck fails."}},{"before":null,"after":"572d64756068b65690d854a3a8711743f355bc2d","ref":"refs/heads/shiftfs-precheck-fix","pushedAt":"2023-05-04T05:53:06.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ctalledo","name":"Cesar 
Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Fix bug in shiftfs and ID-mapping precheck.\n\nWhen sysbox-mgr starts, it checks if shiftfs and ID-mapping work on the host. It\ndoes this by spawning a child process into a Linux user-namespace, and\nhaving the child create a temporary dir under /var/lib/sysbox, and then use it\nto mount shiftfs or ID-mapped mounts.\n\nThe bug is that /var/lib/sysbox is set up by Sysbox with 0710 permissions, and\nthis prevents the child process from performing the test correctly in some\nhosts. The fix is to modify the permissions to 0755 temporarily during the\nshiftfs/ID-mapping precheck, and then back to 0710 once the check completes.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Fix bug in shiftfs and ID-mapping precheck."}},{"before":"ee0af89d8c7b8f2363db050d5cf19d3917b0fdc4","after":"12c1d52e12c61a631c61a6be20b43c71f14c6641","ref":"refs/heads/master","pushedAt":"2023-04-28T12:24:25.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Add --disable-shiftfs-precheck flag to sysbox-mgr.\n\nSome Sysbox users have reported that the sysbox-mgr's preflight shiftfs\nfunctional check does not always work properly.\n\nThis commit adds a sysbox-mgr command line flag called\n\"--disable-shiftfs-precheck\" which causes Sysbox to skip the preflight check.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Add --disable-shiftfs-precheck flag to sysbox-mgr."}},{"before":"ba99c0e7088f1e1ab51f95551f50de9524176655","after":"ee0af89d8c7b8f2363db050d5cf19d3917b0fdc4","ref":"refs/heads/master","pushedAt":"2023-04-25T17:46:08.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"ctalledo","name":"Cesar 
Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Improve debug logs for container pause/resume.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Improve debug logs for container pause/resume."}},{"before":"f7d6d7a35f08b242466cff1970a1c2436eda9405","after":null,"ref":"refs/heads/ct-dev","pushedAt":"2023-03-22T21:29:19.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"}},{"before":"7752a2845af0e47d36828a547c9deebf0a46ba1a","after":"ba99c0e7088f1e1ab51f95551f50de9524176655","ref":"refs/heads/master","pushedAt":"2023-03-22T21:29:14.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Fix bug in chown of sysbox's implicit mounts.\n\nThe prior code was not handling correctly the chown of Sysbox's implicit\ncontainer mounts (e.g., /var/lib/docker, /var/lib/kubelet, etc) during container\nstop/restart and pause/resume, across the different combinations of ID-mapping,\nshiftfs, rootfs cloning, and docker userns-remap.\n\nThis commit, together with a corresponding one in sysbox-runc, fixes this.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Fix bug in chown of sysbox's implicit mounts."}},{"before":null,"after":"f7d6d7a35f08b242466cff1970a1c2436eda9405","ref":"refs/heads/ct-dev","pushedAt":"2023-03-22T05:14:11.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Fix bug in chown of sysbox's implicit mounts.\n\nThe prior code was not handling correctly the chown of Sysbox's implicit\ncontainer mounts 
(e.g., /var/lib/docker, /var/lib/kubelet, etc) during container\nstop/restart and pause/resume, across the different combinations of ID-mapping,\nshiftfs, rootfs cloning, and docker userns-remap.\n\nThis commit, together with a corresponding one in sysbox-runc, fixes this.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Fix bug in chown of sysbox's implicit mounts."}},{"before":"3624759754d3811070e8318cffaca02642293134","after":null,"ref":"refs/heads/issue-570","pushedAt":"2023-03-17T19:34:52.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"}},{"before":"81961f39ce0d70e633c9099c95d9b1647a16388f","after":"7752a2845af0e47d36828a547c9deebf0a46ba1a","ref":"refs/heads/master","pushedAt":"2023-03-17T19:34:49.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"ctalledo","name":"Cesar Talledo","path":"/ctalledo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12879624?s=80&v=4"},"commit":{"message":"Simplify rootfs cloning to prevent inode leakage.\n\nNOTE: This commit fixes the inode leakage reported in Sysbox issue 570\nbut has the undesired effect that \"docker build\" or \"docker commits\" with sysbox\nas the default runtime will not work on hosts with kernel < 5.19 and without\nshiftfs. If the host has kernel 5.19+ or uses shiftfs, then everything works\nas usual.\n\nDescription:\n\nPer Sysbox issue 570 (https://github.com/nestybox/sysbox/issues/570), creation\nof sysbox containers on hosts with kernel < 5.19 and without shiftfs results in\ninode leakage.\n\nThat is, when the container is created, inodes are consumed; when the container\nis later destroyed, those inodes are not returned back to host.\n\nThe problem appears to be a kernel or overlayfs issue triggered by Sysbox's\nrootfs cloning code in sysbox-mgr. 
The rootfs cloning code was creating two\nstacked overlayfs mounts, where the \"merged\" dir of the bottom mount was used as\na lower layer of the top mount. This served two purposes:\n\n* Bottom mount: it was a clone of the container's rootfs overlay mount, but with\n metacopy=on. This allowed sysbox to chown the container's rootfs very quickly\n on container startup and revert the chown on stop.\n\n* Top mount: it used the bottom mount's \"merged\" dir as a lower layer, and acted\n as the container's actual rootfs. This way the container would see the effect\n of the chown in the bottom mount. In addition, the top mount has metacopy=off,\n such that its \"diff\" dir would track changes to the container's filesystem at\n runtime, thereby making container image commit operations (e.g., docker build\n and docker commit) work well.\n\nUnfortunately, the overlayfs stacking causes inode leakage when the container\nstops. It's not clear why, but it appears that the kernel or overlayfs is not\nreleasing the inodes for the bottom mount when the container stops, even though\nno processes exist in the container and sysbox tears down the top and bottom\nmounts (i.e., no processes are using the stacked overlayfs mounts). The inodes\nassociated with the bottom mount become \"orphaned inodes\", which consume storage\nand only get cleaned up upon the host's reboot.\n\nTo work-around the inode leakage problem, this commit gets rid of the overlayfs\nmount stacking, and keeps the bottom mount only. 
This fixes the inode leakage,\nbut has the UNDESIRED EFFECT THAT \"DOCKER BUILD\" OR \"DOCKER COMMITS\" WITH SYSBOX\nAS THE DEFAULT RUNTIME WILL NOT WORK on hosts with kernel < 5.19 and without\nshiftfs.\n\nThough this is not ideal, it's certainly more important to close the inode\nleakage as that problem occurs when running Sysbox containers and can eventually\nresult in \"out of space\" issues on the host.\n\nSigned-off-by: Cesar Talledo ","shortMessageHtmlLink":"Simplify rootfs cloning to prevent inode leakage."}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEWo0ABgA","startCursor":null,"endCursor":null}},"title":"Activity · nestybox/sysbox-mgr"}