Mounting an overlayfs dir into a sysbox container gives nobody:nogroup permissions #968

@okhowang

Description

I'm running sysbox v0.6.7 with Docker.

# uname -a
Linux 150-95-142-223 6.8.0-79-generic #79-Ubuntu SMP PREEMPT_DYNAMIC Tue Aug 12 14:42:46 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
# docker version
Client: Docker Engine - Community
 Version:           28.4.0
 API version:       1.51
 Go version:        go1.24.7
 Git commit:        d8eb465
 Built:             Wed Sep  3 20:57:32 2025
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          28.4.0
  API version:      1.51 (minimum version 1.24)
  Go version:       go1.24.7
  Git commit:       249d679
  Built:            Wed Sep  3 20:57:32 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.27
  GitCommit:        05044ec0a9a75232cad458027ca83437aae3f4da
 runc:
  Version:          1.2.5
  GitCommit:        v1.2.5-0-g59923ef
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

When running docker run with a mount, if the mount dir is a normal dir, it's OK.
But if the mount dir is on overlayfs, the dir in the container will be nobody:nogroup and unwritable.

It looks like the same problem as #874.

# bash -x test.sh
+ mkdir -p merge lower work upper
+ echo 1
+ mount -t overlay overlay -o index=off,uuid=on,lowerdir=/root/t/lower,upperdir=/root/t/upper,workdir=/root/t/work /root/t/merge
+ docker run -it --rm -v /root/t/merge:/data --runtime sysbox-runc alpine sh -c 'ls -la /data; echo 2 > /data/data2'
total 12
drwxr-xr-x    1 nobody   nobody        4096 Oct 20 07:56 .
drwxr-xr-x    1 root     root          4096 Oct 20 07:56 ..
-rw-r--r--    1 nobody   nobody           2 Oct 20 07:56 data
sh: can't create /data/data2: Permission denied
+ umount merge

test.sh:

#!/bin/sh
# Build a minimal overlay: one file in the lower layer, empty upper/work dirs.
mkdir -p {merge,lower,work,upper}
echo 1 > lower/data

mount -t overlay overlay -o index=off,uuid=on,lowerdir=$PWD/lower,upperdir=$PWD/upper,workdir=$PWD/work $PWD/merge

# Bind-mount the merged view into a sysbox container, list it and try to write.
docker run -it --rm -v $PWD/merge:/data --runtime sysbox-runc alpine sh -c "ls -la /data; echo 2 > /data/data2"

umount merge

Output of sysbox-fs and sysbox-mgr:

time="2025-10-20 16:33:38" level=info msg="Starting sysbox-fs"
time="2025-10-20 16:33:38" level=info msg="Edition: Community Edition (CE)"
time="2025-10-20 16:33:38" level=info msg="Version: 0.6.7"
time="2025-10-20 16:33:38" level=info msg="Commit-ID: 6a8d71f54e7570e5297af89ff24ed3bafa61659f"
time="2025-10-20 16:33:38" level=info msg="Initializing with 'allow-immutable-remounts' knob disabled (default)"
time="2025-10-20 16:33:38" level=info msg="Initializing with 'allow-immutable-unmounts' knob enabled (default)"
time="2025-10-20 16:33:38" level=info msg="FUSE dir = /var/lib/sysboxfs"
time="2025-10-20 16:33:38" level=info msg="Host supports writes to /proc/sys/kernel/shm* from user-ns"
time="2025-10-20 16:33:38" level=info msg="IOvec memParser elected"
time="2025-10-20 16:33:38" level=info msg="Listening on /run/sysbox/sysfs.sock"
time="2025-10-20 16:33:38" level=info msg="Ready ..."
time="2025-10-20 16:33:37" level=info msg="Starting sysbox-mgr"
time="2025-10-20 16:33:37" level=info msg="Edition: Community Edition (CE)"
time="2025-10-20 16:33:37" level=info msg="Version: 0.6.7"
time="2025-10-20 16:33:37" level=info msg="Commit-ID: aaeff6c5dc70c137e62166474a309ca5fc42d044"
time="2025-10-20 16:33:37" level=info msg="Sysbox data root: /var/lib/sysbox"
time="2025-10-20 16:33:37" level=info msg="System container mode enabled."
time="2025-10-20 16:33:37" level=info msg="binfmt_misc namespacing supported by kernel; will auto mount it in containers."
time="2025-10-20 16:33:37" level=info msg="Shiftfs module found in kernel: no"
time="2025-10-20 16:33:37" level=info msg="Shiftfs works properly: no"
time="2025-10-20 16:33:37" level=info msg="Shiftfs-on-overlayfs works properly: no"
time="2025-10-20 16:33:37" level=info msg="ID-mapped mounts supported by kernel: yes"
time="2025-10-20 16:33:37" level=info msg="Overlayfs on ID-mapped mounts supported by kernel: yes"
time="2025-10-20 16:33:37" level=info msg="Operating in system container mode."
time="2025-10-20 16:33:37" level=info msg="Relaxed read-only mode disabled."
time="2025-10-20 16:33:37" level=info msg="Inner container image preloading enabled."
time="2025-10-20 16:33:37" level=info msg="Listening on /run/sysbox/sysmgr.sock"
time="2025-10-20 16:33:37" level=info msg="Ready ..."
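The reproduction above hinges on one property of the bind-mount source: whether the host directory is itself an overlayfs mount. The following diagnostic is an added example, not code from the issue reporter or from the sysbox project. It parses /proc/self/mountinfo to find the mount backing a path and reports its filesystem type and superblock options, so a practitioner can tell before `docker run -v ... --runtime sysbox-runc` whether the source is overlay-backed (the case this issue shows ending up as nobody:nobody). The embedded mountinfo sample is constructed to mirror the reporter's /root/t layout and is not real output from their host; drop the second argument to inspect the live host instead.

```shell
#!/bin/sh
# Added diagnostic (not from the issue or the sysbox project): which mount backs
# a directory that is about to be bind-mounted into a sysbox container?

# Constructed /proc/self/mountinfo sample mirroring the reproduction's layout
# (/root/t/merge is an overlay over /root/t/lower with upper /root/t/upper).
# Not real output from the reporter's host.
SAMPLE_MOUNTINFO='22 29 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
29 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
123 29 0:60 / /root/t/merge rw,relatime shared:70 - overlay overlay rw,lowerdir=/root/t/lower,upperdir=/root/t/upper,workdir=/root/t/work,index=off,uuid=on'

# backing_fs PATH [MOUNTINFO]
# Prints "<fstype> <mountpoint> <superblock options>" for the longest mount
# point that is a prefix of PATH. MOUNTINFO defaults to the live
# /proc/self/mountinfo; passing it explicitly keeps the check testable offline.
backing_fs() {
  path=$1
  info=${2:-$(cat /proc/self/mountinfo)}
  printf '%s\n' "$info" | awk -v p="$path" '
    {
      mp = $5
      # Fields after the " - " separator: fstype, mount source, super options.
      # Optional fields (shared:N, master:N, ...) may precede the separator,
      # so scan for it instead of assuming a fixed column.
      fstype = ""; sopts = ""
      for (i = 7; i <= NF; i++)
        if ($i == "-") { fstype = $(i + 1); sopts = $(i + 3); break }
      # Does this mount point contain PATH? "/" contains everything.
      if (p == mp || mp == "/" || index(p, mp "/") == 1) {
        if (length(mp) > length(best)) {
          best = mp; bfs = fstype; bopts = sopts
        }
      }
    }
    END { print bfs, best, bopts }'
}

# is_overlay_backed PATH [MOUNTINFO]: exit status 0 when PATH lives on overlayfs.
is_overlay_backed() {
  fs=$(backing_fs "$1" "$2" | cut -d' ' -f1)
  [ "$fs" = "overlay" ]
}

# check_bind_source PATH [MOUNTINFO]: one-line verdict to run before
# `docker run -v PATH:/data --runtime sysbox-runc ...`.
check_bind_source() {
  if is_overlay_backed "$1" "$2"; then
    printf '%s: overlay-backed (%s); sysbox has to ID-map over overlayfs here, see the sysbox-mgr line "Overlayfs on ID-mapped mounts supported by kernel"\n' \
      "$1" "$(backing_fs "$1" "$2")"
  else
    printf '%s: not overlay-backed (%s)\n' "$1" "$(backing_fs "$1" "$2" | cut -d' ' -f1)"
  fi
}

# Demonstration on the constructed sample.
check_bind_source /root/t/merge "$SAMPLE_MOUNTINFO"
check_bind_source /root/t/lower "$SAMPLE_MOUNTINFO"
```

The longest-prefix rule matters because the merged overlay is mounted on top of an ext4 root: matching only the first mount that contains the path would report ext4 for /root/t/merge and miss exactly the case reported here.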
