| author | 2026-05-29 11:18:13 +0100 |
|---|---|
| committer | 2026-05-29 11:18:13 +0100 |
| commit | 1ab5e40fc75e293b87f645fc2de08e0a0fe3d50f (patch) |
| tree | b3e5c39fcbcf2a95e1df5b3cf05ac1f150ca6b3a /meta |
| parent | 88e152d3fe8174f1a2ba338714ceba1cb73ffa40 (diff) |
| download | dotfiles-1ab5e40fc75e293b87f645fc2de08e0a0fe3d50f.tar.gz dotfiles-1ab5e40fc75e293b87f645fc2de08e0a0fe3d50f.tar.bz2 dotfiles-1ab5e40fc75e293b87f645fc2de08e0a0fe3d50f.zip |
fix(hardened): restore podman compatibility on linux-hardened
Two breakages observed on first linux-hardened boot:
1. `podman run` failed because linux-hardened sets
kernel.unprivileged_userns_clone=0 by default (stock linux: 1).
Rootless podman requires unprivileged user namespaces. Restoring
the stock-kernel default via sysctl — this is a documented hardened
knob meant to be flipped back if you actually use rootless
containers. No-op on stock kernel.
2. "kernel does not support overlay fs: 'overlay' is not supported over
btrfs". Kernel overlayfs cannot use a btrfs subvolume as lowerdir;
podman needs fuse-overlayfs as the user-mode shim. ~10-30% slower
I/O than native overlay but works correctly and is the upstream
recommendation for btrfs-backed rootless storage.
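The two fixes the commit message describes, written out as an added example that is not code from this dotfiles repository: a POSIX shell script that writes the sysctl drop-in for `kernel.unprivileged_userns_clone`, pins `fuse-overlayfs` as the rootless mount program in `storage.conf`, and checks both the kernel knob and the storage driver `podman` actually selected. The drop-in file name, the scratch-tree arguments, and the parsing of `podman info` YAML output are assumptions of this example; so is the caveat that a store which already fell back to `vfs` keeps that driver until it is recreated.

```shell
#!/bin/sh
# Added example, not code from the dotfiles repo: apply and verify the two
# rootless-podman preconditions on linux-hardened. Every function takes a
# root directory so the same code can be dry-run against a scratch tree;
# file names and the scratch layout are assumptions of this example.
set -eu

# 1. linux-hardened defaults kernel.unprivileged_userns_clone to 0; rootless
#    podman needs 1. Write a sysctl.d drop-in under "$1" (use / for real).
write_userns_sysctl() {
    dir="${1%/}/etc/sysctl.d"
    f="$dir/99-rootless-containers.conf"
    mkdir -p "$dir"
    printf 'kernel.unprivileged_userns_clone = 1\n' > "$f"
    echo "$f"
}

# 2. Pin fuse-overlayfs as the rootless mount program under "$1" (use $HOME
#    for real) instead of relying on containers-storage to auto-detect it.
write_storage_conf() {
    dir="${1%/}/.config/containers"
    f="$dir/storage.conf"
    mkdir -p "$dir"
    cat > "$f" <<'EOF'
[storage]
driver = "overlay"

[storage.options.overlay]
mount_program = "/usr/bin/fuse-overlayfs"
EOF
    echo "$f"
}

# True when unprivileged user namespaces are enabled in the /proc tree under
# "$1". A stock kernel without the hardened knob has no such file and allows them.
userns_enabled() {
    f="${1%/}/proc/sys/kernel/unprivileged_userns_clone"
    [ -e "$f" ] || return 0
    [ "$(cat "$f")" = "1" ]
}

# Read `podman info` YAML on stdin and fail on the unusable vfs fallback.
storage_driver_ok() {
    driver=$(awk '/^ *graphDriverName:/ { print $2; exit }')
    [ "$driver" = "overlay" ] && return 0
    echo "storage driver is '${driver:-unknown}', expected overlay" >&2
    return 1
}

# Dry run against a scratch tree so the script is safe to execute as-is.
# For the real system: write_userns_sysctl / ; sysctl --system ;
# write_storage_conf "$HOME" ; then `podman system reset` only if an existing
# store already fell back to vfs (the driver is not migrated in place).
SCRATCH=$(mktemp -d)
echo "sysctl drop-in: $(write_userns_sysctl "$SCRATCH")"
echo "storage.conf:   $(write_storage_conf "$SCRATCH")"
mkdir -p "$SCRATCH/proc/sys/kernel"
echo 0 > "$SCRATCH/proc/sys/kernel/unprivileged_userns_clone"   # hardened default
if userns_enabled "$SCRATCH"; then
    echo "userns: enabled"
else
    echo "userns: disabled (hardened default, podman run will fail)"
fi
if command -v podman >/dev/null 2>&1; then
    podman info 2>/dev/null | storage_driver_ok && echo "storage driver: overlay"
fi
rm -rf "$SCRATCH"
```

`storage_driver_ok` reads the default YAML of `podman info`; the same check can be done more directly with `podman info --format '{{.Store.GraphDriverName}}'`. The dry run only touches a temporary directory; pass `/` and `$HOME` to the two writer functions to apply the change for real, then reload with `sysctl --system`.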
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/base.txt | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/meta/base.txt b/meta/base.txt index 1f7cdd8..1cb96dc 100644 --- a/meta/base.txt +++ b/meta/base.txt @@ -75,6 +75,10 @@ nix perf # links against running kernel ABI; must match kernel pkg podman-compose podman-docker +fuse-overlayfs # podman rootless storage driver on btrfs (kernel overlayfs + # doesn't support btrfs as a lower dir; podman falls back to + # vfs which is unusable). ~10-30% slower than native overlay + # but unavoidable as long as ~/.local/share/containers is on btrfs. # --- sound --- alsa-utils |
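Review bot: the `+fuse-overlayfs` entry only installs the binary; nothing in this hunk makes podman use it, so the comment's claim that it replaces the vfs fallback rests on containers-storage auto-detecting fuse-overlayfs in PATH at first use. Two caveats belong next to that comment: a user store that already fell back to vfs keeps that driver until it is recreated (`podman system reset`, or removing ~/.local/share/containers), and the selected driver should be verified with `podman info --format '{{.Store.GraphDriverName}}'` (expect `overlay`) rather than assumed. Pinning `mount_program = "/usr/bin/fuse-overlayfs"` under `[storage.options.overlay]` in ~/.config/containers/storage.conf would make the intent explicit in the dotfiles instead of implicit in package presence. The "~10-30% slower than native overlay" figure carries no source; either point at the measurement or drop the number from the package comment.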
