atomfs

atomfs is a tool that can mount OCI images built in the squashfs format as a read-only overlayfs filesystem that can be used by a container runtime.

For OCI-squashfs images that were created with dm-verity data appended, which stacker does by default, atomfs mounts each individual squashfs layer using dm-verity before constructing the final overlayfs stack. This ensures the integrity of the contents of the image when mounted, and the use of squashfs removes the window of time between tar extraction and image mounting during which an image could be tampered with.
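To make the integrity property concrete, here is an added example (not atomfs or stacker code) that models the dm-verity hash tree the kernel checks on every block read: a simplified version-1-style tree, SHA-256 over salt||block with 4096-byte blocks and the superblock omitted, built over a constructed sample image with a made-up salt. It shows why pinning a root hash is enough: flipping one bit in one block breaks the chain from that block's leaf hash up to the root.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

const (
	blockSize = 4096        // veritysetup's default data and hash block size
	hashSize  = sha256.Size // SHA-256, also the default
)

// HashTree is a simplified model of a dm-verity hash tree (format version 1
// style: SHA-256 over salt||block, superblock omitted). Levels[0] holds one
// hash per data block, each higher level hashes the blocks of the level below,
// and Root hashes the single top-level block; Root is the value a verifier pins.
type HashTree struct {
	Salt       []byte
	DataBlocks int
	Levels     [][]byte // each level zero-padded to a whole number of blocks
	Root       []byte
}

func hashBlock(salt, block []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), block...))
	return sum[:]
}

// padToBlocks returns a copy of buf zero-padded to a whole number of blocks;
// an empty buffer becomes one zero block.
func padToBlocks(buf []byte) []byte {
	n := (len(buf) + blockSize - 1) / blockSize
	if n == 0 {
		n = 1
	}
	out := make([]byte, n*blockSize)
	copy(out, buf)
	return out
}

// hashLevel hashes every block of in and returns the concatenated hashes.
func hashLevel(salt, in []byte) []byte {
	in = padToBlocks(in)
	out := make([]byte, 0, len(in)/blockSize*hashSize)
	for off := 0; off < len(in); off += blockSize {
		out = append(out, hashBlock(salt, in[off:off+blockSize])...)
	}
	return out
}

// BuildTree computes the hash tree and root hash of image under salt.
func BuildTree(image, salt []byte) *HashTree {
	t := &HashTree{Salt: salt, DataBlocks: len(padToBlocks(image)) / blockSize}
	level := hashLevel(salt, image)
	for {
		level = padToBlocks(level)
		t.Levels = append(t.Levels, level)
		if len(level) == blockSize {
			break
		}
		level = hashLevel(salt, level)
	}
	t.Root = hashBlock(salt, level)
	return t
}

// VerifyBlock checks data block idx of image against the tree, walking from
// its leaf hash up to the pinned root the way the kernel does on every read.
func VerifyBlock(t *HashTree, image []byte, idx int) bool {
	start := idx * blockSize
	if idx < 0 || idx >= t.DataBlocks || start >= len(image) {
		return false
	}
	end := start + blockSize
	if end > len(image) {
		end = len(image)
	}
	want := hashBlock(t.Salt, padToBlocks(image[start:end]))
	for _, hashes := range t.Levels {
		off := idx * hashSize
		if !bytes.Equal(hashes[off:off+hashSize], want) {
			return false
		}
		idx = off / blockSize // the hash block holding this entry is checked by the next level
		want = hashBlock(t.Salt, hashes[idx*blockSize:(idx+1)*blockSize])
	}
	return bytes.Equal(want, t.Root)
}

func main() {
	// Constructed sample image: 200 full blocks plus a partial last block.
	image := make([]byte, 200*blockSize+17)
	for i := range image {
		image[i] = byte(i*7 + 3 + i/blockSize)
	}
	tree := BuildTree(image, []byte("constructed-salt")) // salt is made up, not from a real image
	fmt.Printf("levels=%d root=%x\n", len(tree.Levels), tree.Root)
	tampered := append([]byte(nil), image...)
	tampered[150*blockSize+5] ^= 0x01 // one flipped bit in block 150
	fmt.Println("clean:", VerifyBlock(tree, image, 150), "tampered:", VerifyBlock(tree, tampered, 150))
}
```

The real on-disk format adds a superblock and lets veritysetup choose the hash offset and algorithm, but the verification walk is the same: a mounted layer whose root hash does not match what was pinned at build time fails on the first read of a modified block rather than silently serving it.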

atomfs library

Please find the atomfs library documentation at godoc.

atomfs binary

This can be used to mount an OCI+squashfs image. If you are host root, then squashfs will be mounted by the kernel. If you are container root but not host root, then squashfuse will be used.

Example:

atomfs mount containers/oci:minbase:latest mnt
atomfs umount mnt

Longer example:

$ lxc-usernsexec -s
$ atomfs mount zothub:busybox-squashfs dest
$ ls dest
bin  dev  etc  home  lib  lib64  root  tmp  usr  var
$ atomfs umount dest
$ mkdir upper
$ atomfs mount --upper=./upper zothub:busybox-squashfs dest
$ ls dest
bin  dev  etc  home  lib  lib64  root  tmp  usr  var
$ touch dest/ab
$ atomfs umount dest
$ ls upper/
ab

Implementation details

We create $mountpoint/meta and pass that to atomfs as the Metadatapath. We do the readonly atomfs molecule mount onto $metadir/ro. Then, if a readonly mount is requested, $metadir/ro is bind mounted onto $mountpoint. Otherwise, we create $metadir/work and $metadir/upper, and use these to do a rw overlay mount of $metadir/ro onto $mountpoint.
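The following is an added example, not atomfs's own code, that lays out the directory tree and mount calls described above as a dry-run plan: $mountpoint/meta as the metadata directory, the read-only stack on $metadir/ro, and then either a read-only bind onto $mountpoint or a read-write overlay using $metadir/upper and $metadir/work. It assumes the read-only stack is an overlay of the already-mounted squashfs layer directories (a bind mount when there is only one layer, since overlayfs refuses a single lowerdir without an upperdir); `PlanMount`, `Render` and `MountStep` are names chosen here. It escapes the ':' and ',' delimiters in lowerdir paths, the check a mount-assembling tool needs so that a path can never be parsed as an extra layer or option, and it performs no mounts itself.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// MountStep is one mount(2) call the plan would issue, written with mount(8)
// option names so the plan reads like its shell equivalent.
type MountStep struct {
	Source, Target, FSType string
	Options                []string
}

// Plan is the directory layout to create and the mounts to perform, in order.
type Plan struct {
	Dirs  []string
	Steps []MountStep
}

// escapeOverlayPath escapes the characters overlayfs uses as delimiters: ','
// separates mount options and ':' separates lowerdir entries (the kernel
// accepts a backslash before either, and before a literal backslash). Without
// this, a layer path containing ':' would be parsed as two lower layers.
func escapeOverlayPath(p string) string {
	return strings.NewReplacer(`\`, `\\`, `:`, `\:`, `,`, `\,`).Replace(p)
}

// PlanMount builds the tree described in the README: $mountpoint/meta holds the
// metadata, the read-only layer stack is assembled on $metadir/ro, and the
// final mount onto $mountpoint is a read-only bind of $metadir/ro or a
// read-write overlay with $metadir/upper and $metadir/work. layers are the
// already-mounted squashfs directories, top-most first, which is overlayfs's
// lowerdir order (the first entry wins on conflicting paths).
func PlanMount(mountpoint string, layers []string, readonly bool) (*Plan, error) {
	if len(layers) == 0 {
		return nil, fmt.Errorf("no layers to mount")
	}
	metadir := filepath.Join(mountpoint, "meta")
	rodir := filepath.Join(metadir, "ro")
	lower := make([]string, len(layers))
	for i, l := range layers {
		lower[i] = escapeOverlayPath(l)
	}
	stack := MountStep{Source: "overlay", Target: rodir, FSType: "overlay",
		Options: []string{"ro", "lowerdir=" + strings.Join(lower, ":")}}
	if len(layers) == 1 {
		// overlayfs rejects one lowerdir with no upperdir, so bind-mount the only layer
		stack = MountStep{Source: layers[0], Target: rodir, Options: []string{"bind"}}
	}
	p := &Plan{Dirs: []string{metadir, rodir}, Steps: []MountStep{stack}}
	if readonly {
		// A read-only bind mount takes two calls: the bind itself, then a
		// remount adding ro (mount(8) does the same behind "-o bind,ro").
		p.Steps = append(p.Steps,
			MountStep{Source: rodir, Target: mountpoint, Options: []string{"bind"}},
			MountStep{Source: rodir, Target: mountpoint, Options: []string{"remount", "bind", "ro"}})
		return p, nil
	}
	upper, work := filepath.Join(metadir, "upper"), filepath.Join(metadir, "work")
	p.Dirs = append(p.Dirs, upper, work)
	p.Steps = append(p.Steps, MountStep{Source: "overlay", Target: mountpoint, FSType: "overlay",
		Options: []string{
			"lowerdir=" + escapeOverlayPath(rodir),
			"upperdir=" + escapeOverlayPath(upper),
			"workdir=" + escapeOverlayPath(work),
		}})
	return p, nil
}

// Render prints the plan as the equivalent mkdir and mount(8) commands.
func Render(p *Plan) string {
	var b strings.Builder
	for _, d := range p.Dirs {
		fmt.Fprintf(&b, "mkdir -p %s\n", d)
	}
	for _, s := range p.Steps {
		fs := ""
		if s.FSType != "" {
			fs = " -t " + s.FSType
		}
		fmt.Fprintf(&b, "mount%s -o %s %s %s\n", fs, strings.Join(s.Options, ","), s.Source, s.Target)
	}
	return b.String()
}

func main() {
	// Constructed example: two per-layer mounts under dest/mounts (the location
	// the umount note below refers to), stacked read-write onto ./dest.
	p, err := PlanMount("dest", []string{"dest/mounts/layer1", "dest/mounts/layer0"}, false)
	if err != nil {
		panic(err)
	}
	fmt.Print(Render(p))
}
```

Because the final overlay is mounted onto $mountpoint itself, everything under $mountpoint/meta is hidden from view once the mount is up; the kernel keeps the upper and work directories referenced through the mount, which is why tearing down with plain umount leaves the per-layer mounts behind.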

Note that if you simply call umount on the mountpoint instead of atomfs umount, you will be left with all the individual squashfs mounts under dest/mounts/*/.

Note that you do need to be root in your namespace in order to do the final bind or overlay mount. (We could avoid this by using fuse-overlay, but creating a namespace seems tidier overall.)