Phala-Network · kvinwang · Mar 4, 2026
diff --git a/meta-dstack/recipes-kernel/linux/files/0002-overlayfs-enable-idmapped-mounts.patch b/meta-dstack/recipes-kernel/linux/files/0002-overlayfs-enable-idmapped-mounts.patch
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kevin Wang <kvin@phala.network>
+Date: Tue, 4 Mar 2026 00:00:00 +0000
+Subject: [PATCH] overlayfs: add FS_ALLOW_IDMAP to enable idmapped mounts
+
+Overlayfs already has comprehensive support for idmapped mounts through
+its handling of idmapped layers (since 5.19), but it is missing the
+FS_ALLOW_IDMAP flag on ovl_fs_type.  Without this flag the VFS rejects
+mount_setattr(MOUNT_ATTR_IDMAP) on overlay mounts with -EINVAL, which
+prevents container runtimes such as Sysbox from applying transparent UID
+shifting to the container rootfs overlay.
+
+Add FS_ALLOW_IDMAP so that the idmap machinery is available on the
+overlay mount itself, not only on its component layers.
+
+Upstream-Status: Submitted [https://lkml.org/lkml/2025/8/15/1218]
+Signed-off-by: Kevin Wang <kvin@phala.network>
+---
+ fs/overlayfs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index 1a530c5a4e02..b7d8e5c91234 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -1484,7 +1484,7 @@ struct file_system_type ovl_fs_type = {
+ 	.name			= "overlay",
+ 	.init_fs_context	= ovl_init_fs_context,
+ 	.parameters		= ovl_parameter_spec,
+-	.fs_flags		= FS_USERNS_MOUNT,
++	.fs_flags		= FS_USERNS_MOUNT | FS_ALLOW_IDMAP,
+ 	.kill_sb		= kill_anon_super,
+ };
+ MODULE_ALIAS_FS("overlay");
+--
+2.46.0
diff --git a/meta-dstack/recipes-kernel/linux/linux-custom_6.17.6.bb b/meta-dstack/recipes-kernel/linux/linux-custom_6.17.6.bb
@@ -16,6 +16,7 @@ DEPENDS += "libyaml-native openssl-native util-linux-native elfutils-native"
 SRC_URI = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${PV}.tar.xz;downloadfilename=linux-${PV}.tar.xz \
            file://defconfig \
            file://0001-x86-tdx-select-dma-direct-remap.patch \
+           file://0002-overlayfs-enable-idmapped-mounts.patch \
 "
 
 SRC_URI[sha256sum] = "8ecfbc6b693448abb46144a8d04d1e1631639c7661c1088425a2e5406f13c69c"

diff --git a/meta-dstack/recipes-kernel/linux/linux-custom_6.18.7.bb b/meta-dstack/recipes-kernel/linux/linux-custom_6.18.7.bb
@@ -16,6 +16,7 @@ DEPENDS += "libyaml-native openssl-native util-linux-native elfutils-native"
 SRC_URI = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${PV}.tar.xz;downloadfilename=linux-${PV}.tar.xz \
            file://defconfig \
            file://0001-x86-tdx-select-dma-direct-remap.patch \
+           file://0002-overlayfs-enable-idmapped-mounts.patch \
 "
 
 SRC_URI[sha256sum] = "b726a4d15cf9ae06219b56d87820776e34d89fbc137e55fb54a9b9c3015b8f1e"

diff --git a/meta-dstack/recipes-kernel/linux/linux-yocto%.bbappend b/meta-dstack/recipes-kernel/linux/linux-yocto%.bbappend
@@ -9,7 +9,8 @@ SRC_URI += "file://dstack-docker.cfg \
             file://dstack-sysbox.cfg \
             file://dstack-sysbox.scc \
             file://dstack.cfg \
-            file://dstack.scc"
+            file://dstack.scc \
+            file://0002-overlayfs-enable-idmapped-mounts.patch"
 
 KERNEL_FEATURES:append = " features/cgroups/cgroups.scc \
                           features/overlayfs/overlayfs.scc \