force_mask affects permissions inside container #407

Closed
sb604 opened this issue Oct 29, 2023 · 11 comments · Fixed by #408 or #410

sb604 commented Oct 29, 2023

Issue Description

Setting storage.options.overlay.force_mask=0700 changes the permissions of files newly created inside a running container. The actual umask is ignored. This is when using fuse-overlayfs. So the issue could be rooted there.

This is only for freshly created files. Thereafter the permissions (inside the container) can be changed using chmod and will be represented accordingly. Outside the container the permission stays as set in force_mask. And the in-container permissions are stored in a xattr.

I stumbled over this when trying to move my graphroot to a network share (cephfs) when the force_mask is forced to 0700. After some poking around I boiled it down to the example below. So it's not related to moving the graphroot to a network share.

Steps to reproduce the issue

1. storage.conf

~/.config/containers/storage.conf

[storage]
driver="overlay"
[storage.options]
mount_program = "/usr/bin/fuse-overlayfs"
[storage.options.overlay]
force_mask="0700"

2. for good measure

$ podman system reset

3. try it out

  • $ podman run --rm -it ubuntu /bin/bash
  • root@02c8ed39eaf8:/# touch foobar
  • root@02c8ed39eaf8:/# ls -l foobar

additional info:

  • umask inside container was left at default:
root@6c9b13ed70e6:/# umask
0022

Describe the results you received

Permissions of file foobar:
-rwxr-xr-x. 1 root root 0 Oct 29 09:02 foobar

Describe the results you expected

Expected permissions (as without using force_mask):
-rw-r--r--. 1 root root 0 Oct 29 09:03 foobar

podman info output

host:
  arch: amd64
  buildahVersion: 1.32.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-2.fc38.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: '
  cpuUtilization:
    idlePercent: 98.63
    systemPercent: 0.79
    userPercent: 0.58
  cpus: 2
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: coreos
    version: "38"
  eventLogger: journald
  freeLocks: 2045
  hostname: core01
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.5.5-200.fc38.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 2899705856
  memTotal: 4090593280
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.7.0-1.fc38.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.7.0
    package: netavark-1.7.0-1.fc38.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.7.0
  ociRuntime:
    name: crun
    package: crun-1.9.2-1.fc38.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.9.2
      commit: 35274d346d2e9ffeacb22cc11590b0266a23d634
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20230908.g05627dc-1.fc38.x86_64
    version: |
      pasta 0^20230908.g05627dc-1.fc38.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.1-1.fc38.x86_64
    version: |-
      slirp4netns version 1.2.1
      commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 0
  swapTotal: 0
  uptime: 64h 41m 55.00s (Approximately 2.67 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /var/home/core/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.12-1.fc38.x86_64
      Version: |-
        fusermount3 version: 3.14.1
        fuse-overlayfs: version 1.12
        FUSE library version 3.14.1
        using FUSE kernel interface version 7.31
  graphRoot: /var/home/core/.local/share/containers/storage
  graphRootAllocated: 15501078528
  graphRootUsed: 3848003584
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
  APIVersion: 4.7.0
  Built: 1695839078
  BuiltTime: Wed Sep 27 18:24:38 2023
  GitCommit: ""
  GoVersion: go1.20.8
  Os: linux
  OsArch: linux/amd64
  Version: 4.7.0

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No


@sb604 sb604 added the kind/bug label Oct 29, 2023

rhatdan commented Oct 29, 2023

@giuseppe PTAL

@giuseppe giuseppe transferred this issue from containers/podman Oct 29, 2023
giuseppe added a commit to giuseppe/fuse-overlayfs that referenced this issue Oct 29, 2023
giuseppe (Member) commented:

opened a PR: #408


sb604 commented Oct 30, 2023

@giuseppe thx for providing the PR. It indeed fixes the described issue. But there seems to be more to it:

TL;DR: syscall mkdir("/foobar", 0700) results in a new directory with permissions 0755, which it shouldn't.

I stumbled upon this issue while setting up a samba container (ghcr.io/servercontainers/samba:smbd-only-latest) using a network share as graphroot. Then I boiled it down to the described minimal reproducible example. This example is working now. But the issue with my samba container is still there.

To be clear: without force_mask=0700 it is working.

Using force_mask=0700 leads to this error while starting the smbd daemon:

[2023/10/30 15:25:08.517288,  0] ../../source3/smbd/server.c:1746(main)
  smbd version 4.18.5 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2023
[2023/10/30 15:25:08.519327,  0] ../../lib/util/util.c:345(directory_create_or_exist_strict)
  invalid permissions on directory '/var/lib/samba/private/msg.sock': has 0755 should be 0700

directory contents before starting smbd:

/ # ls -l /var/lib/samba/private
total 424
-rw-------    1 root     root        430080 Oct 30 16:12 secrets.tdb
-rw-------    1 root     root           106 Oct 30 16:12 smbpasswd

after trying to start smbd:

/ # ls -l /var/lib/samba/private
total 424
drwxr-xr-x    2 root     root            42 Oct 30 15:27 msg.sock
-rw-------    1 root     root        430080 Oct 30 15:26 secrets.tdb
-rw-------    1 root     root           106 Oct 30 15:26 smbpasswd

STRACE

/ # apk add strace
/ # strace smbd --foreground
[...]
umask(000)                              = 000
mkdir("/var/lib/samba/private/msg.sock", 0700) = 0
umask(000)                              = 000
lstat("/var/lib/samba/private/msg.sock", {st_mode=S_IFDIR|0755, st_size=42, ...}) = 0
geteuid()                               = 0
writev(3, [{iov_base="[2023/10/30 15:28:36.223197,  0]"..., iov_len=93}, {iov_base="  invalid permissions on directo"..., iov_len=94}], 2[2023/10/30 15:28:36.223197,  0] ../../lib/util/util.c:345(directory_create_or_exist_strict)
  invalid permissions on directory '/var/lib/samba/private/msg.sock': has 0755 should be 0700
) = 187
[...]

It appears smbd tries to create /var/lib/samba/private/msg.sock with 0700 but gets 0755 instead.
I tried to recreate this by using mkdir -m 700 foobar but strace reveals that mkdir -m uses mkdir(3) followed by chmod(3). This is working.

So I did it the hard way:

# apk add vim
# apk add alpine-sdk
# vim main.c
#include <sys/stat.h>

/* Create /foobar with mode 0700 via the raw mkdir() call, no chmod() afterwards. */
int main(void) {
    mkdir("/foobar", 0700);
    return 0;
}
/ #  gcc main.c
/ # rmdir foobar/
/ # strace ./a.out
execve("./a.out", ["./a.out"], 0x7ffe700c1820 /* 11 vars */) = 0
arch_prctl(ARCH_SET_FS, 0x7fbe4e611b48) = 0
set_tid_address(0x7fbe4e611fb8)         = 186
brk(NULL)                               = 0x562caf6d1000
brk(0x562caf6d3000)                     = 0x562caf6d3000
mmap(0x562caf6d1000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x562caf6d1000
mprotect(0x7fbe4e60e000, 4096, PROT_READ) = 0
mprotect(0x562cad79a000, 4096, PROT_READ) = 0
mkdir("/foobar", 0700)                  = 0
exit_group(0)                           = ?
+++ exited with 0 +++
# ls -l
drwxr-xr-x    2 root     root            42 Oct 30 15:38 foobar

The created directory should have permissions set to 0700. But it doesn't. ¯\_(ツ)_/¯

This is with using the fuse-overlayfs version from the PR (https://github.com/containers/fuse-overlayfs/actions/runs/6689710902#artifacts).

And some bonus info:

#include <sys/stat.h>
#include <fcntl.h>

/* Directory via mkdir(), file via open(O_CREAT): does the requested mode survive? */
int main(void) {
    mkdir("/foobar", 0777);
    open("/foobar.txt", O_CLOEXEC|O_CREAT, 0600);
    return 0;
}
-rw-------    1 root     root             0 Oct 30 16:02 foobar.txt

So it seems to work for files, at least with open().

giuseppe (Member) commented:

thanks for the extra information. Could you check if #409 solves the problem with directories?


sb604 commented Oct 31, 2023

EDIT: I messed something up in an earlier version of this comment. Just re-read it.

The problem regarding creating new directories described above is now solved. But there is more:

no force_mask, works as is should:

$ podman run --name samba --rm -it --entrypoint=/bin/sh ghcr.io/servercontainers/samba:smbd-only-latest
/ # ls -l /var/lib/
drwxr-xr-x    5 root     root            51 Oct  5 13:56 samba
/ # adduser -D -H -u "1000" -s /bin/false "testaccount"
/ # smbpasswd -a -n "testaccount"
/ # ls -l /var/lib/
drwxr-xr-x    5 root     root            72 Oct 31 09:13 samba

with force_mask=0700 (fuse-overlayfs from #409)

$ podman run --name samba --rm -it --entrypoint=/bin/sh ghcr.io/servercontainers/samba:smbd-only-latest
/ # ls -l /var/lib/
drwxr-xr-x    5 root     root            51 Oct  5 13:56 samba
/ # adduser -D -H -u "1000" -s /bin/false "testaccount"
/ # smbpasswd -a -n "testaccount"
/ # ls -l /var/lib/
drwx------    5 root     root            72 Oct 31 09:09 samba

What's the difference? The directory /var/lib/samba changes permissions from 0755 to 0700 after calling smbpasswd. But it should not be changed. Without force_mask it doesn't change.

I was able to reproduce it by doing this:

#define _GNU_SOURCE   /* O_LARGEFILE is hidden behind this on glibc */
#include <fcntl.h>

/* Create a file under /var/lib/samba/private and watch the parent's mode. */
int main(void) {
  open("/var/lib/samba/private/foobar.txt",  O_RDWR|O_CREAT|O_LARGEFILE|O_CLOEXEC,  0600);
  return 0;
}
/ # ls -l /var/lib/
total 0
drwxr-xr-x    2 root     root             6 Sep 28 11:18 apk
drwxr-xr-x    2 root     root             6 Sep 28 11:18 misc
drwxr-xr-x    5 root     root            51 Oct  5 13:56 samba
drwxr-xr-x    2 root     root             6 Sep 28 11:18 udhcpd
/ # gcc main.c
/ # strace ./a.out
execve("./a.out", ["./a.out"], 0x7fff021d20a0 /* 7 vars */) = 0
arch_prctl(ARCH_SET_FS, 0x7fa521600b48) = 0
set_tid_address(0x7fa521600fb8)         = 27
brk(NULL)                               = 0x56067cbf0000
brk(0x56067cbf2000)                     = 0x56067cbf2000
mmap(0x56067cbf0000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x56067cbf0000
mprotect(0x7fa5215fd000, 4096, PROT_READ) = 0
mprotect(0x56067b367000, 4096, PROT_READ) = 0
open("/var/lib/samba/private/foobar.txt", O_RDWR|O_CREAT|O_LARGEFILE|O_CLOEXEC, 0600) = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
exit_group(3)                           = ?
+++ exited with 3 +++
ls -l /var/lib/
/ # ls -l /var/lib/
total 0
drwxr-xr-x    2 root     root             6 Sep 28 11:18 apk
drwxr-xr-x    2 root     root             6 Sep 28 11:18 misc
drwx------    5 root     root            21 Oct 31 11:30 samba
drwxr-xr-x    2 root     root             6 Sep 28 11:18 udhcpd

Creating a new file under /var/lib/samba/private changes permissions of /var/lib/samba....

@sb604 sb604 changed the title force_mask affects permission inside container force_mask affects permissions inside container Nov 1, 2023

sb604 commented Nov 1, 2023

@rhatdan Would it make sense to re-open this issue as it is clearly not solved yet?

@giuseppe giuseppe reopened this Nov 1, 2023
giuseppe added a commit to giuseppe/fuse-overlayfs that referenced this issue Nov 1, 2023
when a directory is copied up, propagate its mode if using xattrs
permissions.

Closes: containers#407

Signed-off-by: Giuseppe Scrivano <[email protected]>

giuseppe commented Nov 1, 2023

thanks for the additional feedback. Opened a new PR: #410


sb604 commented Nov 2, 2023

It's still not working:

without force_mask

/ # /container/scripts/entrypoint.sh
/ # smbd -i --foreground
smbd version 4.18.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2023
INFO: Profiling support unavailable in this build.
daemon_status: daemon 'smbd' : Starting process ...
startsmbfilepwent_internal: file /var/lib/samba/private/smbpasswd did not exist. File successfully created.
^C

/ #   ls -l /var/run/samba/ncalrpc/
total 0
drwx------    2 root     root            26 Nov  2 09:17 np

with force_mask=0700

$  podman run --name samba --rm -it --entrypoint=/bin/sh ghcr.io/servercontainers/samba:smbd-only-latest
/ # apk add strace
/ # ls -l /var/run/samba/
total 0
/ # /container/scripts/entrypoint.sh
/ # strace smbd -i --foreground
smbd version 4.18.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2023
INFO: Profiling support unavailable in this build.
daemon_status: daemon 'smbd' : Starting process ...
startsmbfilepwent_internal: file /var/lib/samba/private/smbpasswd did not exist. File successfully created.
invalid permissions on directory '/var/run/samba/ncalrpc/np': has 0755 should be 0700
Failed to create pipe directory /var/run/samba/ncalrpc/np - File exists

[...]
umask(000)                              = 000
mkdir("/var/run/samba/ncalrpc", 0755)   = 0
umask(000)                              = 000
geteuid()                               = 0
umask(000)                              = 000
mkdir("/var/run/samba/ncalrpc/np", 0700) = 0
umask(000)                              = 000
lstat("/var/run/samba/ncalrpc/np", {st_mode=S_IFDIR|0755, st_size=26, ...}) = 0
[...]


/ # strace stat /var/run/samba/ncalrpc/np
execve("/bin/stat", ["stat", "/var/run/samba/ncalrpc/np"], 0x7fff460424f8 /* 7 vars */) = 0
arch_prctl(ARCH_SET_FS, 0x7ff78a7d8b48) = 0
set_tid_address(0x7ff78a7d8fb8)         = 49
brk(NULL)                               = 0x557c8babd000
brk(0x557c8babf000)                     = 0x557c8babf000
mmap(0x557c8babd000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x557c8babd000
mprotect(0x7ff78a7d5000, 4096, PROT_READ) = 0
mprotect(0x557c8ac69000, 16384, PROT_READ) = 0
getuid()                                = 0
lstat("/var/run/samba/ncalrpc/np", {st_mode=S_IFDIR|0700, st_size=26, ...}) = 0

/ #  ls -l /var/run/samba/
total 4
drwxr-xr-x    3 root     root            52 Nov  2 09:14 ncalrpc
-rw-r--r--    1 root     root             3 Nov  2 09:14 smbd.pid
/ #  ls -l /var/run/samba/ncalrpc/
total 0
drwx------    2 root     root            26 Nov  2 09:14 np

smbd creates /var/run/samba/ncalrpc/np with 0700 but lstat() comes back with 0755 immediately after creation. Running stat on the shell then gives the correct result.


sb604 commented Nov 2, 2023

I was able to reproduce this:

#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdio.h>

/* mkdir() a directory with 0700, then lstat() it straight away and print the mode. */
int main(void) {
  struct stat sb;

  mkdir("/var/run/samba/ncalrpc/foobar",  0700);
  lstat("/var/run/samba/ncalrpc/foobar", &sb);
  printf("Mode: %lo (octal)\n", (unsigned long) sb.st_mode);
  return 0;
}
/ # strace ./a.out
execve("./a.out", ["./a.out"], 0x7ffe36bde770 /* 7 vars */) = 0
arch_prctl(ARCH_SET_FS, 0x7fd2c5be7b48) = 0
set_tid_address(0x7fd2c5be7fb8)         = 115
brk(NULL)                               = 0x56205faa4000
brk(0x56205faa6000)                     = 0x56205faa6000
mmap(0x56205faa4000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x56205faa4000
mprotect(0x7fd2c5be4000, 4096, PROT_READ) = 0
mprotect(0x56205eaf5000, 4096, PROT_READ) = 0
mkdir("/var/run/samba/ncalrpc/foobar", 0700) = 0
lstat("/var/run/samba/ncalrpc/foobar", {st_mode=S_IFDIR|0755, st_size=26, ...}) = 0
ioctl(1, TIOCGWINSZ, {ws_row=70, ws_col=237, ws_xpixel=32766, ws_ypixel=0}) = 0
writev(1, [{iov_base="Mode: 40755", iov_len=11}, {iov_base=" (octal)\n", iov_len=9}], 2Mode: 40755 (octal)
) = 20
exit_group(0)                           = ?
+++ exited with 0 +++
/ # ls -l /var/run/samba/ncalrpc/
total 0
drwx------    2 root     root            26 Nov  2 09:37 foobar
drwx------    2 root     root            26 Nov  2 09:19 np

what is even more interesting:

/ # stat /var/run/samba/ncalrpc/foobar
  File: /var/run/samba/ncalrpc/foobar
  Size: 26              Blocks: 0          IO Block: 4096   directory
Device: 35h/53d Inode: 672490      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-11-02 09:40:22.351640341 +0000
Modify: 2023-11-02 09:40:22.351640341 +0000
Change: 2023-11-02 09:40:22.351640341 +0000
/ # ls -l /var/run/samba/ncalrpc/
total 0
drwx------    2 root     root            26 Nov  2 09:40 foobar
drwx------    2 root     root            26 Nov  2 09:19 np

Now foobar is 0755 and 0700 at the same time. As it turns out, /var/run is a symlink to /run, so I guess symlinks are not handled correctly. Here we get the correct results:

 # ls -l /run/samba/ncalrpc/
total 0
drwx------    2 root     root            26 Nov  2 09:40 foobar
drwx------    2 root     root            26 Nov  2 09:19 np
#  stat /run/samba/ncalrpc/np/
  File: /run/samba/ncalrpc/np/
  Size: 26              Blocks: 0          IO Block: 4096   directory
Device: 35h/53d Inode: 3168480     Links: 2
Access: (0700/drwx------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-11-02 09:19:59.495178941 +0000
Modify: 2023-11-02 09:19:59.495178941 +0000
Change: 2023-11-02 09:19:59.495178941 +0000


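The three checks sb604 ran by hand in the comments above (mkdir with 0700 followed by lstat, a directory flipping from 0755 to 0700 after a file is created below it, and a different answer through the /var/run symlink) folded into one program, as an added example that is not code from this thread or from fuse-overlayfs. The entry names real, lnk, sub and f and the /tmp/fmask- scratch prefix are constructed; the program needs nothing but a writable directory.

```c
#define _GNU_SOURCE            /* mkdtemp(), symlink() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path as lstat() reports them, or -1 on error. */
static long perm_bits(const char *path) {
    struct stat sb;
    if (lstat(path, &sb) != 0) return -1;
    return (long)(sb.st_mode & 07777);
}

/* Check 1 (mkdir 0700 came back as 0755): create dir with mode under umask 0,
   as smbd does, and return the mode lstat() reports immediately afterwards. */
long mkdir_reported_mode(const char *dir, mode_t mode) {
    mode_t old = umask(0);
    int rc = mkdir(dir, mode);
    umask(old);
    return rc == 0 ? perm_bits(dir) : -1;
}

/* Check 2 (/var/lib/samba flipped 0755 -> 0700): create file below watched and
   return 1 if watched keeps its bits, 0 if they changed, -1 on error. */
int dir_mode_stable(const char *watched, const char *file) {
    long before = perm_bits(watched);
    if (before < 0) return -1;
    int fd = open(file, O_RDWR | O_CREAT | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    close(fd);
    long after = perm_bits(watched);
    return after < 0 ? -1 : before == after;
}

/* Check 3 (/var/run -> /run answered differently): 1 if dir shows the same
   bits when reached directly and through a symlinked parent, else 0. */
int same_mode_via_symlink(const char *dir, const char *via_link) {
    long direct = perm_bits(dir);
    return direct >= 0 && direct == perm_bits(via_link);
}

/* Build base/real, base/lnk -> real, base/real/sub (0700), base/real/sub/f
   (all constructed names), run the checks, clean up. Returns failure count. */
int run_checks(const char *base) {
    char real[1024], lnk[1024], sub[1024], via[1024], file[1024];
    snprintf(real, sizeof real, "%s/real", base);
    snprintf(lnk,  sizeof lnk,  "%s/lnk", base);
    snprintf(sub,  sizeof sub,  "%s/real/sub", base);
    snprintf(via,  sizeof via,  "%s/lnk/sub", base);
    snprintf(file, sizeof file, "%s/real/sub/f", base);
    if (mkdir(real, 0755) != 0 || symlink("real", lnk) != 0) return 4;
    int failed = 0;
    if (mkdir_reported_mode(sub, 0700) != 0700) failed++;
    if (dir_mode_stable(real, file) != 1) failed++;  /* grandparent of f */
    if (perm_bits(sub) != 0700) failed++;            /* parent of f */
    if (!same_mode_via_symlink(sub, via)) failed++;
    unlink(file); rmdir(sub); unlink(lnk); rmdir(real);
    return failed;
}

/* Same checks in a fresh mkdtemp() scratch directory, removed afterwards. */
int run_checks_in_tmp(void) {
    char base[] = "/tmp/fmask-XXXXXX";
    if (mkdtemp(base) == NULL) return -1;
    int failed = run_checks(base);
    rmdir(base);
    return failed;
}

int main(int argc, char **argv) {
    int failed = argc > 1 ? run_checks(argv[1]) : run_checks_in_tmp();
    printf("%d check(s) failed\n", failed);
    return failed != 0;
}
```

Run it as ./a.out /var/lib/samba/private (or any writable directory) inside a container whose storage uses force_mask; on a filesystem that honours the requested modes all four checks pass and the exit status is 0.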

giuseppe commented Nov 2, 2023

thanks, added a new patch to the open PR.

I've tried running your container image and it seems to work fine now:

$ podman run --name samba --rm -it ghcr.io/servercontainers/samba:smbd-only-latest
################################################################################

Welcome to the ghcr.io/servercontainers/samba

################################################################################

You'll find this container sourcecode here:

    https://github.com/ServerContainers/samba

The container repository will be updated regularly.

################################################################################


mkdir: can't create directory '/var/run/samba': File exists
>> CONTAINER: starting initialisation
cp: can't stat '/container/config/avahi/samba.service': No such file or directory
>> SAMBA CONFIG: no $SAMBA_CONF_LOG_LEVEL set, using '1'
>> SAMBA CONFIG: no $SAMBA_CONF_WORKGROUP set, using 'WORKGROUP'
>> SAMBA CONFIG: no $SAMBA_CONF_SERVER_STRING set, using 'Samba Server'
>> SAMBA CONFIG: no $SAMBA_CONF_MAP_TO_GUEST set, using 'Bad User'
  >> AVAHI: zeroconf model: TimeCapsule
/container/scripts/entrypoint.sh: line 157: can't create /etc/avahi/services/samba.service: nonexistent directory
>> ZEROCONF: samba.service file
############################### START ####################################
cat: can't open '/etc/avahi/services/samba.service': No such file or directory
################################ END #####################################
>> EXTERNAL AVAHI: found external avahi, now maintaining avahi service file 'samba.service'
>> EXTERNAL AVAHI: internal avahi gets disabled
cp: can't stat '/etc/avahi/services/samba.service': No such file or directory
chmod: /external/avahi/samba.service: No such file or directory
>> EXTERNAL AVAHI: list of services
ls: /external/avahi/*.service: No such file or directory

>> SAMBA: check smb.conf file using 'testparm -s'
############################### START ####################################
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_STANDALONE

# Global parameters
[global]
	dns proxy = No
	load printers = No
	log file = /dev/stdout
	map to guest = Bad User
	obey pam restrictions = Yes
	passdb backend = smbpasswd
	printcap name = /dev/null
	security = USER
	server role = standalone server
	server string = Samba Server
	smb1 unix extensions = No
	fruit:aapl = yes
	fruit:model = TimeCapsule
	idmap config * : backend = tdb
	acl allow execute always = Yes
	vfs objects = catia fruit streams_xattr
	wide links = Yes
############################### END ####################################


>> SAMBA: print whole smb.conf
############################### START ####################################
[global]
   server role = standalone server
   log file = /dev/stdout
   dns proxy = no 

   # password stuff
   passdb backend = smbpasswd

   obey pam restrictions = yes
   security = user
   printcap name = /dev/null
   load printers = no
   dns proxy = no
   wide links = yes
   follow symlinks = yes
   unix extensions = no
   acl allow execute always = yes

   # MacOS Compatibility options
   vfs objects = catia fruit streams_xattr

   # Special configuration for Apple's Time Machine
   fruit:model = TimeCapsule
   fruit:aapl = yes

   # Docker Envs global config options
   log level = 1
   workgroup = WORKGROUP
   server string = Samba Server
   map to guest = Bad User

############################### END ####################################

>> CMD: exec docker CMD
runsvdir -P /container/config/runit
+ + sleepsleep 2 6

+ exec smbd --foreground
[2023/11/02 00:52:22.821783,  0] ../../source3/smbd/server.c:1746(main)
  smbd version 4.18.5 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2023
[2023/11/02 00:52:22.825254,  1] ../../source3/profile/profile_dummy.c:30(set_profile_level)
  INFO: Profiling support unavailable in this build.
[2023/11/02 00:52:22.856029,  0] ../../source3/passdb/pdb_smbpasswd.c:249(startsmbfilepwent)
  startsmbfilepwent_internal: file /var/lib/samba/private/smbpasswd did not exist. File successfully created.
+ exec nmbd --foreground

What other tests can I do to make sure it will fix your use case?


sb604 commented Nov 2, 2023

Thank you very much @giuseppe, my samba container is working now.

This whole issue got me thinking... I went ahead and looked for some filesystem test suite and found this: musikid/pjd

Running it on my underlying cephfs results in no errors. Running it on fuse-overlayfs backed by cephfs shows some issues:

Tests: 68 failed, 35 skipped, 282 passed, 385 total

Maybe you wanna look into it and include it in your build pipeline. I can't really judge which of those test cases are even relevant.
