
unprivileged enroot start with fuse-overlayfs stuck because of 10-shadow.sh running cp -Lpr #245

@elelayan


Stumbled upon this multiple times: 10-shadow.sh will run cp -Lpr "${ENROOT_ROOTFS}${skel}/." "${ENROOT_ROOTFS}${home}".

To reproduce:

# enroot import -o debian-12.6-slim.squashfs docker://debian:12.6-slim
# sudo -u elelay enroot start  ./debian-12.6-slim.squashfs
(stuck forever)

ps faux:

root     2028977  0.0  0.0  30756   588 pts/1    Ss+  12:05   0:00              |   \_ sudo -u elelay enroot start ./debian-12.6-slim.squashfs
elelay   2028978  0.5  0.0   7984  3620 pts/1    S    12:05   0:00              |       \_ /usr/bin/bash --norc -o braceexpand -o errexit -o hashall -o interactive-comments -o nounset -o pipefail -O checkwinsize -O cmdhist -O complete_fullquote -O extquote -O force_fignore -O globasciiranges -O globskipdots -O hostc
elelay   2029014  0.0  0.0  17428  3328 pts/1    T    12:05   0:00              |           \_ fuse-shim
elelay   2029017  0.6  0.0   5828  2448 pts/1    S    12:05   0:00              |           |   \_ squashfuse -f -o uid=10099,gid=10001 /tmp/debian-12.6-slim.squashfs /run/enroot/elelay/overlay/lower
elelay   2029023  0.9  0.0   5396  2040 pts/1    S    12:05   0:00              |           |   \_ fuse-overlayfs -f -o lowerdir=/run/enroot/elelay/overlay/lower,upperdir=/run/enroot/elelay/overlay/upper,workdir=/run/enroot/elelay/overlay/work /run/enroot/elelay/overlay
elelay   2029036  0.0  0.0   7468  2244 pts/1    S    12:05   0:00              |           \_ /usr/bin/bash --norc -o braceexpand -o errexit -o hashall -o interactive-comments -o nounset -o pipefail -O checkwinsize -O cmdhist -O complete_fullquote -O extquote -O force_fignore -O globasciiranges -O globskipdots -O h
elelay   2029075  0.0  0.0   7072  2756 pts/1    S    12:05   0:00              |               \_ bash /etc/enroot/hooks.d/10-shadow.sh
elelay   2029110  0.0  0.0   6456  1628 pts/1    S    12:05   0:00              |                   \_ cp -Lpr /run/enroot/elelay/overlay/etc/skel/. /run/enroot/elelay/overlay/home/elelay

I have to kill the bash /etc/enroot/hooks.d/10-shadow.sh to stop the container.

Inserting a find $skel -exec ls -alnd '{}' ';' 1>&2 just before the cp -Lpr "${ENROOT_ROOTFS}${skel}/." "${ENROOT_ROOTFS}${home}" in 10-shadow.sh shows:

drwxr-xr-x 2 65534 65534 5 Aug 21 16:47 /etc/skel
-rw-r--r-- 1 65534 65534 220 Apr 19 00:47 /etc/skel/.bash_logout
-rw-r--r-- 1 65534 65534 75 Aug 21 16:47 /etc/skel/.bashrc
-rw-r--r-- 1 65534 65534 807 Apr 19 00:47 /etc/skel/.profile

Is it something specific to my config?

ENROOT_GZIP_PROGRAM        pigz
# See https://github.com/NVIDIA/pyxis/wiki/Setup for following options
ENROOT_SQUASH_OPTIONS      -noI -noD -noF -noX -no-duplicates
ENROOT_RESTRICT_DEV        y
ENROOT_ROOTFS_WRITABLE     y

I guess this can be disabled by tweaking the image: set CREATE_HOME to no in /etc/login.defs or /etc/default/useradd, or remove /etc/skel, but that requires modifying every image to be run by enroot.

I've succeeded in mounting /home early (it needs the -1 pass so it is mounted before the hooks run) by adding /etc/enroot/mounts.d/30-home.fstab:

/home /home none x-create=dir,rbind,rw,nosuid,nodev 0 -1

But it is not necessarily what I want because it mounts ALL user homes in the container (or a predefined one if I use /home/myuser instead).

Is there a better workaround? When does the script make sense?
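A guarded variant of the skel copy, added here as an illustration and not code from enroot's 10-shadow.sh: it bounds cp -Lpr with a timeout so a hang like the one above fails the hook with a clear message instead of blocking enroot start forever. The function names, the default limit and the constructed skeleton directory in the demo are assumptions.

```shell
#!/bin/sh
# Added example (not enroot's own hook): copy a skeleton directory into a
# new home directory with an upper bound on how long the copy may take.
# Usage: copy_skel_guarded SRC_SKEL DST_HOME [TIMEOUT_SECONDS]
# Returns 0 on success, 124 if the copy timed out, otherwise cp's exit status.
copy_skel_guarded() {
    src=$1
    dst=$2
    limit=${3:-30}   # assumed default; tune to the storage in use
    if [ ! -d "$src" ]; then
        # an image without /etc/skel simply gets an empty home
        mkdir -p "$dst"
        return $?
    fi
    mkdir -p "$dst" || return 1
    # -L dereferences symlinks, -p keeps mode/ownership/timestamps, -r recurses;
    # timeout(1) from coreutils kills cp and returns 124 when the limit is hit
    if timeout "$limit" cp -Lpr "$src/." "$dst"; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -eq 124 ]; then
        echo "copy_skel_guarded: cp -Lpr from $src exceeded ${limit}s, aborting" >&2
    fi
    return "$rc"
}

# Self-contained demo on a constructed skeleton (a temp dir, not a real rootfs).
demo_copy_skel() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/skel" "$tmp/home"
    printf '%s\n' 'alias ll="ls -l"' > "$tmp/etc/skel/.bashrc"
    printf '%s\n' '# ~/.profile' > "$tmp/etc/skel/.profile"
    copy_skel_guarded "$tmp/etc/skel" "$tmp/home/elelay" 5
    rc=$?
    ls -A "$tmp/home/elelay"   # lists .bashrc and .profile on success
    rm -rf "$tmp"
    return "$rc"
}
```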
