Hello,

I thought an example of how an overlay sandbox could work was in order.

###
# load the overlayfs filesystem for this test
modprobe overlay

# make the directories for the test
mkdir -p /var/tmp/upper /var/tmp/work /mnt/gentoo

# now create a separate, non-persistent mount namespace
unshare -m bash

# set up the overlay
mount -t overlay -o upperdir=/var/tmp/upper/,workdir=/var/tmp/work/,lowerdir=/ overlay /mnt/gentoo/

# since I don't care about protecting /var/tmp/portage
# put the original on top of the overlay for better performance maybe?
mount -o bind /var/tmp/portage /mnt/gentoo/var/tmp/portage

# then like the handbook
cd /mnt/gentoo
mount -t proc proc proc
mount --rbind /sys sys
mount --rbind /dev dev

# finally change into the protected sandbox
chroot . bash

# mess up the system

exit # the chroot
exit # the unshare
### done.

This version allows the sandbox to work with the special files in /dev, /proc, /sys.
Other options are available, for example a second separate dev/pts and dev/shm submounts.

When you exit the chroot and then the unshare, the /var/tmp/upper directory will contain all the changes made while in the chroot.

Enjoy,

Jim McMechan
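The same procedure as a function-based script with root and namespace checks, plus a report of what the upper dir recorded, added here as an example and not the original post's script. It assumes the same paths as the post, and its whiteout check treats any character device in the upper dir as a deleted file (/dev is rbind-mounted into the sandbox, so real device nodes do not land in the upper dir).

```shell
#!/bin/sh
# Added example, not the original post's script: the same sandbox as a
# checked script, plus a report of what the upper dir recorded afterwards.
set -eu

LOWER=/                 # live root, read-only underneath the overlay
UPPER=/var/tmp/upper    # every write made in the sandbox lands here
WORK=/var/tmp/work      # overlayfs scratch dir, same filesystem as UPPER
TARGET=/mnt/gentoo      # where the merged view is mounted

# Build the -o string for mount(8) from the three directories.
overlay_opts() {
    printf 'upperdir=%s,workdir=%s,lowerdir=%s' "$1" "$2" "$3"
}

# Files deleted inside the sandbox are recorded in the upper dir as
# character-device "whiteouts" (overlayfs uses device 0/0); created or
# modified files appear as regular files. Paths are printed relative to
# the sandbox root. Assumes /dev is rbind-mounted, so no real device
# nodes end up in the upper dir (any char device here is a deletion).
report_changes() {
    upper=$1
    find "$upper" -type c | sed "s|^$upper|deleted: |"
    find "$upper" -type f | sed "s|^$upper|changed: |"
}

# Must run as root; the mounts and chroot need it.
setup_sandbox() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    modprobe overlay
    mkdir -p "$UPPER" "$WORK" "$TARGET"
    mount -t overlay -o "$(overlay_opts "$UPPER" "$WORK" "$LOWER")" overlay "$TARGET"
    # /var/tmp/portage is not worth protecting: expose the real one directly
    mount -o bind /var/tmp/portage "$TARGET/var/tmp/portage"
    mount -t proc proc "$TARGET/proc"
    mount --rbind /sys "$TARGET/sys"
    mount --rbind /dev "$TARGET/dev"
}

# "run" re-executes this script inside a fresh, private mount namespace
# (unshare -m), so every mount above disappears when the inner shell exits
# and only the contents of $UPPER survive for inspection.
case "${1:-}" in
    run)   exec unshare -m "$0" inner ;;
    inner) setup_sandbox; chroot "$TARGET" /bin/bash || true; report_changes "$UPPER" ;;
esac
```

Invoke it as `sh overlay-sandbox.sh run` (file name assumed); with no argument it only defines the functions.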