| 1 |
Hello, |
| 2 |
I thought a example of how a overlay sandbox could work was in order. |
| 3 |
|
| 4 |
### |
| 5 |
# load the overlayfs filesystem for this test |
| 6 |
modprobe overlay |
| 7 |
|
| 8 |
# make the directories for the test |
| 9 |
mkdir -p /var/tmp/upper /var/tmp/work /mnt/gentoo |
| 10 |
|
| 11 |
# now create a separate mount namespace non-persistent |
| 12 |
unshare -m bash |
| 13 |
|
| 14 |
# setup the overlay |
| 15 |
mount -toverlay -oupperdir=/var/tmp/upper/,workdir=/var/tmp/work/,lowerdir=/ overlay /mnt/gentoo/ |
| 16 |
|
| 17 |
# since I don't care about protecting /var/tmp/portage |
| 18 |
# put the original on top of the overlay for better performance maybe? |
| 19 |
mount -o bind /var/tmp/portage /mnt/gentoo/var/tmp/portage |
| 20 |
|
| 21 |
# then like the handbook |
| 22 |
cd /mnt/gentoo |
| 23 |
mount -t proc proc proc |
| 24 |
mount --rbind /sys sys |
| 25 |
mount --rbind /dev dev |
| 26 |
|
| 27 |
#finally change into the protected sandbox |
| 28 |
chroot . bash |
| 29 |
|
| 30 |
# mess up the system |
| 31 |
|
| 32 |
exit # the chroot |
| 33 |
exit # the unshare |
| 34 |
### done. |
| 35 |
|
| 36 |
This version allows the sandbox to work with the special files in /dev, /proc, /sys |
| 37 |
other options are available for example a second separate dev/pts and dev/shm submounts |
| 38 |
|
| 39 |
When you exit the chroot and then the unshare, the /var/tmp/upper directory will contain all the changes made while in the chroot. |
| 40 |
|
| 41 |
Enjoy, |
| 42 |
|
| 43 |
Jim McMechan |
Archives