-
Notifications
You must be signed in to change notification settings - Fork 324
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Question: Supporting modifications to a read-only rootfs #1594
Comments
the traditional way of handling it, as you've pointed out, is to create an overlay mount and then use it as the path for root. I am not against adding this possibility to crun if anyone cares to implement it, but it is quite easy to do externally, and if you care about "auto cleanup", you can unshare a mount namespace first and create the overlay mount there. |
Hey, this is because I have no idea what I am doing, but what does this "quite easy" actually entail?
If I unshare a mount namespace (mapping myself to root, as I can not mount the overlayfs otherwise) crun does not start with Ideally I could manage the containers from outside the namespace, so it would be nice if that re-used the UID of the original outside user (e.g. 1000).
This seems to work:
and in a different terminal on the host
This sounds completely broken, so how exactly is this supposed to work instead? EDIT: The reason I can not just create an overlayfs outside is that I am not root, so it needs to be done in a user namespace instead. |
(This is more of a question, but I wasn't sure where to post this other than the issue tracker.)
I'm trying to use
crun
as the back-end for a sandboxing tool that makes it possible to modify a container's root filesystem, optionally persisting the changes into a separate user directory. I'm having some trouble mapping that onto an OCI bundle that works with `crun.First of all, as per the spec the
root
key is mandatory, but since I don't actually want to mutate the sources of therootfs
I'm settingreadonly=true
.I figured I could then (kind of redundantly) mount the root again, but now using an
overlay
mount to persist the changes:crun
doesn't accept that, however. Well, more specifically the overlay mount fails withEINVAL
.Looking at a bundle generated by Docker, which supports this, the
root
is actually writable and pointing to e.g. a btrfs subvolume. I would like to avoid that, because it requires the caller to set-up an overlay-like mechanism to make the root writable, while I'd prefercrun
to handle all that (with the added benefit of easy clean-up when the container exits). Is this possible, or outside of the scope ofcrun
? Any other suggestions would be appreciated as well!The text was updated successfully, but these errors were encountered: