You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There are important features that it doesn't provide:
In some situations the user and group of the files and folders of the overlayfs mount is nobody. This prevents one from mounting further files and directories on top.
Adding new files and directories without creating a host tree.
Hiding files and directories of a layer.
To solve 1. it's possible to create a layer which has directories and files with the right user, group and permissions at the mount points. Doing so is possible right now but requires the layer to live on the host.
Some users of bwrap exec bwrap and disappear, without a daemon or anything else left running. All the cleanup of resources must be done automatically by the kernel. Creating a filesystem tree that acts as an overlayfs layer on the host is therefore not a possibility.
There are two ways I can think of how to handle this:
Create the layer inside the /newroot with the usual --file--dir etc. parameters, then add a new --overlay-src-inside option which allows to add the layer from /newroot to the overlayfs, then possibly mount over the layer tree to prevent modification. Example: --dir /tmp/overlay/x --overlay-src lower --overlay-src-inside /tmp/overlay --ro-overlay /mnt --tmpfs /tmp/overlay makes it possible to mount on /mnt/x no matter what the lower level contains.
Create a new layer in /overlay-n (not /newroot, not /oldroot) whenever there are --file or --dir arguments interspersed between --overlay-src and other overlay arguments. The --file and --dir arguments then populate the layer instead of /newroot. Example: --overlay-src lower --dir /x --ro-overlay /mnt is identical to the example in 1.
Solving 3. requires creating a character device with 0/0 device number for whiteout and setting the xattr "trusted.overlay.opaque" of a directory to "y" for an opaque directory (i.e. not merging with lower levels). We could add new arguments for both. If we go with option 1, we have to allow creating them anywhere in /newroot, whereas option 2 would allow us to create them only on overlay layers in /overlay-n. Example: --overlay-src lower --dir /x --whiteout /y --opaque-dir /z --ro-overlay /mnt
e: option 2 doesn't work for creating files and directories in the lowest layer. Maybe we need separate options --overlay-file, --overlay-dir, --overlay-opaque-dir and --overlay-whiteout.
#547 adds support for overlayfs mounts.
There are important features that it doesn't provide:
To solve 1. it's possible to create a layer which has directories and files with the right user, group and permissions at the mount points. Doing so is possible right now but requires the layer to live on the host.
Some users of bwrap exec bwrap and disappear, without a daemon or anything else left running. All the cleanup of resources must be done automatically by the kernel. Creating a filesystem tree that acts as an overlayfs layer on the host is therefore not a possibility.
There are two ways I can think of how to handle this:
--file
--dir
etc. parameters, then add a new--overlay-src-inside
option which allows to add the layer from /newroot to the overlayfs, then possibly mount over the layer tree to prevent modification. Example:--dir /tmp/overlay/x --overlay-src lower --overlay-src-inside /tmp/overlay --ro-overlay /mnt --tmpfs /tmp/overlay
makes it possible to mount on/mnt/x
no matter what the lower level contains./overlay-n
(not /newroot, not /oldroot) whenever there are--file
or--dir
arguments interspersed between--overlay-src
and other overlay arguments. The--file
and--dir
arguments then populate the layer instead of/newroot
. Example:--overlay-src lower --dir /x --ro-overlay /mnt
is identical to the example in 1.Solving 3. requires creating a character device with 0/0 device number for whiteout and setting the xattr "trusted.overlay.opaque" of a directory to "y" for an opaque directory (i.e. not merging with lower levels). We could add new arguments for both. If we go with option 1, we have to allow creating them anywhere in /newroot, whereas option 2 would allow us to create them only on overlay layers in
/overlay-n
. Example:--overlay-src lower --dir /x --whiteout /y --opaque-dir /z --ro-overlay /mnt
I have an implementation for option 1 here https://github.com/swick/bubblewrap/tree/wip/overlayfs but I'm open to implementing option 2 if others think that's the better approach.
e: option 2 doesn't work for creating files and directories in the lowest layer. Maybe we need separate options
--overlay-file
,--overlay-dir
,--overlay-opaque-dir
and--overlay-whiteout
.@rhendric @smcv @alexlarsson
The text was updated successfully, but these errors were encountered: