Question: Supporting modifications to a read-only rootfs

[maleadt]

(This is more of a question, but I wasn't sure where to post this other than the issue tracker.)

I'm trying to use crun as the back-end for a sandboxing tool that makes it possible to modify a container's root filesystem, optionally persisting the changes into a separate user directory. I'm having some trouble mapping that onto an OCI bundle that works with `crun.

First of all, as per the spec the root key is mandatory, but since I don't actually want to mutate the sources of the rootfs I'm setting readonly=true.

I figured I could then (kind of redundantly) mount the root again, but now using an overlay mount to persist the changes:

"root": {
    "path": "/rootfs",
    "readonly": true
},
"mounts": [
    {
        "destination": "/",
        "type": "overlay",
        "options": [
            "lowerdir=/rootfs",
            "upperdir=/overlay/upper",
            "workdir=/overlay/work",
            "userxattr"
        ]
    },
]

crun doesn't accept that, however. Well, more specifically the overlay mount fails with EINVAL.

Looking at a bundle generated by Docker, which supports this, the root is actually writable and pointing to e.g. a btrfs subvolume. I would like to avoid that, because it requires the caller to set-up an overlay-like mechanism to make the root writable, while I'd prefer crun to handle all that (with the added benefit of easy clean-up when the container exits). Is this possible, or outside of the scope of crun? Any other suggestions would be appreciated as well!

[giuseppe]

the traditional way of handling it, as you've pointed out, is to create an overlay mount and then use it as the path for root.

I am not against adding this possibility to crun if anyone cares to implement it, but it is quite easy to do externally, and if you care about "auto cleanup", you can unshare a mount namespace first and create the overlay mount there.