On Fri, Sep 22, 2017 at 7:26 PM, Rich Freeman wrote:
>On Fri, Sep 22, 2017 at 6:29 PM, James McMechan
>wrote:
>> On Fri, Sep 22, 2017 at 5:18 PM, Rich Freeman wrote:
>>>On Fri, Sep 22, 2017 at 4:43 PM, James McMechan
>>> wrote:
>>> # now create a separate mount namespace non-persistent
>>
On Fri, 22.09.2017 at 23:43 +, user James McMechan
wrote:
> Hello,
> I thought an example of how an overlay sandbox could work was in order.
>
> ###
> # load the overlayfs filesystem for this test
> modprobe overlay
>
> # make the directories for the test
> mkdir -p /var/tmp
On 2017-09-23 19:59, Rich Freeman wrote:
> A read-only container is a much simpler solution and generates the
> same kinds of errors as the current sandbox approach, but likely with
> fewer compatibility issues. I'm not really sure what tracing gets us
> that containers don't, other than having to
On 2017-09-22 22:26, Rich Freeman wrote:
> So, we're drifting in topic, but as long as we're coming up with
> nice-to-have utilities it would be lovely if our install CDs had
> something similar to systemd-nspawn to set up a container instead of a
> chroot for performing the install. If nothing el
On Sat, Sep 23, 2017 at 7:42 PM, Alec Warner wrote:
>
> We could try forcing failures (say, by not having / mounted as lowerdir, so
> syscalls against the rootfs would just fail as E_NOENT) but then we are
> still stuck with the tricky part; which is that sometimes things *do* need
> to read / wri
On Fri, Sep 22, 2017 at 7:43 PM, James McMechan
wrote:
> Hello,
> I thought an example of how an overlay sandbox could work was in order.
>
> ###
> # load the overlayfs filesystem for this test
> modprobe overlay
>
> # make the directories for the test
> mkdir -p /var/tmp/upper /var/tmp/work /mnt/g
On Fri, Sep 22, 2017 at 6:29 PM, James McMechan
wrote:
> On Fri, Sep 22, 2017 at 5:18 PM, Rich Freeman wrote:
>>On Fri, Sep 22, 2017 at 4:43 PM, James McMechan
>> wrote:
>>>
>>> # now create a separate mount namespace non-persistent
>>> unshare -m bash
>>>
>>
>>If you're going to go to the troubl
On Fri, Sep 22, 2017 at 5:18 PM, Rich Freeman wrote:
>On Fri, Sep 22, 2017 at 4:43 PM, James McMechan
> wrote:
>>
>> # now create a separate mount namespace non-persistent
>> unshare -m bash
>>
>
>If you're going to go to the trouble to set up a container, you might
>as well add some more isolatio
On Fri, Sep 22, 2017 at 4:43 PM, James McMechan
wrote:
>
> # now create a separate mount namespace non-persistent
> unshare -m bash
>
If you're going to go to the trouble to set up a container, you might
as well add some more isolation:
unshare --mount --net --pid --uts --cgroup --fork --ipc --m
Hello,
I thought an example of how an overlay sandbox could work was in order.
###
# load the overlayfs filesystem for this test
modprobe overlay
# make the directories for the test
mkdir -p /var/tmp/upper /var/tmp/work /mnt/gentoo
# now create a separate mount namespace non-persistent
unshare -m