4

I'm using overlayFS to create a sort of simple experimental sandboxing. I think I understand how it works:

  • lower layer should be always mounted R/O
  • upper layer is where all changes happen
  • work layer is for transactional reasons
  • target is where all merged lower + upper go

As an example, I have a physical disk mounted on /disk2. Then I want to overlay to preserve the contents, so I can do something like:

```c
mount("overlay", "/disk2", "overlay", MS_MGC_VAL, "lowerdir=/disk2,upperdir=./upper,workdir=./work");
```

This works just fine: when my new process tries to amend content under /disk2, then it will only amend in reality under upper: this is indeed working as intended. For example, I can also see the 0, 0 files to show that something is deleted in the upper but not in the lower.

Unfortunately, it looks like I somehow can't overlay on root /: if I execute the following code:

```c
mount("overlay", "/", "overlay", MS_MGC_VAL, "lowerdir=/disk2,upperdir=./upper,workdir=./work");
```

I can still see the whole real / and when I write files, they get written in their real (i.e. lower) location, not in the upper one.

What am I doing wrong here?

I am on kernel 4.4.0-53.

Emanuele
  • 2
    An overlay root file system needs to be performed by init (or systemd or earlier) to ensure that all processes would use this `/`, rather than the `/` of the real device. All processes have an inherent concept of `/`, and you can't alter it once the process has been created (I'm open to correction on this). You should look at details of [overlayroot](https://github.com/chesty/overlayroot) [blog posting](https://spin.atomicobject.com/2015/03/10/protecting-ubuntu-root-filesystem/). – Anya Shenanigans Dec 13 '16 at 11:28
  • @petesh Not sure how much it helps because I need to do this dynamically after the _clone_ call in C code. Will have a look nonetheless. – Emanuele Dec 13 '16 at 11:44
  • I remember a presentation by a company at the euro linuxcon from last year in Dublin which used something like that - I can only remember the presentation happened - names evade me at the moment. You may be able to find something online related to it. – Anya Shenanigans Dec 13 '16 at 14:07
  • 3
    If you can run 'init' from an initramfs, mount your read-only "real" root partition and your writable partition somewhere in the initramfs file system. I'm doing this on a system I maintain with a command along the lines of `mount -t overlayfs none -o lowerdir=$ro_rootfs,upperdir=$writeable /mnt/overlayfs`. After that point, you may need to do some bind-mounts of your proc, sysfs, and devfs into /mnt/overlay, and then `exec chroot /mnt/overlay /init` to kick off the "real" init. Like @Petesh was getting at, this is how you alter the location of `/` for everything forked from `init`. – Brian McFarland Dec 13 '16 at 18:12
  • Related: https://unix.stackexchange.com/questions/316018/how-to-use-overlayfs-to-protect-the-root-filesystem – Ciro Santilli OurBigBook.com Mar 17 '18 at 11:30

2 Answers

-1

According to what I've read I don't think it's possible to programmatically do this once the system is started.

Emanuele
-1

prior-art: If you like one, then this is not for you...

ex. ...previous / partition: /dev/nvme3n2

save your root partition to an image file (ie... dd if=/dev/nvme3n2 of=/free_2_be/2022-12-11-awesome.im bs=44M oflag=direct status=progress)

mount the overlay filesystem to '/' (REALLY not necessary in init *(1) ); then initiate pivot_root ...glory.

** realize that you can never go back if you choose switch_root ...now, don't not never say that nobody didn't provide you with a disclaimer. In regard to the site's privacy policy and whatnot: viking created the word 'law' **

*(1) derived inference from a retrospective regarding that kind of overlay in init, indicates that that kind of thing, in that circumstance, is a problem.

1pf1
  • 2
    As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Dec 21 '22 at 09:46