Hello, I thought an example of how an overlay sandbox could work was in order.
###
# load the overlayfs filesystem module for this test
modprobe overlay

# make the directories for the test
mkdir -p /var/tmp/upper /var/tmp/work /mnt/gentoo

# now create a separate, non-persistent mount namespace
unshare -m bash

# set up the overlay
mount -t overlay -o upperdir=/var/tmp/upper/,workdir=/var/tmp/work/,lowerdir=/ overlay /mnt/gentoo/

# since I don't care about protecting /var/tmp/portage,
# put the original on top of the overlay, for better performance maybe?
mount -o bind /var/tmp/portage /mnt/gentoo/var/tmp/portage

# then, like the handbook
cd /mnt/gentoo
mount -t proc proc proc
mount --rbind /sys sys
mount --rbind /dev dev

# finally change into the protected sandbox
chroot . bash

# mess up the system

exit   # the chroot
exit   # the unshare
###

Done. This version allows the sandbox to work with the special files in /dev, /proc and /sys; other options are available, for example a second, separate set of dev/pts and dev/shm submounts.

When you exit the chroot and then the unshare, the /var/tmp/upper directory will contain all the changes made while in the chroot.

Enjoy,
Jim McMechan
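The same overlay-plus-chroot procedure as a script, added here as an example and not part of Jim's post. It keeps the parts worth checking before touching the system in small functions: overlayfs needs upperdir and workdir on one filesystem, so same_fs compares device numbers (GNU stat) before any mount is attempted, and check_layout also confirms the mount point exists. The mounts themselves run inside a fresh mount namespace, with an explicit `mount --make-rprivate /` so that nothing propagates back to the host even on older util-linux versions of unshare. The UPPER, WORK, TARGET and LOWER names are this script's own placeholders, defaulting to the paths used in the post; the optional bind of /var/tmp/portage is left out and can be added next to the proc/sys/dev mounts.

```shell
#!/bin/sh
# overlay_sandbox.sh: scripted overlay-plus-chroot sandbox (added example,
# not the original post's commands). UPPER/WORK/TARGET/LOWER are this
# script's placeholders; override them in the environment. Needs Linux,
# GNU coreutils stat, util-linux unshare, and root for "run".

# overlayfs requires upperdir and workdir on the same filesystem;
# compare device IDs so the mount does not fail later with EXDEV.
same_fs() {
    [ -d "$1" ] && [ -d "$2" ] || return 1
    [ "$(stat -c %d "$1")" = "$(stat -c %d "$2")" ]
}

# Build the -o string for "mount -t overlay" from UPPER WORK LOWER.
overlay_opts() {
    printf 'upperdir=%s,workdir=%s,lowerdir=%s' "$1" "$2" "$3"
}

# check_layout UPPER WORK TARGET: 0 when an overlay mount can be attempted.
check_layout() {
    if ! same_fs "$1" "$2"; then
        echo "upperdir $1 and workdir $2 must exist on the same filesystem" >&2
        return 1
    fi
    if [ ! -d "$3" ]; then
        echo "mount point $3 does not exist" >&2
        return 1
    fi
    return 0
}

# Everything below runs only as "overlay_sandbox.sh run", as root.
# All mounts happen inside a private mount namespace, so they vanish
# when the sandboxed shell exits; only the upper directory persists.
sandbox_run() {
    UPPER=${UPPER:-/var/tmp/upper}
    WORK=${WORK:-/var/tmp/work}
    TARGET=${TARGET:-/mnt/gentoo}
    LOWER=${LOWER:-/}
    mkdir -p "$UPPER" "$WORK" "$TARGET"
    check_layout "$UPPER" "$WORK" "$TARGET" || return 1
    if [ "$(id -u)" -ne 0 ]; then
        echo "mounting the overlay needs root" >&2
        return 1
    fi
    modprobe overlay 2>/dev/null || true   # may already be built in
    # Paths go to the inner shell as $1..$5, so no quoting games are
    # needed. --make-rprivate guards against unshare versions that left
    # mount propagation shared with the host.
    exec unshare -m sh -c '
        target=$4
        mount --make-rprivate / || exit 1
        mount -t overlay -o "$5" overlay "$target" || exit 1
        mount -t proc proc "$target/proc"
        mount --rbind /sys "$target/sys"
        mount --rbind /dev "$target/dev"
        echo "sandbox up; changes will be in $1 after you exit"
        exec chroot "$target" /bin/bash
    ' overlay_sandbox "$UPPER" "$WORK" "$LOWER" "$TARGET" \
        "$(overlay_opts "$UPPER" "$WORK" "$LOWER")"
}

if [ "${1:-}" = run ]; then
    sandbox_run
fi
```

Run it as `sudo ./overlay_sandbox.sh run`; a single `exit` from the bash inside the chroot tears down the namespace and all of its mounts, leaving the changes in the upper directory. Two things to check if the overlay mount is refused: `dmesg` will say so when upperdir and workdir are on different filesystems, and kernels since roughly 5.2 also reject layers that overlap (an upperdir that lies inside lowerdir, as /var/tmp/upper does under lowerdir=/), in which case point UPPER and WORK at a separate filesystem such as a small tmpfs or its own partition.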