On Sat, Sep 23, 2017 at 7:42 PM, Alec Warner <anta...@gentoo.org> wrote:
>
> We could try forcing failures (say, by not having / mounted as lowerdir, so
> syscalls against the rootfs would just fail as E_NOENT) but then we are
> still stuck with the tricky part, which is that sometimes things *do* need
> to read / write from the rootfs and the sandbox add* API is available to do
> that. How would we implement something like that here?
>
I would personally recommend against the overlay approach for all the reasons you state. A read-only container is a much simpler solution and generates the same kinds of errors as the current sandbox approach, but likely with fewer compatibility issues.

I'm not really sure what tracing gets us that containers don't, other than having to make sure you trap everything and handle it. The kernel already handles attempts to write to read-only files and so on.

We could add an API to designate specific files/directories/etc. as read-write, and then portage would bind mount them as writable in the container.

--
Rich
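A sketch of the read-only container plus writable bind mounts that the reply proposes, added here as an illustration and not code from the thread or from Portage; the helper names (`plan_sandbox_mounts`, `is_writable_path`, `run_sandboxed`) and the sandbox root path are assumptions, and the actual mount namespace step needs root.

```sh
#!/bin/sh
# Added example: a build sandbox whose rootfs is bind-mounted read-only,
# with only explicitly designated paths bind-mounted writable. Writes
# anywhere else fail with EROFS from the kernel, no syscall tracing needed.
# Helper names are hypothetical; this is not Portage's sandbox code.

# Print the mount operations for a sandbox rooted at $1; every further
# argument is a path the build may write to. Output: one command per line.
plan_sandbox_mounts() {
    root="$1"; shift
    # Bind the rootfs and flip the bind read-only. Only the top mount is
    # affected: separate filesystems (/usr, /proc, ...) need their own bind.
    echo "mount --bind / '$root'"
    echo "mount -o remount,bind,ro '$root'"
    for rw in "$@"; do
        case "$rw" in
            /*) ;;
            *) echo "plan_sandbox_mounts: '$rw' is not absolute" >&2; return 1 ;;
        esac
        # Writable view of the same directory on top of the read-only root.
        echo "mount --bind '$rw' '$root$rw'"
    done
}

# The "designate as read-write" check: is path $1 inside any of the
# writable roots given as the remaining arguments?
is_writable_path() {
    p="$1"; shift
    for rw in "$@"; do
        case "$p" in
            "$rw"|"$rw"/*) return 0 ;;
        esac
    done
    return 1
}

# Run command $3 inside the sandbox (root required): a private mount
# namespace so the binds never leak to the host, then chroot into it.
# Usage: run_sandboxed /var/tmp/sandbox-root "/var/tmp/portage /tmp" "emerge-like-cmd"
run_sandboxed() {
    root="$1"; rw_list="$2"; cmd="$3"
    # shellcheck disable=SC2086  # rw_list is intentionally word-split
    ops=$(plan_sandbox_mounts "$root" $rw_list) || return 1
    mkdir -p "$root"
    unshare --mount --propagation private sh -c "$ops && chroot '$root' sh -c '$cmd'"
}
```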