On Mon, Sep 25, 2017 at 11:27 AM, Martin Vaeth <mar...@mvath.de> wrote:
> Rich Freeman <ri...@gentoo.org> wrote:
>>
>> I wouldn't be surprised if it works with a single bind mount with
>> /proc and /dev and so on mounted on top of that.
>
> Either you start with a writable tree and bind-mount some directories
> non-writable or the opposite way. Either way, a dozen or so bind-mounts
> are minimally necessary.
>

/proc, /sys, and /dev wouldn't be bind mounts.  They're just mounts.
And everything else would be pulled in with a read-only bind mount of /.

You're going to need the same mounts of /proc, /sys, and /dev on an
overlay, unless you really wanted to let those pass through, which
seems like a bad idea.

>> You say "not even a bind" as if that is a benefit.
>
> In case the "non-scaling" argument has not become clear,
> I try to visualize it by a table:
>
>          | "simple"       | "fine grained"
> ---------+----------------+-------------------
> Overlay  | 1 mount        | 1 mount
> ---------+----------------+-------------------
> Container| 10? bind mounts| 1000? bind mounts

Except it is more like:

         | "simple"        | "fine grained"
---------+-----------------+-------------------
Overlay  | 1 mount         | 1 mount + 1000? file deletions in the overlay
---------+-----------------+-------------------
Container| 1-2 bind mounts | 1000? bind mounts

I left out dev+sys+proc in both cases - it would be a few more mounts
either way.

And there is really no difference in performance between 1 mount and
10 in practice.

-- 
Rich
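The two columns of the table above, written out as mount sequences. This is an added example, not code from the thread, from either poster, or from Gentoo. It prints the commands by default (dry run) so the scaling can be counted; the function names, the SANDBOX_EXEC switch and the /mnt/... directories are placeholders chosen here, and mounting a tmpfs on /dev (rather than devtmpfs) is an assumption, since the thread only says /dev is "just a mount".

```shell
#!/bin/sh
# Added example (not from the thread or from Gentoo): builds the mount
# sequence for the two sandbox styles compared in the table. By default
# it only prints the commands (dry run). With SANDBOX_EXEC=1, run as root
# inside a fresh mount namespace (e.g. "unshare -m"), it executes them.
# TARGET, UPPER and WORK are placeholder directories that must exist.

run() {
    if [ "${SANDBOX_EXEC:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Pseudo-filesystems are fresh mounts in both styles, never binds of the
# host's instances, so the sandbox does not see the host's /proc or /dev.
mount_pseudo_fs() {
    run mount -t proc proc "$1/proc"
    run mount -t sysfs sysfs "$1/sys"
    run mount -t tmpfs tmpfs "$1/dev"   # populate with only the nodes needed
}

# ro_root_sandbox TARGET [WRITABLE_PATH...]
# "Container" column: one read-only bind mount of / pulls in the whole
# tree; each path that must stay writable costs one more bind mount.
ro_root_sandbox() {
    target="$1"; shift
    run mount --bind / "$target"
    run mount -o remount,bind,ro "$target"
    mount_pseudo_fs "$target"
    for p in "$@"; do
        run mount --bind "$p" "$target$p"
    done
}

# overlay_sandbox TARGET UPPER WORK [HIDDEN_PATH...]
# "Overlay" column: one overlay mount; hiding a path is not a mount but a
# deletion in the merged tree, which overlayfs records as a whiteout in
# UPPER, so the host copy is untouched.
overlay_sandbox() {
    target="$1"; upper="$2"; work="$3"; shift 3
    run mount -t overlay overlay \
        -o "lowerdir=/,upperdir=$upper,workdir=$work" "$target"
    mount_pseudo_fs "$target"
    for p in "$@"; do
        run rm -rf "$target$p"
    done
}

# count_ops KIND FUNCTION ARGS...: number of dry-run lines that start with
# KIND ("mount" or "rm"), ignoring the read-only remount, to compare how
# each style scales with the number of exceptions.
count_ops() {
    kind="$1"; shift
    ( SANDBOX_EXEC=0; "$@" ) | grep "^$kind " | grep -v remount | wc -l | tr -d ' '
}
```

Running `count_ops mount ro_root_sandbox /mnt/sb` gives 4 (the bind of / plus proc, sys and dev), and every extra writable path adds exactly one mount; the overlay stays at 4 mounts however many paths are hidden, but each hidden path becomes a deletion in the merged tree.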