[dividuum]

An alternative to unshare is also bubblewrap (https://github.com/containers/bubblewrap) which also sets up a new namespace. You can build up your own new filesystem by binding existing paths into the new root and then run a process within it:

    $ mkdir -p root/bin
    $ cp /bin/busybox root/bin/
    $ bwrap --bind root / /bin/busybox sh

    BusyBox v1.27.2 (Ubuntu 1:1.27.2-2ubuntu3.3) built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    / $ ls -l /
    total 0
    drwxrwxr-x    2 1000     1000            60 Jul 22 11:07 bin

[Cloudef]

I used bubblewrap to do a lightweight containers on top of arch + pacman. Basically you could install packages on overlays of the host and do whatever there without affecting the host fs. It was pretty nice.

[stabbles]

So how does this work? Can you mount / as the lower layer of the overlayfs? Doesn't that create a weird recursion because the mountpoint is a path inside /?

[Cloudef]

I used unionfs first to combine the sandbox and / where host / is read-only. Then simply bubblewrap into it. I also mounted / to /host if for some reason you wanted to access host fs from inside the sandbox.

[gigatexal]

Interesting. Going to check out Bubblewrap