by d3Xt3r 398 days ago
I wonder if this could also be used on immutable distros as a way to make temporary or even semi-permanent changes, like installing a system-level app such as a VPN (I ask because the built-in layering solution on distros like Fedora Atomic isn't ideal).

Assuming there is a use case for immutables, what I don't understand is the "sync" business - if the overlay sits on top of the host and sees the host's files, why does it need to "sync" exactly? So say I have an app installed in the sandbox, and I upgraded the OS to the latest edition—what would be the behaviour in the sandbox, and what's the best solution for that? Like, do I need to even run a sync in the first place, if I rebooted the machine? What does the sync do exactly in this instance? And I'm guessing any changes made inside the sandbox would get overridden? Say the app modified /etc/resolv.conf in the sandbox, would a sync override that file? Would the best solution be to reinstall the app(s) in the sandbox, or delete and recreate the sandbox and then reinstall everything inside? Probably best to do this on every boot then I suppose, via a script or something?


> I wonder if this could also be used on immutable distros as a way to make temporary or even semi-permanent changes

I've used it on my own machine to test upgrades and whatnot; typically it just works, so it might very well be useful for the use case you're thinking of.

> like installing a system-level app such as a VPN

At present there's a flag `--net`; when set to `--net=none` it creates a new networking namespace for the sandbox without doing any additional things to configure the network within the sandbox, so it's a simple way to block traffic. I think creating a new namespace but then following it up with setting it up with whatever VPN stuff you wanted would work quite well to create a sandbox that strictly used a particular VPN configuration.

> if the overlay sits on top of the host and sees the host's files, why does it need to "sync" exactly

OverlayFS sometimes caches read results from the "lower" file system, so often it'll just work as you expect, but sometimes reads will be stale. The sync action just flushes all changes to disk and clears the read cache to work around that problem. You definitely don't need to run a sync if you've just rebooted. Additionally, any changes made in the upper fs (the sandboxed view) will remain; sync is non-destructive in nature.
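To make the two points in this reply concrete (writes through the overlay land in the upper layer and leave the host's lower layer untouched; a fresh network namespace has nothing but loopback), here is an added example built from the raw primitives. It is not code from the thread or from the sandbox tool being discussed; it assumes Linux with overlayfs, util-linux `unshare`, iproute2 `ip`, and root, and its `sandbox_sync` is one assumed way to do what the reply calls a "sync", not the tool's own implementation.

```shell
# Added example, not code from the thread or the sandbox tool it discusses.
# Builds an OverlayFS mount whose "lower" layer is a host directory and whose
# "upper" layer collects the sandbox's writes, plus a fresh network namespace.
# Assumes Linux with overlayfs, util-linux `unshare`, iproute2 `ip`, and root.
set -eu

# Mount an overlay over lower dir $1 under base dir $2; prints the merged path.
overlay_mount() {
    lower=$1 base=$2
    mkdir -p "$base/upper" "$base/work" "$base/merged"
    mount -t overlay overlay \
        -o "lowerdir=$lower,upperdir=$base/upper,workdir=$base/work" \
        "$base/merged"
    echo "$base/merged"
}

# Flush dirty data and drop cached pages/dentries (best effort): an assumed
# way to do what the reply calls a "sync", not the tool's own implementation.
sandbox_sync() {
    sync
    echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
}

# Write through the overlay; the host (lower) copy stays untouched while the
# change lands in upper. Prints "lower=host upper=sandbox".
overlay_demo() {
    base=$(mktemp -d)
    mkdir "$base/lower"
    echo host > "$base/lower/hello.txt"          # constructed host file
    merged=$(overlay_mount "$base/lower" "$base")
    [ "$(cat "$merged/hello.txt")" = host ]      # sandbox sees the host file
    echo sandbox > "$merged/hello.txt"           # copy-up into upper
    sandbox_sync
    printf 'lower=%s upper=%s\n' \
        "$(cat "$base/lower/hello.txt")" "$(cat "$base/upper/hello.txt")"
    umount "$merged"
    rm -rf "$base"
}

# Count links visible in a fresh network namespace (the `--net=none` idea):
# only the loopback device exists, so this prints 1.
netns_link_count() {
    unshare -n ip -o link show | wc -l | tr -d ' '
}

if [ "$(id -u)" -eq 0 ]; then
    overlay_demo
    echo "links in new netns: $(netns_link_count)"
else
    echo "run as root to execute the demo" >&2
fi
```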