binpash / try

Inspect a command's effects before modifying your live system
MIT License

docker support #136

Closed ezrizhu closed 7 months ago

ezrizhu commented 10 months ago

Currently try will not work in docker containers, as they’re backed by overlayfs already (by docker default).

Stack Overflow has a solution to this, which works.

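```sh
# Directory that will hold the tmpfs, plus the lower and merged directories
mkdir /tmp/overlay
mkdir /tmp/{low,merged}
# The parent of upperdir and workdir must itself be a tmpfs
mount -t tmpfs tmpfs /tmp/overlay
mkdir /tmp/overlay/{up,work}
# Mount the overlay with upperdir and workdir inside that tmpfs
mount -t overlay overlay -o lowerdir=/tmp/low/,upperdir=/tmp/overlay/up/,workdir=/tmp/overlay/work/ /tmp/merged/
```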

Essentially, the directory that both upperdir and workdir reside in has to be tmpfs. Note that making just the upperdir and workdir tmpfs is not sufficient.

We can modify try to leverage this to enable support for docker.

This is trivial to do if we only care about running this try as root. We can simply run `mount -t tmpfs tmpfs "$SANDBOX_DIR"` after `mktemp -d`ing it.

However, if we want to do this as a user (in docker containers), this becomes tricky, as we will have to make the tmpfs in unshare, which is also doable; I was able to make a proof of concept to do this. However, that tmpfs will disappear after we exit the unshare, so we will have to find a way to persist it. This will require some considerable refactoring.

ezrizhu commented 10 months ago

As indicated earlier in #19, we are not planning on implementing this right now. This issue is just for documentation purposes.

I’ll close this as won’t fix, until maybe someday we want to address this.

ezrizhu commented 10 months ago

For now, to use try in docker, one can do the following to make a sandbox in a tmpfs, then have try use that sandbox.

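```sh
# Create the sandbox directory and back it with a tmpfs
mkdir sb
mount -t tmpfs tmpfs sb
# Point try at that sandbox directory
./try -D sb <command here>
```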
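
A preflight check for the workaround above, as an added example that is not part of the issue or of try's own code: it reads mount data in `/proc/self/mountinfo` format and reports whether a candidate sandbox directory sits on overlayfs. The function names, the paths and the embedded mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the filesystem type backing a directory, so a
# sandbox directory on overlayfs (Docker's default) is caught before try runs.

# Constructed sample in /proc/self/mountinfo format, shaped like a container.
sample_mountinfo() {
    cat <<'EOF'
100 90 0:50 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
101 100 0:51 / /proc rw,nosuid - proc proc rw
102 100 0:52 / /dev/shm rw,nosuid,nodev shared:5 - tmpfs shm rw,size=65536k
103 100 0:53 / /work/sb rw,relatime - tmpfs tmpfs rw
EOF
}

# fstype_of ABS_PATH [MOUNTINFO]: print the fs type of the mount holding ABS_PATH.
# Longest mount-point prefix wins; on a tie the later (shadowing) mount wins.
# Assumes mount points without escaped characters such as \040.
fstype_of() {
    awk -v p="$1" '
    BEGIN { best = 0 }
    {
        mp = $5; fs = ""
        # Optional fields end at "-"; the fs type is the field after it.
        for (i = 7; i <= NF; i++) if ($i == "-") { fs = $(i + 1); break }
        if (p == mp || mp == "/" || index(p, mp "/") == 1)
            if (length(mp) >= best) { best = length(mp); type = fs }
    }
    END { print type }' "${2:-/proc/self/mountinfo}"
}

# needs_tmpfs ABS_PATH [MOUNTINFO]: succeed when ABS_PATH sits on overlayfs.
needs_tmpfs() {
    [ "$(fstype_of "$1" "$2")" = "overlay" ]
}

# Demo on the constructed sample (both paths are hypothetical).
sample=$(mktemp) && sample_mountinfo > "$sample"
for d in /tmp/sandbox /work/sb; do
    if needs_tmpfs "$d" "$sample"; then
        echo "$d: overlay, mount a tmpfs on it before passing it to try -D"
    else
        echo "$d: $(fstype_of "$d" "$sample"), not overlayfs"
    fi
done
rm -f "$sample"
```

Called without the second argument, both functions read the live `/proc/self/mountinfo`; pass an absolute, symlink-resolved path.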