Many commands fail in the VM since the root filesystem is mounted read-only. For example, running go build inside the VM fails since the build cache can't be changed.
Rather than trying to track down every single case, use an ephemeral root filesystem inside the VM. Basically it behaves like a container, except that there is no way to persist the state.
There is one big risk here: an unsuspecting user might generate lots of changes to the root and run out of memory. To prevent this we limit the size of the ephemeral root to 25% of total RAM. After this limit is reached various syscalls will return ENOSPC. This is a lot easier to debug than random oomkills.
Many commands fail in the VM since the root filesystem is mounted read-only. For example, running go build inside the VM fails since the build cache can't be changed.
Rather than trying to track down every single case, use an ephemeral root filesystem inside the VM. Basically it behaves like a container, except that there is no way to persist the state.
There is one big risk here: an unsuspecting user might generate lots of changes to the root and run out of memory. To prevent this we limit the size of the ephemeral root to 25% of total RAM. After this limit is reached various syscalls will return ENOSPC. This is a lot easier to debug than random oomkills.