On Mon April 13 2009, Xavier Pijuan wrote:
>
> Hello,
> I have been trying to use the auroot.sh script to sandbox an application, but
> it doesn't seem to work. I have tried to make it manually, but it seems
> impossible, because aufs keeps complaining about overlaps.
>
> The problem is that, in this case, mounting "/" and /tmp/rw in /tmp/jail
> would cause an infinite loop in /tmp/jail/tmp/jail/tmp..., so aufs refuses to
> do it. This seems reasonable, but I think there are other ways to solve it.
> For example, I think the best option would be an "-o overlap=exclude" or
> similar option, which would simply exclude the problematic directories from
> the resulting filesystem. In that case:
>
> # mount -t aufs -o br:/tmp/rw:/ aufs /tmp/jail
> mount: wrong fs type, bad option, bad superblock on aufs,
>        missing codepage or helper program, or other error
>        (for several filesystems (e.g. nfs, cifs) you might
>        need a /sbin/mount.<type> helper program)
>        In some cases useful info is found in syslog - try
>        dmesg | tail or so
> # dmesg | tail
> [42693.099394] aufs test_add:393:mount[1859]: / is overlapped
>
> # mount -t aufs -o overlap=exclude,br:/tmp/rw:/ aufs /tmp/jail
> # ls /tmp/jail
> bin cdrom etc lib media opt srv tmp var vmlinuz.old boot dev
> home initrd.img lost+found mnt proc sbin sys usr vmlinuz
> # ls /tmp/jail/tmp/jail
> (empty)
> # ...
>
> As you can see, instead of an infinite loop we have an empty directory. That
> would be easy to code and very useful (at least to me). Until then I will
> have to find some workaround.
Wrong tool. Sounds like you want Linux-VServer, not auFS.

That way you can 'jail' anything from a single application to an entire
Linux distribution. It also supports immutable links with CoW breaking,
allowing you to have whatever you want on the 'main' file system visible in
the 'jail context' and the only things present will be the changed files.

Ref: http://linux-vserver.org/Welcome_to_Linux-VServer.org

You can use the 'experimental' link or the table on that page, or:
http://vserver.13thfloor.at/Experimental/
and page-down (a lot) - the newest stuff is at the bottom of the page.

Don't be put off by the word 'Experimental'. Their idea of 'Experimental'
puts some projects' idea of 'Stable-Mature' to shame. ;)

Mike

------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
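The rejection Xavier hit ("/ is overlapped") is aufs refusing a branch that contains, or is contained in, the mount point or another branch, because the union would then contain itself. The following POSIX sh script is an added example, written for this page and not code from aufs, auroot.sh, or either poster: it reproduces that overlap rule in user space so a jail script can refuse a bad layout before calling mount and print which paths conflict. The function names (norm_path, paths_overlap, check_union) and the sample layouts are constructed for the example; it implements only the existing rejection check, not the "overlap=exclude" behaviour proposed in the thread.

```shell
#!/bin/sh
# Added example (not from aufs or the thread): a user-space pre-check for
# the overlap condition that makes aufs reject a union mount.
#
# Two paths overlap when they are the same directory or one lies inside
# the other. With "/" as a branch and /tmp/jail as the mount point, the
# mount point lies inside the branch, so the union would contain itself.

# norm_path PATH: strip trailing slashes, except for the root itself.
norm_path() {
    p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do
        p=${p%/}
    done
    printf '%s\n' "$p"
}

# paths_overlap A B: return 0 (true) if A and B overlap, 1 otherwise.
paths_overlap() {
    a=$(norm_path "$1")
    b=$(norm_path "$2")
    if [ "$a" = "$b" ]; then
        return 0
    fi
    # "/" is an ancestor of every other path; the glob below cannot
    # express that ("//*" never matches), so handle it explicitly.
    if [ "$a" = "/" ] || [ "$b" = "/" ]; then
        return 0
    fi
    # The trailing "/" in the pattern is what keeps /tmp/rw and /tmp/rwx
    # from being treated as nested.
    case $b in
        "$a"/*) return 0 ;;   # B is inside A
    esac
    case $a in
        "$b"/*) return 0 ;;   # A is inside B
    esac
    return 1
}

# check_union MOUNTPOINT BRANCH...: return 0 if no branch overlaps the
# mount point or another branch; otherwise report each conflict on
# stderr and return 1.
check_union() {
    mnt=$1
    shift
    rc=0
    for br in "$@"; do
        if paths_overlap "$br" "$mnt"; then
            echo "branch $br overlaps mountpoint $mnt" >&2
            rc=1
        fi
    done
    # aufs also rejects branches that lie inside one another
    # (in the thread, /tmp/rw lies inside the "/" branch).
    while [ $# -gt 1 ]; do
        first=$1
        shift
        for other in "$@"; do
            if paths_overlap "$first" "$other"; then
                echo "branch $first overlaps branch $other" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed demonstration: the layout from the thread, then one that a
# jail script could safely hand to mount (a copy of the base system kept
# outside the jail directory instead of "/" itself).
if check_union /tmp/jail /tmp/rw / 2>/dev/null; then
    echo "br:/tmp/rw:/ at /tmp/jail: ok"
else
    echo "br:/tmp/rw:/ at /tmp/jail: rejected, as aufs does"
fi
if check_union /tmp/jail /tmp/rw /srv/base; then
    echo "br:/tmp/rw:/srv/base at /tmp/jail: ok"
fi
```

Run it before the real mount in a wrapper such as auroot.sh; a non-zero exit from check_union means aufs would have printed "is overlapped" in dmesg, and the stderr lines name the offending pair so the layout can be corrected instead of guessed at.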