crun
Question: Supporting modifications to a read-only rootfs
(This is more of a question, but I wasn't sure where to post this other than the issue tracker.)
I'm trying to use crun as the back-end for a sandboxing tool that makes it possible to modify a container's root filesystem, optionally persisting the changes into a separate user directory. I'm having some trouble mapping that onto an OCI bundle that works with `crun`.
First of all, as per the spec the root key is mandatory, but since I don't actually want to mutate the sources of the rootfs I'm setting readonly=true.
I figured I could then (kind of redundantly) mount the root again, but now using an overlay mount to persist the changes:
```json
"root": {
  "path": "/rootfs",
  "readonly": true
},
"mounts": [
  {
    "destination": "/",
    "type": "overlay",
    "options": [
      "lowerdir=/rootfs",
      "upperdir=/overlay/upper",
      "workdir=/overlay/work",
      "userxattr"
    ]
  }
]
```
crun doesn't accept that, however. Well, more specifically, the overlay mount fails with EINVAL.
Looking at a bundle generated by Docker, which supports this, the root is actually writable and pointing to e.g. a btrfs subvolume. I would like to avoid that, because it requires the caller to set up an overlay-like mechanism to make the root writable, while I'd prefer crun to handle all that (with the added benefit of easy clean-up when the container exits). Is this possible, or outside of the scope of crun? Any other suggestions would be appreciated as well!
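Added as a reviewer's aid (not code from the question or from crun): a Python linter for the overlay mount entries of an OCI config.json, run here on the fragment above. It checks only what the bundle itself shows (the three overlayfs directory options, layers that overlap one another, and an overlay placed at the root destination); host-side requirements such as upperdir and workdir sharing a filesystem, or workdir being empty, cannot be seen from the file.

```python
import json
import posixpath
from itertools import combinations

# Constructed sample: the bundle fragment from the question, wrapped into a complete object.
SAMPLE_CONFIG = json.loads("""{
  "root": {"path": "/rootfs", "readonly": true},
  "mounts": [{"destination": "/", "type": "overlay",
              "options": ["lowerdir=/rootfs", "upperdir=/overlay/upper",
                          "workdir=/overlay/work", "userxattr"]}]
}""")

def parse_options(options):
    """Split 'key=value' mount options into a dict; bare flags such as userxattr map to True."""
    parsed = {}
    for opt in options:
        key, sep, value = opt.partition("=")
        parsed[key] = value if sep else True
    return parsed

def is_within(path, ancestor):
    """Pure path test: path equals ancestor or lies beneath it (no filesystem access)."""
    path, ancestor = posixpath.normpath(path), posixpath.normpath(ancestor)
    return path == ancestor or path.startswith(ancestor.rstrip("/") + "/")

def check_overlay_mounts(config):
    """Return findings for every overlay mount; an empty list means nothing was flagged."""
    findings = []
    for mount in config.get("mounts", []):
        if mount.get("type") != "overlay":
            continue
        dest = mount.get("destination", "?")
        opts = parse_options(mount.get("options", []))
        # overlayfs needs lowerdir; a writable overlay needs upperdir and workdir as well.
        for key in ("lowerdir", "upperdir", "workdir"):
            if key not in opts:
                findings.append(f"{dest}: missing {key}=")
        # The layers must not overlap one another (lowerdir may list several paths separated by ':').
        lower = opts.get("lowerdir")
        named = [("lowerdir", p) for p in (lower.split(":") if isinstance(lower, str) else []) if p]
        named += [(k, opts[k]) for k in ("upperdir", "workdir") if isinstance(opts.get(k), str)]
        for (n1, p1), (n2, p2) in combinations(named, 2):
            if is_within(p1, p2) or is_within(p2, p1):
                findings.append(f"{dest}: {n1} {p1} overlaps {n2} {p2}")
        # A destination of "/" places the overlay over the container root rather than inside it.
        if dest == "/":
            findings.append(f"{dest}: overlay is mounted over the container root itself")
    return findings
```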