> Something I'm still not sure about is what would happen if you made a
> symlink, bind mount, etc. in upperdir with the same name as an unrelated
> file in lowerdir. This is worth checking out.
Just tried a symlink and it didn't seem to affect the host directory
(/opt/cisco) which was symlinked to /tmp/upper/cisco in the container to
begin with.
> > It looks like no, since
> >
> > root@w1:/tmp# mount -t overlay -o lowerdir=lower,upperdir=upper,workdir=workdir overlay /mnt
> > root@w1:/tmp# ls /mnt
> > cisco
> > root@w1:/tmp# rmdir /mnt/cisco
> > rmdir: failed to remove ‘/mnt/cisco’: Read-only file system
> > root@w1:/tmp# mv /mnt/cisco /mnt/c2
> > mv: cannot move ‘/mnt/cisco’ to ‘/mnt/c2’: Read-only file system
> >
> > (here w1 is an unpriv container with /hostopt a bind mount of /opt on the
> > host; cisco a directory both in host's /opt and in /tmp/lowerdir)
>
> I think I'm missing something here. I don't know why your mount is
> read-only.
Because a directory in workdir is owned by uid -1 (root on the host).
> But even if it wasn't, cisco is in lowerdir and thus should
> never be modified or removed in any case. Removing it in /mnt should (I
Right, but I was trying to use workdir as a vector to make changes to
something in the host's opt. Not lowerdir.
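A small inspection script, added here as an example and not part of the thread: it parses the overlay entries of /proc/self/mountinfo to recover lowerdir/upperdir/workdir, then checks whether the workdir is owned by a uid mapped in the current user namespace. It assumes the unmapped owner shows up as the kernel's default overflow uid 65534 (what "uid -1" above refers to); the mountinfo line used in the self-test is constructed.

```shell
#!/bin/sh
# Default overflowuid: unmapped owners (e.g. host root seen from an
# unprivileged container) appear as this uid. Assumption, see lead-in.
OVERFLOW_UID=65534

# Print "lowerdir upperdir workdir" for one /proc/self/mountinfo line that
# describes an overlay mount; return 1 for any other filesystem type.
overlay_dirs() {
    line=$1
    # Everything after " - " is: fstype source superblock-options
    rest=${line#* - }
    fstype=${rest%% *}
    [ "$fstype" = overlay ] || return 1
    opts=${rest##* }
    lower=; upper=; work=
    oldifs=$IFS; IFS=,
    for kv in $opts; do
        case $kv in
            lowerdir=*) lower=${kv#lowerdir=} ;;
            upperdir=*) upper=${kv#upperdir=} ;;
            workdir=*)  work=${kv#workdir=} ;;
        esac
    done
    IFS=$oldifs
    printf '%s %s %s\n' "$lower" "$upper" "$work"
}

# 0 if the directory is owned by a uid mapped in this user namespace,
# 1 if it is owned by the overflow uid (unmapped), 2 if it does not exist.
workdir_mapped() {
    [ -d "$1" ] || return 2
    uid=$(stat -c %u "$1")
    [ "$uid" != "$OVERFLOW_UID" ]
}

# Walk the live mount table and report every overlay with its workdir state.
report_overlays() {
    while IFS= read -r line; do
        dirs=$(overlay_dirs "$line") || continue
        set -- $dirs
        if workdir_mapped "$3"; then state=mapped; else state=unmapped-or-missing; fi
        printf 'overlay upper=%s work=%s (workdir owner: %s)\n' "$2" "$3" "$state"
    done < /proc/self/mountinfo
}
```

Run report_overlays inside the container: an overlay whose workdir reports "unmapped-or-missing" is the situation in which the mount comes up read-only as shown above.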