[lxc-users] lxc-execute with read-only rootfs

Serge Hallyn serge.hallyn at ubuntu.com
Thu Dec 19 14:48:27 UTC 2013


Quoting Antonin Bas (antoninb at stanford.edu):
> Hi Stephane,
> 
> Thanks for following-up with me. I actually have one last question.
> Because I also have to compile students' code and would like to do it
> within the container, a read-only rootfs won't do the trick. I am

An ephemeral container will work fine, but you also might want to just
bind mount a directory (or loopback file) into place where you want to
do the compilation, i.e. /opt/build or something.

> thinking of using an overlayfs as suggested by Cal and as is done with
> ephemeral containers. Do you know what's the best way of setting up a
> size quota for the upperdir in Ubuntu? Also, I read somewhere that
> for ephemeral containers, the upperdir changes were stored in memory.

overlayfs doesn't have such an option (at least I didn't see it in
fs/overlayfs/super.c).  You could simply use a loopback file or LVM LV
of the max size for the read-write layer.

> But I did not see anything special when I looked at the
> lxc-start-ephemeral python source code. All I see is a call to
> tempfile.mkdtemp to create the temporary directory for the upperdir.
> Am I missing something?

Note other possibilities are to use snapshot clones using either btrfs
or LVM.  LVM will let you specify a max size for the clone, and I
suspect you can specify a subvolume size in btrfs (but don't know
offhand how).

-serge
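
The loopback-file approach suggested above, sketched as an added example that is not part of the original message: the filesystem inside the image is the hard size cap for everything written through the overlay. All paths, sizes and function names are assumptions, and the mount syntax is the one used by current mainline kernels.

```shell
#!/bin/sh
# Added example: size-capped read-write layer for an overlay rootfs.
# Paths, sizes and function names are illustrative assumptions.

# Create a sparse backing file of exactly SIZE (e.g. 512M). No root needed.
# Refuses to touch an existing file so a live image is never resized.
create_backing_file() {
    img=$1; size=$2
    if [ -e "$img" ]; then
        echo "refusing to overwrite $img" >&2
        return 1
    fi
    truncate -s "$size" "$img"
}

# Format the image and loop-mount it (root required). The capacity of
# this filesystem is the quota: writes fail with ENOSPC once it is full.
mount_rw_layer() {
    img=$1; mnt=$2
    mkfs.ext4 -q -F "$img"
    mkdir -p "$mnt"
    mount -o loop "$img" "$mnt"
    mkdir -p "$mnt/upper" "$mnt/work"
}

# Stack the capped layer over the read-only base rootfs (root required).
# Mainline kernels use type "overlay" and need workdir on the same
# filesystem as upperdir; the Ubuntu kernels of 2013 used type
# "overlayfs" with only lowerdir= and upperdir=.
mount_overlay() {
    lower=$1; rw=$2; merged=$3
    mkdir -p "$merged"
    mount -t overlay overlay \
        -o "lowerdir=$lower,upperdir=$rw/upper,workdir=$rw/work" "$merged"
}

# Typical sequence, run as root (hypothetical paths):
#   create_backing_file /var/lib/lxc/student1/rw.img 512M
#   mount_rw_layer      /var/lib/lxc/student1/rw.img /var/lib/lxc/student1/rw
#   mount_overlay       /var/lib/lxc/base/rootfs /var/lib/lxc/student1/rw \
#                       /var/lib/lxc/student1/rootfs
```

Discarding a student's changes afterwards is a matter of unmounting both mounts and deleting the image file.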

