| field | value | date |
|---|---|---|
| author | Colin Walters <walters@verbum.org> | 2016-12-07 16:13:56 -0500 |
| committer | Atomic Bot <atomic-devel@projectatomic.io> | 2016-12-12 15:02:37 +0000 |
| commit | 3a5c70198823e51210fde89fe897232fb1619488 (patch) | |
| tree | 28ff9a4b880f3cd2a74795572bb415a24473a1f9 /README.md | |
| parent | a18875346d0778703088960f844a2c86739f4b55 (diff) | |
| download | bubblewrap-3a5c70198823e51210fde89fe897232fb1619488.tar.gz | |
README.md: Update with better one liner and more information
The `ro-bind /` thing was ill advised.
Closes: https://github.com/projectatomic/bubblewrap/issues/125
Closes: #127
Approved by: alexlarsson
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 37 |
1 files changed, 9 insertions, 28 deletions
@@ -71,38 +71,19 @@ exits. You can then use commandline options to construct the root filesystem and process environment and command to run in the namespace. -A simple example is -``` -bwrap --ro-bind / / bash -``` -This will create a read-only bind mount of the host root at the -sandbox root, and then start a bash. +There's a larger [demo script](./demos/bubblewrap-shell.sh) in the +source code, but here's a trimmed down version which runs +a new shell reusing the host's `/usr`. -Another simple example would be a read-write chroot operation: ``` -bwrap --bind /some/chroot/dir / bash +bwrap --ro-bind /usr /usr --symlink usr/lib64 /lib64 --proc /proc --dev /dev --unshare-pid bash ``` -A more complex example is to run a with a custom (readonly) /usr, -but your own (tmpfs) data, running in a PID and network namespace: - -``` -bwrap --ro-bind /usr /usr \ - --tmpfs /tmp \ - --proc /proc \ - --dev /dev \ - --ro-bind /etc/resolv.conf /etc/resolv.conf \ - --symlink usr/lib /lib \ - --symlink usr/lib64 /lib64 \ - --symlink usr/bin /bin \ - --symlink usr/sbin /sbin \ - --chdir / \ - --unshare-pid \ - --unshare-net \ - --dir /run/user/$(id -u) \ - --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \ - /bin/sh -``` +This is an incomplete example, but useful for purposes of +illustration. More often, rather than creating a container using the +host's filesystem tree, you want to target a chroot. There, rather +than creating the symlink `lib64 -> usr/lib64` in the tmpfs, you might +have already created it in the target rootfs. Sandboxing ---------- |
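Review bot: the new paragraph calls the one-liner "an incomplete example" but never says what is missing, and the deleted block in this same hunk shows exactly that: the shortened command drops `--symlink usr/bin /bin`, `--symlink usr/lib /lib`, `--symlink usr/sbin /sbin`, `--tmpfs /tmp` and, most importantly, `--unshare-net`. A reader copying the new line gets a sandbox that still shares the host's network namespace and has no `/bin`, `/lib` or `/tmp`, so anything with a `#!/bin/sh` shebang will fail inside it. Suggest either keeping `--unshare-net` in the one-liner (it costs nothing in length and preserves the isolation the old example advertised) or adding one sentence after the fence naming what was left out, e.g. "it leaves the host network visible and creates no `/bin`, `/lib` or `/tmp`". The old "This will create a read-only bind mount ... and then start a bash" explanation was also removed without a replacement, so the options in the new command (`--proc`, `--dev`, `--unshare-pid`) are now shown but not described; a short per-option description would keep the README self-explanatory.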