From 3a5c70198823e51210fde89fe897232fb1619488 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Wed, 7 Dec 2016 16:13:56 -0500
Subject: README.md: Update with better one liner and more information

The `ro-bind /` thing was ill advised.

Closes: https://github.com/projectatomic/bubblewrap/issues/125

Closes: #127
Approved by: alexlarsson
---
 README.md | 37 +++++++++----------------------------
 1 file changed, 9 insertions(+), 28 deletions(-)

diff --git a/README.md b/README.md
index e299b91..63dae63 100644
--- a/README.md
+++ b/README.md
@@ -71,38 +71,19 @@ exits. You can then use commandline options to construct the root filesystem and process environment and command to run in the namespace. -A simple example is -``` -bwrap --ro-bind / / bash -``` -This will create a read-only bind mount of the host root at the -sandbox root, and then start a bash. +There's a larger [demo script](./demos/bubblewrap-shell.sh) in the +source code, but here's a trimmed down version which runs +a new shell reusing the host's `/usr`. -Another simple example would be a read-write chroot operation: ``` -bwrap --bind /some/chroot/dir / bash +bwrap --ro-bind /usr /usr --symlink usr/lib64 /lib64 --proc /proc --dev /dev --unshare-pid bash ``` -A more complex example is to run a with a custom (readonly) /usr, -but your own (tmpfs) data, running in a PID and network namespace: - -``` -bwrap --ro-bind /usr /usr \ - --tmpfs /tmp \ - --proc /proc \ - --dev /dev \ - --ro-bind /etc/resolv.conf /etc/resolv.conf \ - --symlink usr/lib /lib \ - --symlink usr/lib64 /lib64 \ - --symlink usr/bin /bin \ - --symlink usr/sbin /sbin \ - --chdir / \ - --unshare-pid \ - --unshare-net \ - --dir /run/user/$(id -u) \ - --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \ - /bin/sh -``` +This is an incomplete example, but useful for purposes of +illustration. More often, rather than creating a container using the +host's filesystem tree, you want to target a chroot. There, rather +than creating the symlink `lib64 -> usr/lib64` in the tmpfs, you might +have already created it in the target rootfs. Sandboxing ---------- -- cgit v1.2.1
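Review bot: the replacement one-liner drops `--unshare-net` and `--tmpfs /tmp` from the example it supersedes, so a reader who copies it gets a shell that still shares the host's network namespace and has no private `/tmp`, yet the surrounding prose only calls the example "incomplete" without saying what is missing; suggest either keeping `--unshare-net` in the one-liner or spelling out in the paragraph that follows it which namespaces remain shared (the old example's `--unshare-net` and `--ro-bind /etc/resolv.conf` lines were what made that explicit). The same paragraph would also benefit from one sentence on why `--symlink usr/lib64 /lib64` is there at all (the only explanation of the symlinks, "custom (readonly) /usr", is being deleted), and the old example's `--symlink usr/bin /bin` and `usr/sbin /sbin` are gone too, so the one-liner now depends on `bash` being reachable under `/usr` via the host's `PATH`; worth stating that assumption. Minor: the new `bwrap --ro-bind /usr /usr --symlink ... bash` line is long enough that the deleted example's backslash-continued layout read more easily and lined up one option per line.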