re-sealing after a usroverlay?

[cgwalters]

(as always, proxying a question asked to me on a private chat)

Say I'm iterating on a fix on an bootc machine. What I would like is to be able to overlay the new bits, and then test them with the bootc restrictions in place. I can overlay the new bits with rpm-ostree usroverlay. Is there an easy way I can lock things back down afterwards to test the changes with these updates, but with the directories set to read-only again. It doesn't need to persist over a reboot. The point is just to quickly iterate on changes.

[cgwalters]

This depends on what you're testing. If you have some code running outside of systemd, then it can work well to do e.g.:

unshare -m
mkdir -p /tmp/rootfs/{upper,work}
mount -t overlay -o upperdir=/tmp/rootfs/upper,workdir=/tmp/rootfs/work,lowerdir=/usr overlay /usr

or so to get a private shell with a temporary overlayfs. This won't affect any other processes.

Alternatively if your code is running as part of a systemd unit, it's possible to do the equivalent there.

There is some support in underlying ostree for ostree admin unlock --transient (not exposed via bootc yet) which mounts the overlay read-only by default.

---

This also relates strongly to #1036 (comment)