[GH-ISSUE #1907] Define specific overlay directory in argument

gitea-mirror commented

2026-05-05 07:46:55 -06:00

Owner

Originally created by @oxwivi on GitHub (Apr 23, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1907

I want to reuse the overlay directory after I exit from the environment, but while they're saved in the ~/.firejail directory, there doesn't seem to be anyway to make firejail use them next time I run it.

My use case is I want to use it like a container, but based on the existing root of my host system instead of a clean image while a fuck ton of dependencies are downloaded and each container is separately updated every time there are any upgrades available.

In this specific case, I want to install nginx and a web service within the overlay system, though I still haven't figured out how I may persistently run a service within a firejail.

Originally created by @oxwivi on GitHub (Apr 23, 2018). Original GitHub issue: https://github.com/netblue30/firejail/issues/1907 I want to reuse the overlay directory after I exit from the environment, but while they're saved in the `~/.firejail` directory, there doesn't seem to be anyway to make `firejail` use them next time I run it. My use case is I want to use it like a container, but based on the existing root of my host system instead of a clean image while a fuck ton of dependencies are downloaded and each container is separately updated every time there are any upgrades available. In this specific case, I want to install `nginx` and a web service within the overlay system, though I still haven't figured out how I may persistently run a service within a `firejail`.

gitea-mirror closed this issue

2026-05-05 07:47:03 -06:00

gitea-mirror commented

2026-05-05 07:47:05 -06:00

Author

Owner

@ghost commented on GitHub (Apr 23, 2018):

I'm no expert in any of this but have you looked at --private=directory? It may be what you want.

It basically sets the home directory of the sandbox. So you can use it again and again even after you terminate firejail. Not sure if that is what you want though.

@ghost commented on GitHub (Apr 23, 2018): I'm no expert in any of this but have you looked at `--private=directory`? It may be what you want. It basically sets the home directory of the sandbox. So you can use it again and again even after you terminate `firejail`. Not sure if that is what you want though.

gitea-mirror commented

2026-05-05 07:47:06 -06:00

Author

Owner

@oxwivi commented on GitHub (Apr 23, 2018):

@temporaryMan1233, nope that's definitely not it. --private only creates a separate /home, it does not clone the root directory of the system.

Other than that, I've discovered I can't use sudo within a firejail even with --noprfile flag:

$ sudo python install.py --production
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

Quite unfortunate.

@oxwivi commented on GitHub (Apr 23, 2018): @temporaryMan1233, nope that's definitely not it. `--private` only creates a separate `/home`, it does not clone the root directory of the system. Other than that, I've discovered I can't use `sudo` within a `firejail` even with `--noprfile` flag: ``` $ sudo python install.py --production sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges? ``` Quite unfortunate.

gitea-mirror commented

2026-05-05 07:47:07 -06:00

Author

Owner

@Fred-Barclay commented on GitHub (Apr 23, 2018):

@oxwivi Possibly because the correct flag is really --noprofile? 😃

$ firejail --noprofile
Parent pid 2984, child pid 2985
Child process initialized in 35.44 ms
[fred@TheUpsideDown ~]$ sudo id
uid=0(root) gid=0(root) groups=0(root)

@Fred-Barclay commented on GitHub (Apr 23, 2018): @oxwivi Possibly because the correct flag is really `--noprofile`? :smiley: ``` $ firejail --noprofile Parent pid 2984, child pid 2985 Child process initialized in 35.44 ms [fred@TheUpsideDown ~]$ sudo id uid=0(root) gid=0(root) groups=0(root)

gitea-mirror commented

2026-05-05 07:47:10 -06:00

Author

Owner

@oxwivi commented on GitHub (Apr 24, 2018):

Thanks for noticing the typo, but the mistake is only in the comments:

$ firejail --overlay --noprofile
Parent pid 15484, child pid 15485
OverlayFS configured in /home/ontoki/.firejail/15484 directory
Dropping all Linux capabilities and enforcing default seccomp filter
Warning: failed to unmount /sys
Child process initialized in 268.04 ms
$ sudo id
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
$ sudo python install.py --production
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

@oxwivi commented on GitHub (Apr 24, 2018): Thanks for noticing the typo, but the mistake is only in the comments: ``` $ firejail --overlay --noprofile Parent pid 15484, child pid 15485 OverlayFS configured in /home/ontoki/.firejail/15484 directory Dropping all Linux capabilities and enforcing default seccomp filter Warning: failed to unmount /sys Child process initialized in 268.04 ms $ sudo id sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges? $ sudo python install.py --production sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges? ```

gitea-mirror commented

2026-05-05 07:47:12 -06:00

Author

Owner

@oxwivi commented on GitHub (Apr 24, 2018):

It's the same without --overlay; seems like it's a different issue:

$ firejail --noprofile
Warning: an existing sandbox was detected. /bin/bash will run without any additional sandboxing features
$ sudo id
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

Speaking of which, what's the use case of --noprofile?

@oxwivi commented on GitHub (Apr 24, 2018): It's the same without `--overlay`; seems like it's a different issue: ``` $ firejail --noprofile Warning: an existing sandbox was detected. /bin/bash will run without any additional sandboxing features $ sudo id sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges? ``` Speaking of which, what's the use case of `--noprofile`?

gitea-mirror commented

2026-05-05 07:47:13 -06:00

Author

Owner

@oxwivi commented on GitHub (Apr 24, 2018):

... IDK what happened, but I installed repo version over my compiled version on Ubuntu 16.04 and both ip addr and sudo are working perfectly fine. Now, back to original issue of specifying overlay directory. @netblue30, please.

@oxwivi commented on GitHub (Apr 24, 2018): ... IDK what happened, but I installed repo version over my compiled version on Ubuntu 16.04 and both `ip addr` and `sudo` are working perfectly fine. Now, back to original issue of specifying `overlay` directory. @netblue30, please.

gitea-mirror commented

2026-05-05 07:47:15 -06:00

Author

Owner

@oxwivi commented on GitHub (Apr 24, 2018):

Fuck me, there's overlay-named, but it's not fucking mentioned in the 16.04 manpages. Fuck my life.

@oxwivi commented on GitHub (Apr 24, 2018): Fuck me, there's `overlay-named`, but it's not fucking mentioned in the 16.04 manpages. Fuck my life.

gitea-mirror commented

2026-05-05 07:47:16 -06:00

Author

Owner

@oxwivi commented on GitHub (Apr 24, 2018):

May I scream?

$ firejail --noprofile 
Parent pid 22776, child pid 22777
Child process initialized in 13.07 ms
$ sudo id
uid=0(root) gid=0(root) groups=0(root)
$ exit 
exit

Parent is shutting down, bye...
$ firejail --noprofile --overlay-named=erp
Parent pid 22806, child pid 22807
OverlayFS configured in /home/ontoki/.firejail/erp directory
Dropping all Linux capabilities and enforcing default seccomp filter
Warning: failed to unmount /sys
Child process initialized in 9.33 ms
$ sudo id
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
$ exit 
exit

Parent is shutting down, bye...
$ firejail --noprofile 
Parent pid 22820, child pid 22821
Child process initialized in 15.35 ms
$ sudo id
uid=0(root) gid=0(root) groups=0(root)

@oxwivi commented on GitHub (Apr 24, 2018): May I scream? ``` $ firejail --noprofile Parent pid 22776, child pid 22777 Child process initialized in 13.07 ms $ sudo id uid=0(root) gid=0(root) groups=0(root) $ exit exit Parent is shutting down, bye... $ firejail --noprofile --overlay-named=erp Parent pid 22806, child pid 22807 OverlayFS configured in /home/ontoki/.firejail/erp directory Dropping all Linux capabilities and enforcing default seccomp filter Warning: failed to unmount /sys Child process initialized in 9.33 ms $ sudo id sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges? $ exit exit Parent is shutting down, bye... $ firejail --noprofile Parent pid 22820, child pid 22821 Child process initialized in 15.35 ms $ sudo id uid=0(root) gid=0(root) groups=0(root) ```

gitea-mirror commented

2026-05-05 07:47:17 -06:00

Author

Owner

@oxwivi commented on GitHub (Apr 24, 2018):

I learned only sudo firejail will allow overlay with sudo.

@oxwivi commented on GitHub (Apr 24, 2018): I learned only `sudo firejail` will allow `overlay` with `sudo`.

Rows
Columns

[GH-ISSUE #1907] Define specific overlay directory in argument #1280