Creating a container that uses host's root filesystem as its own

I am creating this topic in General because I don’t see a difference between posting it in LXC and posting it in LXD.

How do I create a container whose root filesystem is set to the host’s root filesystem? I’m interested in using LXC/LXD/whatever to run most of my OS in a more secure environment instead of running a container with an isolated filesystem.

Honestly that does not really make sense.
I am not even sure it would be possible.

You can consider the following alternatives:

  1. Limit your system with AppArmor or similar.
  2. Use a container as your main system (you can search for stuff like GUI and audio etc. in the forum).
    You can copy your host’s filesystem into a container (for example by using LXD-p2c).

The reason I’m not using SELinux or AppArmor is that I like the features used by containers better. With cgroups, I can make the root device read-only to confined processes. With seccomp-bpf, I can restrict important system calls such as init_module and mount to particular daemons. With LXC, calls to mount a block device can be redirected so another program that can strip out undesired options can perform the mount instead. I don’t want to use a copy of my root filesystem.

The features that LXC uses (namespaces, cgroups, chroot, seccomp) don’t have to be used with the intention of making a container, so using them in conjunction to create a sandbox that has the same root filesystem as the “host” is not outside their scope. LXC brings all these features together, so that’s why I’m looking to use it for the purpose I described in the first post.
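
The seccomp-bpf restriction described in the post above, as an added example that is not part of the original thread: a C filter that denies mount and init_module (plus finit_module, the file-descriptor variant of module loading, which goes beyond the calls named in the post) for a process that keeps the host's root filesystem. The function names, the errno parameter and the /nonexistent-demo path are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Deny mount, init_module and finit_module with errno `err`; allow the rest.
 * Once installed the filter cannot be removed by the calling process. */
int deny_mount_and_modules(int err)
{
    struct sock_filter prog[] = {
        /* Another ABI uses different syscall numbers: kill rather than guess. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* x32 numbers (bit 30 set) share the x86-64 arch value: deny them too. */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 4, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mount, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_init_module, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_finit_module, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (err & SECCOMP_RET_DATA)),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    /* no_new_privs is what allows an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Install the filter, then report the errno a mount(2) attempt fails with
 * (-1 if the filter could not be installed). The target path is constructed. */
int mount_errno_under_filter(int err)
{
    if (deny_mount_and_modules(err) != 0) return -1;
    long rc = syscall(__NR_mount, "none", "/nonexistent-demo", "tmpfs", 0UL, NULL);
    return rc == -1 ? errno : 0;
}
```

A launcher would call deny_mount_and_modules(EPERM) and then exec the daemon; the filter is preserved across fork and exec. Passing a different errno, as a test might, makes the filter's refusal distinguishable from the kernel's own permission check.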

I don’t understand where you see the big difference.

Nothing hinders you from simply running a very light host system that only hosts your LXD server; then you simply apply most of your hard drive to an LXD storage, copy your system (once) into a container and use that as your standard system.

For me it’s very similar to your idea, you only copy things once, that’s it.

  1. I don’t want to double the amount of space taken up, especially if I already have a system that I’ve added software and files to on top of a fresh installation.
  2. If I already have a system that I’ve added software and files to on top of a fresh installation, I don’t want to go through the effort of separating the base install from what I’ve added.
  3. I want management of the “host” and management of the “container” to be one and the same.

This would be a great exam question. The answer looks like a “can’t be done”, but how do you explain it in a simple way?

My take would be to say that you would be having two systems with a common filesystem, and this filesystem would be modifiable by the other running system. How would you ensure the integrity of the filesystem if it can be modified at will by the other system?