Wednesday, February 5, 2014

Creating a self-healing /home/student environment using overlayfs

In a school environment various students have to accomplish different tasks on the same computer every day. So one of the challenges is to give each student using a computer the same tools, look and feel, and setup. There are several different approaches to that. Using overlayfs is the one we are using to achieve that.

First of all what is overlayfs?

Quoting from the documentation "An overlay-filesystem tries to present a filesystem which is the result over overlaying one filesystem on top of the other."

An overlayfs consists of a lowerdir and an upperdir.
The lowerdir is reflected in the upperdir, so when accessing the upperdir you see everything that is in the lowerdir as well. When you change a file in the upperdir it is not propagated down to the lowerdir, so the lowerdir always stays clean.

This picture illustrates our use case.

So we have a regular /home/student directory which is created and is set up accordingly. The /home/.student-rw folder is actually empty and just protects the default /home/student installation.

Whenever we boot our system, we need to make sure that the /home/.student-rw directory sits above the /home/student directory. It only takes an entry in /etc/fstab to do so:

none /home/student overlayfs lowerdir=/home/student,upperdir=/home/.student-rw 0 0

The cool part about the line above is that my mount point actually is /home/student.
So I take /home/student, put my overlay above that, and mount the result onto /home/student, which as of now is protected by stacking another filesystem above it.


OK, this is part one: I protect /home/student. Part two makes sure that all the changes a student made are wiped out on certain occasions. These occasions are:
- reboot and logout

I created a script (in /usr/local/bin/cleanstudentdir.sh) that does that:
#!/bin/bash
# Delete everything students wrote into the upper (read-write) layer.
cd /home/.student-rw && find . -maxdepth 1 -mindepth 1 -print0 | xargs -0 rm -rf
# The remount is necessary to re-read the filesystem.
mount -o remount /home/student


I call that script from lightdm.conf, in both
session-setup-script and session-cleanup-script,
so add these lines to /etc/lightdm/lightdm.conf:
session-setup-script=/usr/local/bin/cleanstudentdir.sh
session-cleanup-script=/usr/local/bin/cleanstudentdir.sh


With the above setup all students get the exact same environment. And I do not care if they change any of their settings, because they will be gone after a reboot anyways.

One last thing that we need to explain: how can we make changes to /home/student that survive a reboot? Well, that's fairly easy.
Before logging in as a student I execute "sudo umount /home/student" from the console, which just removes the overlay. Now I log in as a student and can make any changes that I want to persist. Logging out and adding the overlay again using "sudo mount -t overlayfs overlayfs -olowerdir=/home/student,upperdir=/home/.student-rw /home/student", or a reboot, is enough to protect /home/student again.
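
The maintenance step above leaves /home/student writable until the overlay is mounted again, so it is worth checking that the overlay is really in place before a student session starts. The following is an added example, not part of the original post: the function names overlay_active and sample_mounts and the sample mount lines are constructed for illustration.

```shell
#!/bin/bash
# overlay_active MOUNTPOINT UPPERDIR [MOUNTS_FILE]
# Returns 0 only if the topmost mount at MOUNTPOINT is an overlay whose
# upperdir option equals UPPERDIR. MOUNTS_FILE defaults to /proc/mounts.
overlay_active() {
    local mountpoint="$1" upperdir="$2" mounts="${3:-/proc/mounts}"
    local dev mp fstype opts rest last_type="" last_opts=""
    # Mounts are listed in mount order, so the last match is the topmost one.
    while read -r dev mp fstype opts rest; do
        if [ "$mp" = "$mountpoint" ]; then
            last_type="$fstype"
            last_opts="$opts"
        fi
    done < "$mounts"
    # "overlayfs" is the type used in this post; mainline kernels call it "overlay".
    case "$last_type" in
        overlay|overlayfs) ;;
        *) return 1 ;;   # no overlay: the pristine directory is exposed
    esac
    # Compare the whole upperdir option, not a substring of it.
    case ",$last_opts," in
        *",upperdir=$upperdir,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample mount tables (not captured from a real machine).
# $1 = "protected" prints a table that includes the overlay line.
sample_mounts() {
    echo "/dev/sda1 / ext4 rw,relatime 0 0"
    echo "/dev/sda2 /home ext4 rw,relatime 0 0"
    if [ "$1" = protected ]; then
        echo "none /home/student overlayfs rw,relatime,lowerdir=/home/student,upperdir=/home/.student-rw 0 0"
    fi
}
```

Called as overlay_active /home/student /home/.student-rw at the top of cleanstudentdir.sh, a non-zero result means student changes would land in the default installation instead of the throwaway layer.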


Further reading
https://git.kernel.org/cgit/linux/kernel/git/mszeredi/vfs.git/tree/Documentation/filesystems/overlayfs.txt?h=overlayfs.current
