We'd like to basically capture and record the filesystem state of the sandboxee (merged view of upper and lower layer, or just the upper layer contents).

You want to capture the rootfs overlay's upper layer contents? Or are you talking about checkpoint/restore with gVisor (which should already work with all modes of --overlay2 flag)?

Aiming to do the former, but at the same time need to use overlay2 because we're trying to run docker inside gvisor and docker doesn't appear work inside gVisor with --overlay2=none due to failed to register layer: operation not permitted when trying to pull certain images, which I think is due to restrictions of the 9p filesystem? (e.g., docker pull bitnami/redis:7.0 which doesn't work when root filesystem shows 9p, but works when it shows overlay)

We currently don't have a way to extract just the rootfs upper layer from the checkpoint image generated by runsc checkpoint. I am (co-incidentally) working on extracting the rootfs upper layer as a TAR file. Would you be interested in that? We could add some API in runsc to invoke that functionality.

Would be interested in that!

Originally posted by @xpbowler in #11892