Containers and syscall.CLONE_NEWNS

Question


I'm running the golang code on this repo https://github.com/lizrice/containers-from-scratch/blob/master/main.go and I'm having a problem with the mount namespace. What the code should do is create a process within its own mount namespace. So if I run the code with sudo go run main.go run /bin/bash and I create a file inside the directory mytemp, I should be able to see that file from within the newly started process, but if I try to view that file by moving to the rootfs directory on the host, I shouldn't be able to see that file, thanks to the mount namespace.
Unfortunately I still see this file, so it seems that the process I run is not mount namespaced.
To run the code, I used this https://github.com/ericchiang/containers-from-scratch/releases/download/v0.1.0/rootfs.tar.gz as a rootfs and moved it under /home/me. Then I created a mytemp directory to use as the tmpfs mount target.
Do you have any ideas about the reasons why the process doesn't get mount namespaced?

Thanks!

Answer 1

Score: 3


This issue could be solved by configuring the host machine mount to be private, which does not receive or forward any propagation events to other mounts, vide RedHat - Sharing Mounts.

This command should be executed on your host machine before you create the container:

$ mount --make-rprivate /
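The check and the in-process form of the fix above, as an added Go example that is not part of the question's repository or of the answer: it parses a constructed /proc/self/mountinfo excerpt to tell whether a mount point is shared (the condition under which the child's tmpfs mount propagates back to the host), and wraps the MS_REC|MS_PRIVATE remount that the child would issue right after entering its new mount namespace instead of running `mount --make-rprivate /` on the host by hand. The function names and the sample mountinfo lines are mine.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"syscall"
)

// Constructed mountinfo excerpt (not from a real host): "/" is shared:1,
// the tmpfs on mytemp has no propagation field, i.e. it is private.
const sampleMountinfo = `22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 0:35 / /home/me/mytemp rw,relatime - tmpfs tmpfs rw`

// mountPropagation parses /proc/self/mountinfo text and returns the
// propagation type ("shared", "slave" or "private") of the mount at
// mountPoint. Field 5 is the mount point; optional fields run until "-".
func mountPropagation(mountinfo, mountPoint string) (string, bool) {
	for _, line := range strings.Split(mountinfo, "\n") {
		f := strings.Fields(line)
		if len(f) < 7 || f[4] != mountPoint {
			continue
		}
		for _, opt := range f[6:] {
			switch {
			case opt == "-":
				return "private", true
			case strings.HasPrefix(opt, "shared:"):
				return "shared", true
			case strings.HasPrefix(opt, "master:"):
				return "slave", true
			}
		}
		return "private", true
	}
	return "", false
}

// makeRootPrivate is the in-process form of `mount --make-rprivate /`: call
// it in the child once CLONE_NEWNS is in effect and before mounting the
// tmpfs, so that mount cannot propagate to the host. Needs CAP_SYS_ADMIN.
func makeRootPrivate() error {
	return syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, "")
}

func main() {
	data, _ := os.ReadFile("/proc/self/mountinfo") // Linux only
	state, _ := mountPropagation(string(data), "/")
	fmt.Println("propagation of / in this mount namespace:", state)
}
```

If the program prints "shared" for / on the host, a tmpfs mounted inside the new namespace will still show up on the host unless the child makes its root private first.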

huangapple
  • Posted on 2017-06-27 00:33:44
  • Please keep this link when reproducing this post: https://go.coder-hub.com/44764400.html