
I'm running the Go code from this repo https://github.com/lizrice/containers-from-scratch/blob/master/main.go and I'm having a problem with the mount namespace. What the code should do is create a process within its own mount namespace. So if I run the code with `sudo go run main.go run /bin/bash` and I create a file inside the directory `mytemp`, I should be able to see that file from within the newly started process, but if I try to view that file by moving to the rootfs directory on the host, I shouldn't be able to see it, thanks to the mount namespace. Unfortunately I still see this file, so it seems that the process I run is not mount-namespaced. To run the code, I used this https://github.com/ericchiang/containers-from-scratch/releases/download/v0.1.0/rootfs.tar.gz as a rootfs and moved it under `/home/me`. Then I created a `mytemp` directory to use as the tmpfs mount target. Do you have any ideas about the reasons why the process doesn't get mount-namespaced?

Thanks!

Michy_Arya

1 Answer


This issue could be solved by configuring the host machine's mount to be private, which does not receive or forward any propagation events to other mounts; see RedHat - Sharing Mounts.

This command should be executed on your host machine before you create the container:

```sh
$ mount --make-rprivate /
```
Henrique Gontijo
Which calls the [`mount`](http://man7.org/linux/man-pages/man2/mount.2.html) syscall with `MS_PRIVATE|MS_REC` flags. This can be done [in Go](https://golang.org/pkg/syscall/#Mount) too. – ephemient Aug 05 '17 at 17:08

That's correct @ephemient, here's one example: `syscall.Mount("", "/", "", syscall.MS_PRIVATE|syscall.MS_REC, "")` – Henrique Gontijo Aug 06 '17 at 00:06
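The answer and comments above explain the symptom: a new mount namespace starts as a copy of the parent's, so if the host's `/` is a shared mount (the default on systemd hosts), a tmpfs mounted inside the child still propagates back to the host. The following is an added example, not code from the linked repository or from either poster. It parses the optional fields of `/proc/self/mountinfo` (the `shared:N` / `master:N` / `unbindable` markers documented in proc(5)) so you can check how `/` propagates before launching the container, and it wraps the `syscall.Mount` call from the comment as the Go equivalent of `mount --make-rprivate /`. Assumptions: Linux, Go 1.16 or later, and root for the live `makeRootPrivate` step; the `sampleMountinfo` text is constructed for illustration, not captured from a real host.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
	"syscall"
)

// sampleMountinfo is a constructed /proc/self/mountinfo excerpt (not captured
// from a real host) in the layout described in proc(5). The optional fields
// between the mount options and the "-" separator carry the propagation
// state: "/" is shared, the tmpfs entry has no optional field (private), and
// the last entry is a slave of peer group 1.
const sampleMountinfo = `22 28 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
28 0 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/root rw
35 28 0:30 / /home/me/mytemp rw,relatime - tmpfs tmpfs rw
40 28 0:31 / /mnt/from-host rw,relatime master:1 - ext4 /dev/sdb1 rw
`

// mountPropagation returns the propagation type ("shared", "slave",
// "unbindable" or "private") of the mount at mountPoint as recorded in the
// given mountinfo text. A path mounted over more than once lists several
// entries and the last one is the visible mount, so the last match wins.
func mountPropagation(mountinfo, mountPoint string) (string, error) {
	result := ""
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		// Fields: id, parent, major:minor, root, mount point, options,
		// optional fields..., "-", fstype, source, super options.
		fields := strings.Fields(sc.Text())
		if len(fields) < 7 || fields[4] != mountPoint {
			continue
		}
		prop := "private"
		for _, f := range fields[6:] {
			if f == "-" {
				break
			}
			switch {
			case strings.HasPrefix(f, "shared:"):
				prop = "shared"
			case strings.HasPrefix(f, "master:") && prop != "shared":
				prop = "slave"
			case f == "unbindable":
				prop = "unbindable"
			}
		}
		result = prop
	}
	if result == "" {
		return "", fmt.Errorf("mount point %q not found in mountinfo", mountPoint)
	}
	return result, nil
}

// makeRootPrivate is the Go form of `mount --make-rprivate /`: it marks the
// root mount and everything below it private in the caller's mount
// namespace, so mounts made there no longer propagate to the host.
// Requires CAP_SYS_ADMIN (root) on Linux.
func makeRootPrivate() error {
	return syscall.Mount("", "/", "", syscall.MS_PRIVATE|syscall.MS_REC, "")
}

// rootPropagation reads the live /proc/self/mountinfo and reports how "/" is
// propagated for the current process.
func rootPropagation() (string, error) {
	data, err := os.ReadFile("/proc/self/mountinfo")
	if err != nil {
		return "", err
	}
	return mountPropagation(string(data), "/")
}

func main() {
	// Exercise the parser on the constructed sample first.
	for _, mp := range []string{"/", "/home/me/mytemp", "/mnt/from-host"} {
		p, _ := mountPropagation(sampleMountinfo, mp)
		fmt.Printf("sample %-16s %s\n", mp, p)
	}

	prop, err := rootPropagation()
	if err != nil {
		fmt.Println("cannot read mountinfo:", err)
		return
	}
	fmt.Println("live root mount propagation:", prop)
	if prop != "shared" {
		return // mounts made in a child namespace will not leak to the host
	}
	if os.Geteuid() != 0 {
		fmt.Println("root mount is shared; rerun as root to make it private")
		return
	}
	if err := makeRootPrivate(); err != nil {
		fmt.Println("make-rprivate failed:", err)
		return
	}
	prop, _ = rootPropagation()
	fmt.Println("after MS_PRIVATE|MS_REC:", prop)
}
```

Run it once on the host before `sudo go run main.go run /bin/bash`: if it reports `shared` for `/`, the tmpfs created in the child will appear on the host until the root mount is made private. In the repository's own code the natural place for the `makeRootPrivate` call is in the child process, right after the clone with `CLONE_NEWNS` and before the tmpfs mount, so the host's own propagation settings are left untouched.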