
When running the unshare command (man 1 unshare), which allows executing a command in a separate namespace from the shell, why do I still see all processes from the host? Is the PID namespace not unshared by design?

Thanks.

Mark

1 Answer


unshare unshares only those namespaces that you have set via options. Please also take a special look at the --mount-proc option (quote from unshare(1)):

Just before running the program, mount the proc filesystem at mountpoint (default is /proc). This is useful when creating a new PID namespace. It also implies creating a new mount namespace since the /proc mount would otherwise mess up existing programs on the system. The new proc filesystem is explicitly mounted as private (with MS_PRIVATE|MS_REC).

This is important as the ps command reads PIDs from the /proc filesystem (see ps(1)):

This ps works by reading the virtual files in /proc.

See also pid_namespaces(7):

After creating a new PID namespace, it is useful for the child to <...> mount a new procfs instance at /proc so that tools such as ps(1) work correctly.

Arks
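The following script is an added illustration of the point made in the answer above; it is not part of the original question or answer. It shows that `unshare --pid --fork` really does create a new PID namespace (the command inside sees itself as PID 1), yet anything that reads /proc, such as ps(1), still sees the parent namespace until a fresh procfs is mounted with --mount-proc. It assumes util-linux unshare(1) with --user and --map-root-user (so it runs without root) and a kernel that permits unprivileged user namespaces; where the kernel or a container sandbox refuses the namespace operations, the helpers print "unsupported" instead of failing.

```shell
#!/bin/sh
# Added example (not from the original post). Compares what a process sees
# through /proc inside a new PID namespace, with and without --mount-proc.
# Assumptions: util-linux unshare(1) supporting --user/--map-root-user, and
# unprivileged user namespaces enabled; otherwise "unsupported" is printed.

# Run a command in fresh user+PID namespaces. Extra unshare(1) options
# (e.g. --mount-proc) may be passed before the command. --fork is required:
# a new PID namespace only takes effect for children of the unsharing process,
# so the forked child becomes PID 1 of the new namespace.
ns_run() {
    unshare --user --map-root-user --pid --fork "$@"
}

# The PID that the command inside the namespace sees for itself when it
# resolves /proc/self. With the parent's /proc still mounted this is the
# host-side PID (never 1); with --mount-proc it is 1, matching the namespace.
self_pid_via_proc() {
    ns_run "$@" readlink /proc/self 2>/dev/null || echo unsupported
}

# How many process entries a shell inside the namespace finds in /proc.
# This is the same view ps(1) builds. Without --mount-proc it is the whole
# host process table; with --mount-proc it is only sh, ls and wc.
proc_entry_count() {
    ns_run "$@" sh -c 'ls -d /proc/[0-9]* | wc -l' 2>/dev/null || echo unsupported
}

# Stand-alone demonstration.
printf 'self PID via /proc, stale /proc:     %s\n' "$(self_pid_via_proc)"
printf 'self PID via /proc, --mount-proc:    %s\n' "$(self_pid_via_proc --mount-proc)"
printf 'entries in /proc, stale /proc:       %s\n' "$(proc_entry_count)"
printf 'entries in /proc, --mount-proc:      %s\n' "$(proc_entry_count --mount-proc)"
```

The first pair of lines is the crux: in the stale-/proc case `$$` inside the namespace would already be 1, but /proc/self resolves through the parent namespace's procfs and reports the host PID, which is exactly why ps keeps listing every host process. Adding --mount-proc (which implies a new mount namespace, so the host's /proc is not disturbed) makes the two views agree.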