Containers and syscall.CLONE_NEWNS

Views: 166

Problem description


I'm running the golang code on this repo https://github.com/lizrice/containers-from-scratch/blob/master/main.go and I'm having a problem with the mount namespace. What the code should do is create a process within its own mount namespace. So if I run the code with sudo go run main.go run /bin/bash and I create a file inside the directory mytemp, I should be able to see that file from within the newly started process, but if I try to view that file by moving to the rootfs directory on the host, I shouldn't be able to see that file thanks to the mount namespace. Unfortunately I still see this file, so it seems that the process I run is not mount namespaced. To run the code, I used this https://github.com/ericchiang/containers-from-scratch/releases/download/v0.1.0/rootfs.tar.gz as a rootfs and moved it under /home/me. Then I created a mytemp directory to use as the tmpfs mount target. Do you have any ideas about the reasons why the process doesn't get mount namespaced?

Thanks!

Recommended answer

This issue could be solved by configuring the host machine mount to be private, which does not receive or forward any propagation events to other mounts, vide RedHat - Sharing Mounts (https://access.redhat.com/documentation/zh-CN/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/sect-Using_the_mount_Command-Mounting-Bind.html).

This command should be executed on your host machine before you create the container:

$ mount --make-rprivate /
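As an added example (not code from the asker's repository or from the answer), this is the check a practitioner can script before blaming the Go code: parse /proc/self/mountinfo to see whether / sits in a shared peer group (the condition under which a tmpfs mounted in the CLONE_NEWNS child propagates back to the host), together with the in-process equivalent of the answer's mount command, to be called in the child before mounting the tmpfs. The mountinfo text is constructed, not taken from the asker's host.

```go
package main

import (
	"bufio"
	"strings"
	"syscall"
)

// Constructed /proc/self/mountinfo excerpt (not from the asker's host): "/"
// carries the "shared:1" optional field, the systemd default and the reason a
// tmpfs mounted inside a CLONE_NEWNS child still shows up on the host.
const sampleMountinfo = `24 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 24 0:35 / /home/me/mytemp rw,relatime - tmpfs tmpfs rw
`

// isShared reports whether the mount at mountPoint belongs to a shared peer
// group, by scanning the optional fields (field 7 up to the "-" separator)
// of the matching mountinfo line; found is false when no line matches.
func isShared(mountinfo, mountPoint string) (shared, found bool) {
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 7 || f[4] != mountPoint {
			continue
		}
		for _, opt := range f[6:] {
			if opt == "-" {
				break
			}
			if strings.HasPrefix(opt, "shared:") {
				return true, true
			}
		}
		return false, true
	}
	return false, false
}

// makeRootPrivate is the in-process equivalent of `mount --make-rprivate /`:
// call it in the child after the CLONE_NEWNS unshare and before mounting the
// tmpfs. It needs CAP_SYS_ADMIN, so only the parser is exercised by tests.
func makeRootPrivate() error {
	return syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, "")
}
```

For the live check, feed the contents of /proc/self/mountinfo to isShared with mountPoint "/"; a true result means the host needs the answer's command or a call to makeRootPrivate in the child.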

