Containers and syscall.CLONE_NEWNS
Question
I'm running the golang code on this repo https://github.com/lizrice/containers-from-scratch/blob/master/main.go and I'm having a problem with the mount namespace. What the code should do is create a process within its own mount namespace. So if I run the code with sudo go run main.go run /bin/bash and I create a file inside the directory mytemp, I should be able to see that file from within the newly started process, but if I try to view that file by moving to the rootfs directory on the host, I shouldn't be able to see it, thanks to the mount namespace.
Unfortunately I still see this file, so it seems that the process I run is not mount namespaced.
To run the code, I used this https://github.com/ericchiang/containers-from-scratch/releases/download/v0.1.0/rootfs.tar.gz as a rootfs and moved it under /home/me. Then I created a mytemp directory to use as the tmpfs mount target.
Do you have any ideas about the reasons why the process doesn't get mount namespaced?
Thanks!
Answer
This issue could be solved by configuring the host machine mount to be private, which does not receive or forward any propagation events to other mounts, vide RedHat - Sharing Mounts (https://access.redhat.com/documentation/zh-CN/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/sect-Using_the_mount_Command-Mounting-Bind.html).
This command should be executed on your host machine before you create the container:
$ mount --make-rprivate /
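The mechanism behind the answer is mount propagation: on a systemd host "/" sits in a shared peer group, so a tmpfs mounted inside a freshly unshared mount namespace is sent back to the host, and CLONE_NEWNS alone does not stop that. The Go program below is an added example, not code from the question's repository or from the answer. It checks the propagation state of each mount by parsing /proc/self/mountinfo (the "shared:N" / "master:N" optional fields described in proc(5)), reports whether "/" is shared, and carries the in-process equivalent of the answer's mount --make-rprivate / as a function a child could call after CLONE_NEWNS. The two mountinfo samples are constructed for the example, not captured from the poster's machine; the makeRootPrivate function needs CAP_SYS_ADMIN and is not invoked by main.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
	"syscall"
)

// Constructed sample of /proc/self/mountinfo on a host whose root mount is in
// a shared peer group (the systemd default). The tmpfs the container mounted
// on mytemp has propagated back and is visible on the host. Not captured from
// the poster's machine.
const sampleSharedRoot = `27 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
22 27 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
95 27 0:40 / /home/me/rootfs/mytemp rw,relatime shared:50 - tmpfs thing rw
96 27 0:41 / /mnt/with\040space rw,relatime master:1 - ext4 /dev/sdb1 rw
`

// Constructed sample after `mount --make-rprivate /`: no shared:/master:
// optional fields remain.
const samplePrivateRoot = `27 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
22 27 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
`

// Propagation is the propagation state of one mount point as recorded in the
// optional fields of a mountinfo line (proc(5)): "shared:N" means the mount
// sends and receives events within peer group N, "master:N" means it only
// receives them from peer group N, and neither means private.
type Propagation struct {
	Shared bool
	Slave  bool
}

// mountinfo escapes whitespace and backslash in path fields as octal.
var unescape = strings.NewReplacer(`\040`, " ", `\011`, "\t", `\012`, "\n", `\134`, `\`)

// parseMountInfo reads mountinfo-formatted text and returns the propagation
// state keyed by mount point. Field layout (1-based): (1) mount ID,
// (2) parent ID, (3) major:minor, (4) root, (5) mount point, (6) options,
// (7..) optional fields up to the "-" separator, then fstype, source, options.
func parseMountInfo(r io.Reader) (map[string]Propagation, error) {
	mounts := map[string]Propagation{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 7 {
			continue // blank or malformed line
		}
		var p Propagation
		for _, f := range fields[6:] {
			if f == "-" {
				break
			}
			switch {
			case strings.HasPrefix(f, "shared:"):
				p.Shared = true
			case strings.HasPrefix(f, "master:"):
				p.Slave = true
			}
		}
		mounts[unescape.Replace(fields[4])] = p
	}
	return mounts, sc.Err()
}

// rootIsShared reports whether mounts made in a child mount namespace will
// propagate back to this one: true when "/" belongs to a shared peer group,
// which is exactly the state the answer's command removes.
func rootIsShared(mounts map[string]Propagation) bool {
	return mounts["/"].Shared
}

// makeRootPrivate is the in-process equivalent of `mount --make-rprivate /`.
// Call it in the child once CLONE_NEWNS has taken effect and before any other
// mount; it requires CAP_SYS_ADMIN in the new namespace.
func makeRootPrivate() error {
	return syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, "")
}

func main() {
	f, err := os.Open("/proc/self/mountinfo")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer f.Close()
	mounts, err := parseMountInfo(f)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if rootIsShared(mounts) {
		fmt.Println("/ is shared: a tmpfs mounted inside a new mount namespace will show up on the host; make it private first")
	} else {
		fmt.Println("/ is private or slave: mounts made in a new namespace stay there")
	}
}
```

Run it on the host before and after mount --make-rprivate / to see the "shared:1" field on "/" disappear; if the report still says shared after you believe the child unshared, the child inherited a shared root and its tmpfs will leak exactly as the question describes.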