Understanding unshare CLONE_NEWNS Behavior

I wrote a small C program that simply does unshare(CLONE_NEWNS), followed by system("bash").

The man page says that the process then has its own namespace. So, in that shell, I tried umount /cgroup (cgroup is mounted on the host machine).

When I run mount in a shell on the host machine, /cgroup is also unmounted there. Am I missing something? I thought CLONE_NEWNS should let me disconnect the file system from the process without affecting the main system.

+3
4 answers

(Aside: you did not need to write a program; you could just use the unshare(1) utility.)

The mount command does not ask the kernel what is mounted; it reads /etc/mtab, an ordinary file that mount and umount rewrite. So the umount you ran inside the new namespace removed the /cgroup entry from the one shared /etc/mtab, and mount on the host then no longer lists it even though it is still mounted there (unless /etc/mtab is a symlink to /proc/mounts, in which case the output is accurate).

Look at /proc/mounts instead; it is maintained by the kernel and reflects the mount namespace of the process reading it.

+5

Your /cgroup mount (or, more likely, its parent /) is a "shared" mount, so mount and unmount events propagate between the peer namespaces; unsharing the namespace alone does not stop that. Check the propagation type of each mount in /proc/self/mountinfo. On systems running systemd, / is made "shared" at boot instead of being left "private". To make / "private", run:

mount --make-private /

See https://bbs.archlinux.org/viewtopic.php?id=194388 and https://lwn.net/Articles/689856/

+1
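One way to put the two answers above into practice, as an added example that is not code from the original post: a C program that unshares the mount namespace, makes the whole tree private (the mount(2) equivalent of mount --make-private /), and checks the propagation flag of / by parsing /proc/self/mountinfo rather than trusting /etc/mtab. The parser is exercised against a constructed sample table (not captured from the poster's machine); the field layout follows proc(5). Running the program itself needs CAP_SYS_ADMIN.

```c
/* Added example (not from the original post): unshare the mount namespace,
 * make every mount private so umount inside the namespace cannot propagate
 * back to the host, and verify the propagation flags by parsing
 * /proc/self/mountinfo rather than /etc/mtab. Needs CAP_SYS_ADMIN to run. */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>

#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000  /* value from <linux/sched.h>, if feature macros were set late */
#endif
int unshare(int flags);         /* glibc prototype, repeated so the build does not depend on _GNU_SOURCE */

/* Propagation state of a mount point in a mountinfo table.
 * Returns 1 if the entry carries a "shared:N" optional field (events
 * propagate to peers), 0 if it is private, slave or unbindable, and -1 if
 * the mount point is not listed. Field layout per proc(5):
 *   id parent maj:min root mountpoint opts [optional...] - fstype src sopts
 * Mount points with spaces are octal-escaped (\040) in the real file; this
 * parser compares the raw, escaped form. */
int mountinfo_is_shared(const char *mountinfo, const char *mountpoint)
{
    const char *line = mountinfo;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[1024];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        char *save = NULL;
        int field = 0, match = 0, shared = 0;
        for (char *tok = strtok_r(buf, " ", &save); tok;
             tok = strtok_r(NULL, " ", &save), field++) {
            if (field == 4)
                match = strcmp(tok, mountpoint) == 0;
            else if (field > 5) {
                if (strcmp(tok, "-") == 0)
                    break;              /* separator: optional fields end here */
                if (strncmp(tok, "shared:", 7) == 0)
                    shared = 1;
            }
        }
        if (match)
            return shared;
        if (!eol)
            break;
        line = eol + 1;
    }
    return -1;
}

/* Constructed sample table (not captured from any real machine): a
 * systemd-style host where / and /sys are shared, /cgroup is private
 * and /boot is a slave of peer group 1. */
const char *SAMPLE_MOUNTINFO =
    "22 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "23 22 0:20 / /sys rw,nosuid,nodev shared:2 - sysfs sysfs rw\n"
    "30 22 0:26 / /cgroup rw,relatime - cgroup cgroup rw\n"
    "31 22 8:2 / /boot rw,relatime master:1 - ext4 /dev/sda2 rw\n";

/* Read the calling process's own mount table (namespace-aware, unlike /etc/mtab).
 * A 64 KiB buffer covers a typical table; larger tables are truncated. */
static const char *read_self_mountinfo(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f)
        return NULL;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    if (unshare(CLONE_NEWNS) == -1) {
        perror("unshare(CLONE_NEWNS)");
        return 1;
    }
    /* The step the poster's program was missing: without it, on a host where
     * / is shared, umount in the new namespace propagates back to the host. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) {
        perror("mount(MS_REC|MS_PRIVATE)");
        return 1;
    }
    const char *table = read_self_mountinfo();
    int st = table ? mountinfo_is_shared(table, "/") : -1;
    printf("/ in the new namespace: %s\n",
           st == 1 ? "shared" : st == 0 ? "private" : "unknown");
    /* Hand over to a shell; an umount typed here now stays in this namespace. */
    execl("/bin/bash", "bash", (char *)NULL);
    perror("execl");
    return 1;
}
```

Build with gcc -o nsdemo nsdemo.c and run it as root; then umount something inside the shell it starts and compare grep on /proc/mounts in another terminal on the host, which should still list the mount. Reading /proc/self/mountinfo before the mount(MS_REC|MS_PRIVATE) call is the quickest way to confirm whether the host's / is shared in the first place.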

unshare works for me on Fedora 19 (kernel 3.10):

# unshare --mount /bin/bash
# df -h /boot/
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1       485M  238M  222M  52% /boot
# umount /boot/
# grep boot /proc/mounts
# echo $?
1

Maybe I'm doing something wrong, but the result is what I expected.

0

Apparently it works on Fedora but not on Ubuntu, and at the same time, if you try just CLONE_NEWNS, it doesn't work; it does not seem to be quite the same as a direct call

clone(child_main, child_stack + STACK_SIZE, CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWNS | SIGCHLD, NULL);

With this call, namespace operations can be seen from another namespace.

0
