unshare -m 未创建挂载命名空间

Question 1

要么是 unshare(1) 坏了，要么就是我太蠢了。

我修改了代码http://crosbymichael.com/creating-containers-part-1.html所以它对我来说确实有效。必须使用来延迟卸载 /proc umount2，并使用linux/sched.h而不是sched.h。

要编译，请执行以下操作gcc foo.c -ofoo。

您会注意到，运行后，./foo ls /proc主机系统上的 /proc 不会被清除。

//
// This compiles and works on Amazon Linux 2016.03 (kernel 4.4.5-15.26.amzn1.x86_64)
//

#include <stdio.h>
#include <stdlib.h>
// was <sched.h>, but wouldn't compile on Amazon Linux
#include <linux/sched.h>
// for umount2()
#include <sys/mount.h>
#include <sys/wait.h>
#include <errno.h>

#define STACKSIZE (1024*1024)
static char child_stack[STACKSIZE];

struct clone_args {
        char **argv;
};

static int child_exec(void *stuff) {
        struct clone_args *args = (struct clone_args *)stuff;

        // the fprintf()s crash. Not sure why.

        // changed from umount(), lazy umount succeeds
        if (umount2("/proc", MNT_DETACH) != 0) {
                fprintf(stderr, "failed to unmount /proc: %s\n", strerror(errno));
                exit(-1);
        }

        if (mount("proc", "/proc", "proc", 0, "") != 0) {
                fprintf(stderr, "failed to mount /proc: %s\n", strerror(errno));
                exit(-1);
        }

        if (execvp(args->argv[0], args->argv) != 0) {
                fprintf(stderr, "failed to execvp arguments: %s\n", strerror(errno));
                exit(-1);
        }

        // unreachable
        exit(EXIT_FAILURE);
}

int main(int argc, char **argv) {
        struct clone_args args;
        args.argv = &argv[1];

        int clone_flags = CLONE_NEWPID | CLONE_NEWNS | SIGCHLD;
        pid_t pid = clone(child_exec, child_stack + STACKSIZE, clone_flags, &args);

        if (pid < 0) {
                fprintf(stderr, "clone failed: %s\n", strerror(errno));
                exit(EXIT_FAILURE);
        }

        if (waitpid(pid, NULL, 0) == -1) {
                fprintf(stderr, "failed to wait pid %d\n", pid);
                exit(EXIT_FAILURE);
        }

        exit(EXIT_SUCCESS);
}

Answer

要么是 unshare(1) 坏了，要么就是我太蠢了。

我修改了代码http://crosbymichael.com/creating-containers-part-1.html所以它对我来说确实有效。必须使用来延迟卸载 /proc umount2，并使用linux/sched.h而不是sched.h。

要编译，请执行以下操作gcc foo.c -ofoo。

您会注意到，运行后，./foo ls /proc主机系统上的 /proc 不会被清除。

//
// This compiles and works on Amazon Linux 2016.03 (kernel 4.4.5-15.26.amzn1.x86_64)
//

#include <stdio.h>
#include <stdlib.h>
// was <sched.h>, but wouldn't compile on Amazon Linux
#include <linux/sched.h>
// for umount2()
#include <sys/mount.h>
#include <sys/wait.h>
#include <errno.h>

#define STACKSIZE (1024*1024)
static char child_stack[STACKSIZE];

struct clone_args {
        char **argv;
};

static int child_exec(void *stuff) {
        struct clone_args *args = (struct clone_args *)stuff;

        // the fprintf()s crash. Not sure why.

        // changed from umount(), lazy umount succeeds
        if (umount2("/proc", MNT_DETACH) != 0) {
                fprintf(stderr, "failed to unmount /proc: %s\n", strerror(errno));
                exit(-1);
        }

        if (mount("proc", "/proc", "proc", 0, "") != 0) {
                fprintf(stderr, "failed to mount /proc: %s\n", strerror(errno));
                exit(-1);
        }

        if (execvp(args->argv[0], args->argv) != 0) {
                fprintf(stderr, "failed to execvp arguments: %s\n", strerror(errno));
                exit(-1);
        }

        // unreachable
        exit(EXIT_FAILURE);
}

int main(int argc, char **argv) {
        struct clone_args args;
        args.argv = &argv[1];

        int clone_flags = CLONE_NEWPID | CLONE_NEWNS | SIGCHLD;
        pid_t pid = clone(child_exec, child_stack + STACKSIZE, clone_flags, &args);

        if (pid < 0) {
                fprintf(stderr, "clone failed: %s\n", strerror(errno));
                exit(EXIT_FAILURE);
        }

        if (waitpid(pid, NULL, 0) == -1) {
                fprintf(stderr, "failed to wait pid %d\n", pid);
                exit(EXIT_FAILURE);
        }

        exit(EXIT_SUCCESS);
}

Question 2

挂载传播已启用（可能是由 systemd 启用），而您使用的旧版本确实unshare会改变传播状态，因此新挂载命名空间中的所有挂载操作都会反映在原始命名空间中。

Answer

挂载传播已启用（可能是由 systemd 启用），而您使用的旧版本确实unshare会改变传播状态，因此新挂载命名空间中的所有挂载操作都会反映在原始命名空间中。

unshare -m 未创建挂载命名空间

答案1

答案2

相关内容