Tuesday, April 14, 2015

persistent namespaces

Today I merged support for persistent namespaces to unshare(1). The persistent namespace does not require any running process with in the namespace and it's possible to enter the namespace by nsenter(1).

For example let's create a new UTS namespace and set a different hostname within the namespace:
  # hostname
  ws
  # touch /root/ns-uts         
  # unshare --uts=/root/ns-uts
  # hostname FooBar
  # exit
Now there is no process in the namespace, try to enter the namespace by --uts=/root/ns-uts reference:
  # nsenter --uts=/root/ns-uts
  # hostname
  FooBar 
  # exit
The reference to the namespace is bind mount to /proc/[pid]/ns/[type], so umount(8) is enough to remove the reference:
  # umount /root/ns-uts
If there is no another reference or any running process within the namespace then the namesapce is destoyed.

It's also possible to create another types of the persistent namespaces (--net, --ipc, ...). Don't forget that if you want to create a persistent mount namespace than the file (--mount=file) has to be on "private" filesystem, for example on Fedora where all is "shared" you have to use:

  # mount --bind /mnt/test /mnt/test
  # mount --make-rprivate /mnt/test
  # touch /mnt/test/my-ns
  # unshare --mount=/mnt/test/my-ns
  ...
Note that PID namespace cannot be without a running process (or more precisely the PID namespace is dead thing after init process (PID 1) termination).

4 comments:

  1. aceqJune 17, 2020 at 11:15 PM

    useful. thanks

    ReplyDelete
  2. AnonymousJuly 3, 2020 at 8:19 AM

    Sadly, persistence does not happen. If the "main" unshare process exited, the mount namespace mounts are lost in subsequent nsenter. Tested on mount and uid namespace combination and procfs or tmpfs.

    ReplyDelete
  3. Binladin64July 3, 2020 at 8:27 AM

    Sadly, persistence does not happen. If the "main" unshare process exited, the mount namespace mounts are absent in subsequent nsenter. Tested on mount, pid, and uid namespace combination with procfs and/or tmpfs.
    Moreover, `nsenter --mount=$PID mount -t proc ...` provides different result from `mount --ns=$PID -t proc ...`, while the later mistakenly shows the parent pid namespace.

    ReplyDelete
  4. UnknownSeptember 27, 2021 at 4:34 AM

    Thank you Karel. Your simple documentation was plenty sufficient. I am pleased with the feature and it seems to work fine.

    It was an odd thing. I simply wanted to mount a volume without everyone on the system being able to see it. I ended up buried in namespaces, an overly complicated tool for this task. Despite its complexity, it was insufficient without this enhancement.

    And so I thank you.

    ReplyDelete

Subscribe to: Post Comments (Atom)