Hello everyone,
I've been trying to follow this blog post to work with per-process mount namespaces: http://blog.endpoint.com/2012/01/linux- … ivate.html
I did all the steps written in there:
1) Created a separate mount namespace for a new bash process using 'unshare -m /bin/bash'
2) Created a directory under /tmp to mount a new private tmpfs on
3) Mounted a new tmpfs on that directory
4) Created new files in that directory
Now, according to this guide, the files should not be present outside this process's namespace, so if you open a new bash terminal, the files should not be visible. But that doesn't seem to be the case:
sudo unshare -m /bin/bash
[sudo] password for ronnie:
[root@ArchBook ronnie]# mount -t tmpfs tmpfs `mktemp -d --tmpdir=/tmp`
[root@ArchBook ronnie]# ls /tmp/
fcitx-socket-:0 kde-ronnieEJoKgL sddm-:0-kQDmNq tmp.TfgQ6jS2ei xauth-997-_0
flashgot.rvvk040e.default mpd.fifo sddm-auth7a584aa6-f83d-4c48-99a2-f9dac11b4c66 xauth-1000-_0
[root@ArchBook ronnie]# ls /tmp/tmp.TfgQ6jS2ei/
[root@ArchBook ronnie]# touch /tmp/tmp.TfgQ6jS2ei/{a,b,c,d,e}
[root@ArchBook ronnie]# ls /tmp/tmp.TfgQ6jS2ei/
a b c d e
If I check the same directory from another bash process, I get the same files
ronnie@ArchBook : [/dev/pts/3]-[~]
$ ls /tmp/tmp.TfgQ6jS2ei/
a b c d e
According to this StackExchange answer: https://unix.stackexchange.com/question … edora?rq=1, this behaviour is caused by the shared flag that has been set on the mount points, which can be seen in /proc/self/mountpoints
$ cat /proc/self/mountinfo
14 19 0:3 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
15 19 0:14 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sys rw
16 19 0:5 / /dev rw,nosuid,relatime shared:2 - devtmpfs dev rw,size=1947868k,nr_inodes=486967,mode=755
17 19 0:15 / /run rw,nosuid,nodev,relatime shared:11 - tmpfs run rw,mode=755
19 0 8:3 / / rw,relatime shared:1 - ext4 /dev/sda3 rw,data=ordered
20 15 0:17 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:7 - securityfs securityfs rw
21 16 0:18 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw
22 16 0:11 / /dev/pts rw,nosuid,noexec,relatime shared:4 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
23 15 0:19 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:8 - tmpfs tmpfs ro,mode=755
24 23 0:20 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
25 15 0:21 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:10 - pstore pstore rw
26 23 0:22 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,cpuset
27 23 0:23 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,cpu,cpuacct
28 23 0:24 / /sys/fs/cgroup/net_cls rw,nosuid,nodev,noexec,relatime shared:14 - cgroup cgroup rw,net_cls
29 23 0:25 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:15 - cgroup cgroup rw,freezer
30 23 0:26 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:16 - cgroup cgroup rw,blkio
31 23 0:27 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,memory
32 23 0:28 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:18 - cgroup cgroup rw,devices
33 14 0:29 / /proc/sys/fs/binfmt_misc rw,relatime shared:19 - autofs systemd-1 rw,fd=24,pgrp=1,timeout=300,minproto=5,maxproto=5,direct
35 15 0:6 / /sys/kernel/debug rw,relatime shared:20 - debugfs debugfs rw
34 16 0:30 / /dev/hugepages rw,relatime shared:21 - hugetlbfs hugetlbfs rw
36 15 0:31 / /sys/kernel/config rw,relatime shared:22 - configfs configfs rw
37 16 0:13 / /dev/mqueue rw,relatime shared:23 - mqueue mqueue rw
38 19 0:32 / /tmp rw shared:24 - tmpfs tmpfs rw
64 19 8:4 / /home rw,nosuid,nodev,relatime shared:25 - ext4 /dev/sda4 rw,data=ordered
97 17 0:33 / /run/user/997 rw,nosuid,nodev,relatime shared:56 - tmpfs tmpfs rw,size=390184k,mode=700,uid=997,gid=997
100 17 0:34 / /run/user/1000 rw,nosuid,nodev,relatime shared:58 - tmpfs tmpfs rw,size=390184k,mode=700,uid=1000,gid=1000
132 38 0:35 / /tmp/tmp.TfgQ6jS2ei rw,relatime shared:60 - tmpfs tmpfs rw
All the mount points seem to have the 'shared' optional field. Why are all mount points getting this flag? Where does this field get set? According to the shared subtree documentation in the kernel tree, the default mount should be a private mount (https://www.kernel.org/doc/Documentatio … ubtree.txt):
2c) A private mount does not forward or receive propagation.
This is the mount we are familiar with. It's the default type.
I've tried setting the mount using the '--make-private' flag, but the files were still visible in the other bash process. Am I missing something here?
I was having the same problem. It looks like this is a default systemd behavior.
http://cgit.freedesktop.org/systemd/sys … a7c411f0a0
Apparently, you will need to explicitly specify 'private' or 'rprivate' in the mount options for your root filesystem in fstab in order to override this behavior.
From mount(8):
Since util-linux 2.23 the mount command allows to use several propagation flags together and also together with other mount operations. This feature is EXPERIMENTAL. The propagation flags are applied by additional mount(2) syscalls when the preceding mount operations were successful. Note that this use case is not atomic. It is possible to specify the propagation flags in fstab(5) as mount options (private, slave, shared, unbindable, rprivate, rslave, rshared, runbindable).
In order to mark a single mount point as private, you start by binding the directory to itself so that it is recognized as an active mount.
# unshare -m
# mount_point=$(mktemp -d --tmpdir=/tmp) && echo $mount_point
/tmp/tmp.Mu8gikEpMb/
# mount --bind $mount_point $mount_point
Then you can mark it as private and mount your private filesystem.
# mount --make-private $mount_point
# mount -t tmpfs tmpfs $mount_point
# echo 'mydata' > $mount_point/myfile.txt
You will now notice that the mounted filesystem cannot be accessed by a process in a separate namespace.
$ ls /tmp/tmp.Mu8gikEpMb/
$
Last edited by ub1quit33 (2015-06-27 23:51:35)
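As an added example (not code from either post in this thread): a POSIX shell script that reads the optional fields of /proc/self/mountinfo to report whether the mount holding a given path is shared, a slave, unbindable or private, so you can check propagation before relying on a "private" mount. The sample input is three lines copied from the first post plus two constructed ones. When run as root with --demo it also applies the bind-then-make-private recipe from the reply above inside a fresh namespace and checks the directory from the parent namespace. The function names propagation_of, sample_mountinfo_file, mount_private_tmpfs and demo are my own.

```shell
#!/bin/sh
# Added example for this thread: inspect mount propagation via mountinfo and
# exercise the bind + --make-private recipe from the reply (needs root).

# propagation_of PATH [MOUNTINFO_FILE]
# Prints the propagation of the topmost mount whose mount point is PATH:
# "shared:N", "master:N" (slave), "unbindable", a comma-joined combination,
# or "private" when no propagation field is present. Returns 1 if PATH is
# not a mount point. Mount points containing spaces appear escaped (\040).
propagation_of() {
    path=$1
    file=${2:-/proc/self/mountinfo}
    awk -v p="$path" '
        # mountinfo: id parent major:minor root mountpoint opts [optional...] - fstype source superopts
        $5 == p {
            prop = ""
            # optional fields sit between field 6 and the "-" separator
            for (i = 7; i <= NF && $i != "-"; i++)
                if ($i ~ /^(shared|master|propagate_from):/ || $i == "unbindable")
                    prop = (prop == "") ? $i : prop "," $i
            result = (prop == "") ? "private" : prop
            found = 1          # keep going: a later line for the same path is an overmount
        }
        END {
            if (!found) exit 1
            print result
        }
    ' "$file"
}

# Writes a constructed mountinfo sample to a temp file and prints its path.
# First three lines are from the first post; the last two are made up here.
sample_mountinfo_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
19 0 8:3 / / rw,relatime shared:1 - ext4 /dev/sda3 rw,data=ordered
38 19 0:32 / /tmp rw shared:24 - tmpfs tmpfs rw
132 38 0:35 / /tmp/tmp.TfgQ6jS2ei rw,relatime shared:60 - tmpfs tmpfs rw
140 38 0:36 / /tmp/private-demo rw,relatime - tmpfs tmpfs rw
141 38 0:37 / /tmp/slave-demo rw,relatime master:24 - tmpfs tmpfs rw
EOF
    echo "$f"
}

# mount_private_tmpfs DIR: the reply's recipe, run in a new mount namespace.
# Requires root. Prints the directory contents seen inside and outside.
mount_private_tmpfs() {
    dir=$1
    unshare -m sh -c '
        set -e
        mount --bind "$1" "$1"        # make the directory a mount of its own
        mount --make-private "$1"     # stop it propagating to the parent namespace
        mount -t tmpfs tmpfs "$1"     # the tmpfs now lands on a private parent
        echo mydata > "$1/myfile.txt"
        echo "inside:  $(ls -A "$1")"
    ' sh "$dir"
    echo "outside: $(ls -A "$dir")"   # expected: nothing, the tmpfs stayed private
}

demo() {
    f=$(sample_mountinfo_file)
    for m in / /tmp /tmp/tmp.TfgQ6jS2ei /tmp/private-demo /tmp/slave-demo; do
        printf '%-24s %s\n' "$m" "$(propagation_of "$m" "$f")"
    done
    rm -f "$f"
    printf '%-24s %s\n' "/ (live)" "$(propagation_of / 2>/dev/null || echo 'n/a')"
    if [ "$(id -u)" -eq 0 ] && command -v unshare >/dev/null 2>&1; then
        d=$(mktemp -d --tmpdir=/tmp)   # GNU mktemp, as used on the page
        mount_private_tmpfs "$d"
        umount "$d" 2>/dev/null        # the self-bind propagated before it was made private
        rmdir "$d"
    fi
}

[ "${1-}" = "--demo" ] && demo
```

Run it as `sh script.sh --demo`. One caveat the output makes visible: because the root mount is shared, the initial `mount --bind DIR DIR` is itself propagated into the parent namespace before `--make-private` takes effect (which is why the demo unmounts DIR outside afterwards); only the tmpfs mounted on top stays confined. If you want nothing to leak, make the whole tree private right after `unshare -m` with `mount --make-rprivate /`, which is what newer versions of util-linux's unshare(1) do by default through its --propagation option.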