Can't get mount namespaces to behave as expected

Posted Mar 7, 2015 7:53 UTC (Sat) by apollock (guest, #14629)
In reply to: Can't get mount namespaces to behave as expected by mkerrisk
Parent article: Namespaces in operation, part 4: more on PID namespaces

Because /proc was still getting clobbered outside of my namespace without it when I mounted it inside my namespace.

I was basically testing two scenarios:

1) Unmounting a filesystem that was mounted inside and outside the new namespace. Expected behaviour: it was only unmounted inside the new namespace

2) Mounting /proc inside the new namespace. Expected behaviour: only seeing the process entries for processes inside the new namespace inside the namespace, and there being no impact outside this namespace

to post comments

Can't get mount namespaces to behave as expected

Posted Mar 7, 2015 10:04 UTC (Sat) by mkerrisk (subscriber, #1978) [Link] (1 responses)

So, going back to your earlier comment:

> It looks like I have to do the same thing to /proc prior to mounting it

Yes, you're right. I was getting confused with another case, where if we mount a procfs at a location other than the usual /proc, then we need to make / a private or slave mount in order not to have that mount appear in the initial mount namespace.

So, in fact all that's needed if we're mounting at /proc inside the simple_init program is

# ./ns_child_exec -p -m ./simple_init
init$ mount --make-slave /proc            # <== NEW
init$ mount -t proc proc /proc
init$ ps a

Nothing needs to be done to /, as far as I can tell.

Can't get mount namespaces to behave as expected

Posted Oct 10, 2017 1:54 UTC (Tue) by marcosps (subscriber, #115562) [Link]

Hello Michael,

what do you think about changing the article adding the --make-slave parameter mount? It made me turn off my computer twice, as the system gets unstable (at least n my fedora 26)...