Comments (5)
Hi @mlvnd, thanks for your very kind comments!
Yes, it does sound familiar. I have a note to myself somewhere about mounting root with the --make-rprivate flag so that mount points aren't shared. Sounds like setting the MS_PRIVATE flag is the better way of achieving this - thank you so much for letting me know about it!
from containers-from-scratch.
Hi @lizrice,
You're welcome. I can submit a PR if you like. I got it working like this, but maybe there are other/better ways:
must(syscall.Mount("", "/", "", syscall.MS_PRIVATE|syscall.MS_REC, ""))
must(cmd.Run())
That sounds good!
But now you have got me wondering whether it would work to make a similar call to mount() with the private + recursive flags in the child, after the chroot? If that worked, it would only affect the part of the host file system that the container is using, which would be nice...
I haven't tried it, and I'd accept your PR as proposed - I'm just curious so if you happen to have time to try it out, let me know how it goes!
Hi @lizrice,
I tested your proposal and it works great! However, I spent some more time researching and noticed that this problem was marked as a bug in Go, which got fixed in 1.9 (see os/exec: handle Unshareflags with CLONE_NEWNS for more info). I'd guess you would agree this is an even nicer solution. :)
Thanks Liz!
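The thread above is about keeping a container's mounts from propagating back to the host, either with `MS_PRIVATE|MS_REC` or via the Go 1.9 fix. As an added example (not code from the thread or from containers-from-scratch), this Go program checks the outcome by listing mounts still tagged `shared:N` in `/proc/self/mountinfo`; the function name and the sample lines are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// Constructed sample in /proc/self/mountinfo format (not captured from a real host).
const sampleMountinfo = `22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec shared:12 - proc proc rw
41 22 0:40 / /mnt/scratch rw,relatime - tmpfs tmpfs rw
42 22 0:41 / /mnt/slave rw,relatime master:1 - tmpfs tmpfs rw`

// sharedMounts returns the mount points whose optional fields include a
// "shared:N" tag, i.e. mounts whose events propagate to their peer group.
func sharedMounts(mountinfo string) []string {
	var shared []string
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 7 {
			continue // malformed or truncated line
		}
		// Optional fields start at index 6 and end at the "-" separator.
		for _, opt := range f[6:] {
			if opt == "-" {
				break
			}
			if strings.HasPrefix(opt, "shared:") {
				shared = append(shared, f[4]) // field 5 is the mount point
				break
			}
		}
	}
	return shared
}

func main() {
	data := sampleMountinfo
	// On Linux, inspect the current mount namespace instead of the sample.
	if b, err := os.ReadFile("/proc/self/mountinfo"); err == nil {
		data = string(b)
	}
	for _, mp := range sharedMounts(data) {
		fmt.Println("shared propagation:", mp)
	}
}
```

Run inside the container process after the remount, an empty result means no mount in that namespace is still shared.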