| 1 |
On Mon, Oct 14, 2013 at 1:01 PM, Richard Yao <ryao@g.o> wrote: |
| 2 |
> |
| 3 |
> 1. What are mount namespaces? How do they integrate with the kernel? |
| 4 |
> 2. What does systemd do with them? What does systemd's use of them |
| 5 |
> provide to users? |
| 6 |
> |
| 7 |
> Saying to google "per-process namespaces" does not really answer that. |
| 8 |
> Per-process namespaces provide a means to isolate processes into |
| 9 |
> containers that they have their own pid numbers and can neither nor |
| 10 |
> interact with processes outside of the container via traditional IPC |
| 11 |
> mechanisms such as signals. It is similar to the concept of FreeBSD |
| 12 |
> jails. That does not tell me what a "mount namespace is" or why systemd |
| 13 |
> has anything to do with it. |
| 14 |
> |
| 15 |
|
| 16 |
You're describing a process namespace, which is only one type of |
| 17 |
namespace. All namespaces are "per-process," but process namespaces |
| 18 |
are just one type of per-process namespace. Confused yet? |
| 19 |
|
| 20 |
All processes within the same mount namespace see the same filesystem. |
| 21 |
If I run mount /dev/cdrom /mnt/cdrom in one process, then all |
| 22 |
processes in the same namespace will see it mounted. However, |
| 23 |
processes in another namespace will NOT see the new mount. |
| 24 |
|
| 25 |
To illustrate, if you are on linux with util-linux installed launch |
| 26 |
two root shells, and in one execute: |
| 27 |
mkdir /tmp/foo |
| 28 |
touch /tmp/foo/a |
| 29 |
unshare -m /bin/bash |
| 30 |
mount -t tmpfs none /tmp/foo |
| 31 |
touch /tmp/foo/b |
| 32 |
ls /tmp/foo |
| 33 |
|
| 34 |
Then run ls /tmp/foo in your other process. They'll see two different |
| 35 |
directories, because the tmpfs mounted in the separate namespace |
| 36 |
created by unshare is not visible to any other process. To clean up |
| 37 |
within the namespace umount /tmp/foo and exit (I have no idea if it is |
| 38 |
possible to unmount the tmpfs if you exit first, or if the kernel does |
| 39 |
it for you). |
| 40 |
|
| 41 |
The possibilities are endless. You could mount an encrypted home for |
| 42 |
a user and make it visible only to the user. Containers are an |
| 43 |
obvious way to use them. |
| 44 |
|
| 45 |
Systemd lets you configure daemons to have restricted access to the |
| 46 |
filesystem as well - either read-only, or not at all - by directory. |
| 47 |
I assume it just clones the mount namespace, and then sets up |
| 48 |
bind-mounts to implement this before dropping root and launching the |
| 49 |
process. |
| 50 |
|
| 51 |
Rich |
Archives