On Mon, Oct 14, 2013 at 1:01 PM, Richard Yao <ryao@g.o> wrote:
>
> 1. What are mount namespaces? How do they integrate with the kernel?
> 2. What does systemd do with them? What does systemd's use of them
> provide to users?
>
> Saying to google "per-process namespaces" does not really answer that.
> Per-process namespaces provide a means to isolate processes into
> containers so that they have their own pid numbers and cannot
> interact with processes outside of the container via traditional IPC
> mechanisms such as signals. It is similar to the concept of FreeBSD
> jails. That does not tell me what a "mount namespace" is or why systemd
> has anything to do with it.
>

You're describing a process namespace, which is only one type of
namespace. All namespaces are "per-process," but process namespaces
are just one type of per-process namespace. Confused yet?

All processes within the same mount namespace see the same filesystem.
If I run mount /dev/cdrom /mnt/cdrom in one process, then all
processes in the same namespace will see it mounted. However,
processes in another namespace will NOT see the new mount.

To illustrate, if you are on Linux with util-linux installed, launch
two root shells, and in one execute:

mkdir /tmp/foo
touch /tmp/foo/a
unshare -m /bin/bash
mount -t tmpfs none /tmp/foo
touch /tmp/foo/b
ls /tmp/foo

Then run ls /tmp/foo in your other process. They'll see two different
directories, because the tmpfs mounted in the separate namespace
created by unshare is not visible to any other process. To clean up
within the namespace, umount /tmp/foo and exit (I have no idea if it is
possible to unmount the tmpfs if you exit first, or if the kernel does
it for you).

The possibilities are endless. You could mount an encrypted home for
a user and make it visible only to the user. Containers are an
obvious way to use them.

Systemd lets you configure daemons to have restricted access to the
filesystem as well - either read-only, or not at all - by directory.
I assume it just clones the mount namespace, and then sets up
bind-mounts to implement this before dropping root and launching the
process.

Rich
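Added example, not part of Rich's message or the thread: a small Python script that parses the /proc/<pid>/mountinfo format and compares the /proc/<pid>/ns/mnt links, which is how you can verify from outside that the unshare'd shell above, or a daemon systemd has restricted, really has its own view of the filesystem. The mountinfo lines are constructed to mirror the /tmp/foo demo plus a read-only bind mount of /etc (an assumed example of the per-directory restriction mentioned above); such a bind mount shows "ro" in the per-mount options field while the superblock options still read "rw".

```python
import os
from dataclasses import dataclass


@dataclass
class Mount:
    mount_point: str
    fs_type: str
    source: str
    read_only: bool  # per-mount "ro" flag, which a read-only bind mount sets


def parse_mountinfo(text):
    """Parse /proc/<pid>/mountinfo (see proc(5)). Before the lone '-' come
    id, parent, major:minor, root, mount point, per-mount options and optional
    tags; after it come fs type, source and superblock options."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        fields = pre.split()
        point = fields[4].replace("\\040", " ")  # spaces are octal-escaped
        per_mount_opts = fields[5].split(",")
        fs_type, source = post.split()[:2]
        mounts.append(Mount(point, fs_type, source, "ro" in per_mount_opts))
    return mounts


def diff_views(a, b):
    """Mount points visible only in view a, and only in view b."""
    pa = {m.mount_point for m in a}
    pb = {m.mount_point for m in b}
    return sorted(pa - pb), sorted(pb - pa)


def read_only_mounts(mounts):
    return sorted(m.mount_point for m in mounts if m.read_only)


def same_mount_namespace(pid_a, pid_b):
    """The kernel exposes each namespace as a symlink like 'mnt:[4026531840]';
    equal link targets mean the two processes share one mount namespace."""
    return os.readlink(f"/proc/{pid_a}/ns/mnt") == os.readlink(f"/proc/{pid_b}/ns/mnt")


# Constructed sample data (not captured from a real host).
# The original shell's view of the filesystem ...
SAMPLE_PARENT = """\
21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,data=ordered
22 21 0:19 / /proc rw,nosuid,nodev,noexec,relatime shared:2 - proc proc rw
23 21 0:5 / /dev rw,nosuid,relatime shared:3 - devtmpfs udev rw,size=4096k
"""
# ... and the "unshare -m" shell's view after "mount -t tmpfs none /tmp/foo",
# plus an assumed read-only bind mount of /etc like a restricted daemon gets.
SAMPLE_CHILD = """\
21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,data=ordered
22 21 0:19 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
23 21 0:5 / /dev rw,nosuid,relatime - devtmpfs udev rw,size=4096k
40 21 0:35 / /tmp/foo rw,relatime - tmpfs none rw
41 21 8:1 /etc /etc ro,relatime - ext4 /dev/sda1 rw,data=ordered
"""

if __name__ == "__main__":
    parent, child = parse_mountinfo(SAMPLE_PARENT), parse_mountinfo(SAMPLE_CHILD)
    print("only in the unshare'd view:", diff_views(parent, child)[1])
    print("read-only in that view:", read_only_mounts(child))
    try:  # reading /proc/1/ns/mnt needs root (or CAP_SYS_PTRACE)
        print("this process shares init's mount ns:", same_mount_namespace(1, os.getpid()))
    except OSError as exc:
        print("cannot compare with PID 1:", exc)
```

Run it as root inside and outside the unshare'd shell and same_mount_namespace(1, ...) answers the question of which shell got the private view; the kernel discards that namespace, and the tmpfs mounted only there, once the last process in it exits.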