Reputation: 6494
unshare/isolate mount namespace
I'm trying to set up a linux container with isolated mount namespace using unshare tool from util-linux package :
% sudo unshare -m -f /bin/bash
So I'm expecting that bash will be launched in a namespace, where the mount namespace, i.e. filesystems, will be completely isolated form the host one, however I still can modify the host FS (create/delete files on the host FS). What am I doing wrong here?
Upvotes: 1
Views: 1916
Answers (2)
Reputation: 43115
A mount namespace only creates a separate mount tree by copying the parent tree.
You still have to remount the file systems as read-only, unmount them, mount a tmpfs over them or pivot_root into a clean tree to prevent access. Switching to an umapped user via user namespaces can help to some extent but it won't prevent access to world-readable/writable files.
If you need to setup more complex namespace environments - containers basically - you can use firejail or runc to automate those tasks based on configuration files. systemd-nspawn provides some intermediate featureset between accessing the primitives directly, as unshare does, and container runtimes.
Upvotes: 4
Reputation: 6494
I assume that mount namespace is isolated because mount/unmount in the namespace does not have impact on the host FS. So I think modifying FS is another issue, probably related to userns, but not fully sure about this.
Upvotes: 0
Related Questions
- Injecting a mount into a disjoint mount namespace behind a private mount propagation?
- Does containers in a Kubernetes Pod run in different "mount" namespaces?
- Mount filesystem after clone with CLONE_NEWNS flag
- Propagate a mount from child namespace to the parent namespace?
- unshare mount namespace not working as expected
- why CLONE_NEWNS can not make mount namespace isolated?
- mount() after clone() with CLONE_NEWNS set effects parent
- Docker Namespace in kernel level
- Docker mount namespace
- Docker mount namespace to share between containers