When running the unshare command (man 1 unshare), which allows executing a command in a separate namespace from the shell, why do I still see all processes from the host? Is the PID namespace not unshared by design?
Thanks.
unshare unshares only those namespaces that you have set via options. Please also take a special look at the --mount-proc option (quote from unshare(1)):
Just before running the program, mount the proc filesystem at mountpoint (default is /proc). This is useful when creating a new PID namespace. It also implies creating a new mount namespace since the /proc mount would otherwise mess up existing programs on the system. The new proc filesystem is explicitly mounted as private (with MS_PRIVATE|MS_REC).
This is important as the ps command reads PIDs from the /proc filesystem (see ps(1)):
This ps works by reading the virtual files in /proc.
See also pid_namespaces(7):
After creating a new PID namespace, it is useful for the child to <...> mount a new procfs instance at /proc so that tools such as ps(1) work correctly.
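The following script is an added example (not part of the question or answer above) that makes the difference visible: a new PID namespace that keeps the inherited /proc still shows every host PID, while --mount-proc gives the new namespace its own procfs. It assumes util-linux unshare(1) and a kernel that permits unprivileged user namespaces; --user and --map-root-user are only there so the demo runs without root.

```shell
#!/bin/sh
# Added example: contrast a new PID namespace that inherits the host's /proc
# with one that gets its own procfs via --mount-proc.
# Assumes util-linux unshare(1) and unprivileged user namespaces (--user,
# --map-root-user are used only so this runs without root).

# Return 0 when this kernel/container lets us create the namespaces we need.
unshare_available() {
    unshare --user --map-root-user --pid --fork --mount-proc true 2>/dev/null
}

# Count numeric entries (PIDs) visible in /proc from inside a fresh PID
# namespace. $1 is "with" or "without", selecting --mount-proc.
pids_visible_in_new_ns() {
    if [ "$1" = with ]; then
        extra=--mount-proc
    else
        extra=
    fi
    unshare --user --map-root-user --pid --fork $extra \
        sh -c 'ls /proc | grep -c "^[0-9]"'
}

# What the shell itself thinks its PID is inside the new namespace
# (1 with --fork), regardless of which /proc is mounted.
shell_pid_in_new_ns() {
    unshare --user --map-root-user --pid --fork sh -c 'echo $$'
}

if unshare_available; then
    echo "shell PID in new ns:     $(shell_pid_in_new_ns)"
    echo "PIDs in inherited /proc: $(pids_visible_in_new_ns without)"  # host view
    echo "PIDs with --mount-proc:  $(pids_visible_in_new_ns with)"     # new ns only
else
    echo "unshare with user+pid namespaces is not permitted here"
fi
```

The second line of output is what the question observed: the process is PID 1 in its own namespace, yet ps and ls /proc still list the host because /proc was never remounted.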