From: Ximin Luo <infinity0@pwned.gg>
To: Karel Zak <kzak@redhat.com>, "Eric W. Biederman" <ebiederm@xmission.com>
Cc: util-linux@vger.kernel.org
Subject: Re: Bug: for mount namespaces inside a chroot, unshare works but nsenter doesn't
Date: Fri, 10 Nov 2017 14:22:00 +0000 [thread overview]
Message-ID: <a72a1d51-fd15-761b-95a3-a99bd6fca524@pwned.gg> (raw)
In-Reply-To: <20171110131458.7xlnbf7ayvtk7r2r@ws.net.home>
Karel Zak:
> [..]
>
>> My personal recommendation is not to use chroot with persistent mount
>> namespaces. That just seems to keep unnecessary mounts around. Those
>> extra mounts will almost certainly be a problem later when you discover
>> you want to unmount one of those mounted filesystems you don't care
>> about but are chrooting over.
>>
>> I think it would be quite reasonable to have an additional option to
>> open things in the new mount namespace, just before exec. I just don't
>> see how useful it would be.
>
> It would be solution for this use-case, but it will increase
> complexity and I'm not sure this use-case is important enough.
>
> Especially if the all you need is to use chroot command before nsenter.
> I don't think nsenter has to be all-in-one command. It's very basic
> tool.
>
My nsenter code may be run inside or outside a chroot, I have no control over that in the general case - users decide whether they want to run it inside a chroot or not.
The issue with using the chroot(1) command is that you must give it the path to the chroot *from outside the chroot*. I don't know of a clean way to figure this out from my code, which starts life running from inside the chroot and just wants to unshare part of the tree that it sees there.
An option to open root/wd in the new ns sounds like it would allow me (and others) to write code that is chroot-independent. I'd very much appreciate that.
X
--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
Thread overview: 6+ messages
2017-10-27 18:07 Bug: for mount namespaces inside a chroot, unshare works but nsenter doesn't Ximin Luo
2017-11-03 13:33 ` Karel Zak
2017-11-09 22:54 ` Eric W. Biederman
2017-11-10 13:14 ` Karel Zak
2017-11-10 14:22 ` Ximin Luo [this message]
2017-11-24 13:09 ` Ximin Luo