Linux – View/manipulate mount namespaces in Linux

linuxmountnamespace

Is there any way to view or manipulate the mount namespace for an arbitrary process?

For example, a docker container is running which has a local mount to an NFS server. It can be seen from inside the container, but on the outside, the host has no knowledge of it. With network namespaces this is doable. e.g. pipework

However, I see nothing about this for mount namespaces. Is there an API or sysfs layer exposed to view these mounts and manipulate or create new ones?

Best Answer

Yes. You can look at its /proc/$PID/mountinfo or else you can use the findmnt -N switch - about which findmnt --help says:

-N, --task <tid>
- use alternative namespace (/proc/<tid>/mountinfo file)

findmnt also tracks the PROPAGATION flag which is a mountinfo field which reports on exactly this information - which processes share which mounts.

Also, you can always nsenter any type of namespace you like - provided you have the correct permissions, of course.

 nsenter --help
Usage:
 nsenter [options] <program> [args...]

Options:
 -t, --target <pid>     target process to get namespaces from
 -m, --mount [=<file>]  enter mount namespace
 -u, --uts   [=<file>]  enter UTS namespace (hostname etc)
 -i, --ipc   [=<file>]  enter System V IPC namespace
 -n, --net   [=<file>]  enter network namespace
 -p, --pid   [=<file>]  enter pid namespace
 -U, --user  [=<file>]  enter user namespace
 -S, --setuid <uid>     set uid in user namespace
 -G, --setgid <gid>     set gid in user namespace
 -r, --root  [=<dir>]   set the root directory
 -w, --wd    [=<dir>]   set the working directory
 -F, --no-fork          do not fork before exec'ing <program>

 -h, --help     display this help and exit
 -V, --version  output version information and exit

For more details see nsenter(1).

Related Solutions

Linux – why do Linux bind mounts disappear if the mount point’s inode changes

This is mount propagation. Linux does not enable it by default, but systemd does. If you don't want mounts and unmounts to propagate to the new namespace, you can e.g. run mount --make-rprivate / inside it.. Narrator: this is not mount propagation.

Why is the mount removed on any inode change? Is it just an implementation detail of the mount system, where the mount point is identified by a dentry rather than a simple path?

I would say that the only different you can expect between rm b; mv c b and mv c b, is that it is not possible to observe b as non-existent at any point. I would describe this as a feature which has been deliberately engineered or maintained... I'm not sure to what extent this is true of the historical multi-user Unix system, but it certainly came to be relied upon e.g. to support software updates on a running system.

I... can think of exactly one other specific feature which has been implemented for what you call "inode change" - this was done begrudgingly and is filesystem-specific.

Linux – Understanding how mount namespaces work in Linux

mount namespaces differ in the arrangement of mounted filesystems.

This is very flexible, because mounts can be bind mounts of a sub-directory within a filesystem.

# unshare --mount  # run a shell in a new mount namespace

# mount --bind /usr/bin/ /mnt/
# ls /mnt/cp
/mnt/cp

# exit  # exit the shell, and hence the mount namespace

# ls /mnt/cp
ls: cannot access '/mnt/cp': No such file or directory

You can list your current set of mounts with the findmnt command.

In a full container, the root mount is replaced and you work with an entirely separate tree of mounts. This involves some extra details, such as the pivot_root() system call. You probably don't need to know exactly how to do that. Some details are available here: How to perform chroot with Linux namespaces?

Best Answer

Related Solutions

Linux – why do Linux bind mounts disappear if the mount point’s inode changes

Linux – Understanding how mount namespaces work in Linux

Related Question