Why unshare -p does not imply -f and --mount-proc?Why is my bind mount visible outside its mount...
What is the proper name for a circle with a line through it?
How do I ask for 2-3 days per week remote work in a job interview?
What is the opposite of "hunger level"?
How to get locks that are keyed alike?
If a person claims to know anything could it be disproven by saying 'prove that we are not in a simulation'?
Will some rockets really collapse under their own weight?
Source that you can't tell your wife not to lend to others
Did Pope Urban II issue the papal bull "terra nullius" in 1095?
Why do so many people play out of turn on the last lead?
How to prevent criminal gangs from making/buying guns?
What if a restaurant suddenly cannot accept credit cards, and the customer has no cash?
Help, I cannot decide when to start the story
How can I shoot a bow using Strength instead of Dexterity?
Is it really Security Misconfiguration to show a version number?
How to measure if Scrum Master is making a difference and when to give up
Adding things to bunches of things vs multiplication
Are there any cons in using rounded corners for bar graphs?
What exactly happened to the 18 crew members who were reported as "missing" in "Q Who"?
Why do my bicycle brakes get worse and feel more 'squishy" over time?
Can someone with Extra Attack do a Commander Strike BEFORE he throws a net?
Escape Velocity - Won't the orbital path just become larger with higher initial velocity?
How can I communicate my issues with a potential date's pushy behavior?
Does an Irish VISA WARNING count as "refused entry at the border of any country other than the UK?"
Did Michelle Obama have a staff of 23; and Melania have a staff of 4?
Why unshare -p does not imply -f and --mount-proc?
Why is my bind mount visible outside its mount namespace?when use systemd start ntpd mount namespace is different from pid 1Why does unshare based killing only work reliably with --fork?Why do I get permission denied when using unshare?Why are Linux namespace links in /proc red in color?Why can I not bind a mount namespace to a fileAbout mounting and umounting inherited mounts inside a newly-created mount namespace
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
The man page specifies that you may be interested in using --fork and --mount-proc when creating a PID namespace, but why those options are not default?
process namespace unshare
edited yesterday
Yilmaz
1311 silver badge10 bronze badges
asked yesterday
jacjac
93 bronze badges
New contributor
jac is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
The man page specifies that you may be interested in using --fork and --mount-proc when creating a PID namespace, but why those options are not default?
process namespace unshare
edited yesterday
Yilmaz
1311 silver badge10 bronze badges
asked yesterday
jacjac
93 bronze badges
New contributor
jac is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
The man page specifies that you may be interested in using --fork and --mount-proc when creating a PID namespace, but why those options are not default?
process namespace unshare
edited yesterday
Yilmaz
1311 silver badge10 bronze badges
asked yesterday
jacjac
93 bronze badges
New contributor
jac is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
The man page specifies that you may be interested in using --fork and --mount-proc when creating a PID namespace, but why those options are not default?
process namespace unshare
process namespace unshare
edited yesterday
Yilmaz
1311 silver badge10 bronze badges
asked yesterday
jacjac
93 bronze badges
New contributor
jac is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited yesterday
Yilmaz
1311 silver badge10 bronze badges
asked yesterday
jacjac
93 bronze badges
New contributor
jac is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited yesterday
Yilmaz
1311 silver badge10 bronze badges
edited yesterday
Yilmaz
1311 silver badge10 bronze badges
edited yesterday
Yilmaz
1311 silver badge10 bronze badges
1311 silver badge10 bronze badges
asked yesterday
jacjac
93 bronze badges
New contributor
jac is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked yesterday
jacjac
93 bronze badges
asked yesterday
jacjac
93 bronze badges
93 bronze badges
New contributor
jac is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
jac is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Linux namespaces are created using the unshare(2) system call. The unshare program is simply a thin wrapper around the unshare(2) system call that exposes namespace functionality in a way that remains close to as flexible as the underlying system call.
For most namespaces, unshare(2) modifies the calling processes runtime environment, detaching it from the parent namespace, and associating it with a new, typically empty namespace. For example a process that unshares itself from the network namespace immediately sees a new, empty network namespace with no devices.
The PID namespace, however works differently. When unshare() is called to detach a PID namespace, it doesn't modify the calling processes runtime environment, but instead causes the child process after a fork() to enter the new pid namespace, and receive PID 1 within the new namespace. The PID 1 is reserved for the init process.
As to likely reasons why the --fork and --mount-proc are not the default options:
--forkis likely not the default as no other namespace requires a fork, and having the--forkas a separate options keeps the behavior of the--pidoption consistent with how the other namespace options map directly tounshare(2)flags.--mount-procis likely not the default as it implies a mount namespace (--mount), and this similarly to--forkperforms additional actions besidesunshare(2)with the appropriate flags.
To properly make use of PID namespaces requires a special program that is purposefully designed to take the role of init within the new namespace. Inside the new PID namespace, the process with pid 1 has three unique features when compared to other processes:
1) It does automatically receive default signal handers. This means that signals sent to it are ignored unless it the process explicitly registers signal handlers the signals.
2) If another process in the namespace dies before its children, its children will be reparented to the process with pid 1. This allows init to collect the exit status from the process so that the kernel can remove it from the process table.
3) If the process with PID 1 dies, every other process in the pid namespace will be forcibly terminated and the namespace destroyed.
For these reasons application processes usually aren't suitable to run as PID 1 within a PID namespace.
The addition of namespaces for various kernel controlled resources was primarily motivated by container technology, in particular system containers that which offer an environment very similar to conventional virtual machines (VMS) but without the overhead that comes with running a separate kernel simulating hardware to the VMs. Early on as namespaces were introduced to the Linux kernel (mainly between Linux 2.4.19 - 3.8), PID namespaces were introduced after Mount, UTS, IPC, and Network namespaces. Early versions of unshare set a precedent as how the different namespace options were expected to behave.
Before full-fledged container frameworks such as LXC and Docker were available, unshare could be used as a makeshift utility to spawn an init daemon (such as systemd) inside a new container (consisting of a new PID namespace and possibly other unshared namespaces). Such frameworks include their own functionality for launching containers without the need for unshare. Modern versions of systemd also support this functionality without the need for a separate unshare utility.
answered yesterday
Thomas NymanThomas Nyman
21.8k8 gold badges53 silver badges71 bronze badges
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
jac is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f535528%2fwhy-unshare-p-does-not-imply-f-and-mount-proc%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Linux namespaces are created using the unshare(2) system call. The unshare program is simply a thin wrapper around the unshare(2) system call that exposes namespace functionality in a way that remains close to as flexible as the underlying system call.
For most namespaces, unshare(2) modifies the calling processes runtime environment, detaching it from the parent namespace, and associating it with a new, typically empty namespace. For example a process that unshares itself from the network namespace immediately sees a new, empty network namespace with no devices.
The PID namespace, however works differently. When unshare() is called to detach a PID namespace, it doesn't modify the calling processes runtime environment, but instead causes the child process after a fork() to enter the new pid namespace, and receive PID 1 within the new namespace. The PID 1 is reserved for the init process.
As to likely reasons why the --fork and --mount-proc are not the default options:
--forkis likely not the default as no other namespace requires a fork, and having the--forkas a separate options keeps the behavior of the--pidoption consistent with how the other namespace options map directly tounshare(2)flags.--mount-procis likely not the default as it implies a mount namespace (--mount), and this similarly to--forkperforms additional actions besidesunshare(2)with the appropriate flags.
To properly make use of PID namespaces requires a special program that is purposefully designed to take the role of init within the new namespace. Inside the new PID namespace, the process with pid 1 has three unique features when compared to other processes:
1) It does automatically receive default signal handers. This means that signals sent to it are ignored unless it the process explicitly registers signal handlers the signals.
2) If another process in the namespace dies before its children, its children will be reparented to the process with pid 1. This allows init to collect the exit status from the process so that the kernel can remove it from the process table.
3) If the process with PID 1 dies, every other process in the pid namespace will be forcibly terminated and the namespace destroyed.
For these reasons application processes usually aren't suitable to run as PID 1 within a PID namespace.
The addition of namespaces for various kernel controlled resources was primarily motivated by container technology, in particular system containers that which offer an environment very similar to conventional virtual machines (VMS) but without the overhead that comes with running a separate kernel simulating hardware to the VMs. Early on as namespaces were introduced to the Linux kernel (mainly between Linux 2.4.19 - 3.8), PID namespaces were introduced after Mount, UTS, IPC, and Network namespaces. Early versions of unshare set a precedent as how the different namespace options were expected to behave.
Before full-fledged container frameworks such as LXC and Docker were available, unshare could be used as a makeshift utility to spawn an init daemon (such as systemd) inside a new container (consisting of a new PID namespace and possibly other unshared namespaces). Such frameworks include their own functionality for launching containers without the need for unshare. Modern versions of systemd also support this functionality without the need for a separate unshare utility.
answered yesterday
Thomas NymanThomas Nyman
21.8k8 gold badges53 silver badges71 bronze badges
add a comment |
Linux namespaces are created using the unshare(2) system call. The unshare program is simply a thin wrapper around the unshare(2) system call that exposes namespace functionality in a way that remains close to as flexible as the underlying system call.
For most namespaces, unshare(2) modifies the calling processes runtime environment, detaching it from the parent namespace, and associating it with a new, typically empty namespace. For example a process that unshares itself from the network namespace immediately sees a new, empty network namespace with no devices.
The PID namespace, however works differently. When unshare() is called to detach a PID namespace, it doesn't modify the calling processes runtime environment, but instead causes the child process after a fork() to enter the new pid namespace, and receive PID 1 within the new namespace. The PID 1 is reserved for the init process.
As to likely reasons why the --fork and --mount-proc are not the default options:
--forkis likely not the default as no other namespace requires a fork, and having the--forkas a separate options keeps the behavior of the--pidoption consistent with how the other namespace options map directly tounshare(2)flags.--mount-procis likely not the default as it implies a mount namespace (--mount), and this similarly to--forkperforms additional actions besidesunshare(2)with the appropriate flags.
To properly make use of PID namespaces requires a special program that is purposefully designed to take the role of init within the new namespace. Inside the new PID namespace, the process with pid 1 has three unique features when compared to other processes:
1) It does automatically receive default signal handers. This means that signals sent to it are ignored unless it the process explicitly registers signal handlers the signals.
2) If another process in the namespace dies before its children, its children will be reparented to the process with pid 1. This allows init to collect the exit status from the process so that the kernel can remove it from the process table.
3) If the process with PID 1 dies, every other process in the pid namespace will be forcibly terminated and the namespace destroyed.
For these reasons application processes usually aren't suitable to run as PID 1 within a PID namespace.
The addition of namespaces for various kernel controlled resources was primarily motivated by container technology, in particular system containers that which offer an environment very similar to conventional virtual machines (VMS) but without the overhead that comes with running a separate kernel simulating hardware to the VMs. Early on as namespaces were introduced to the Linux kernel (mainly between Linux 2.4.19 - 3.8), PID namespaces were introduced after Mount, UTS, IPC, and Network namespaces. Early versions of unshare set a precedent as how the different namespace options were expected to behave.
Before full-fledged container frameworks such as LXC and Docker were available, unshare could be used as a makeshift utility to spawn an init daemon (such as systemd) inside a new container (consisting of a new PID namespace and possibly other unshared namespaces). Such frameworks include their own functionality for launching containers without the need for unshare. Modern versions of systemd also support this functionality without the need for a separate unshare utility.
answered yesterday
Thomas NymanThomas Nyman
21.8k8 gold badges53 silver badges71 bronze badges
add a comment |
Linux namespaces are created using the unshare(2) system call. The unshare program is simply a thin wrapper around the unshare(2) system call that exposes namespace functionality in a way that remains close to as flexible as the underlying system call.
For most namespaces, unshare(2) modifies the calling processes runtime environment, detaching it from the parent namespace, and associating it with a new, typically empty namespace. For example a process that unshares itself from the network namespace immediately sees a new, empty network namespace with no devices.
The PID namespace, however works differently. When unshare() is called to detach a PID namespace, it doesn't modify the calling processes runtime environment, but instead causes the child process after a fork() to enter the new pid namespace, and receive PID 1 within the new namespace. The PID 1 is reserved for the init process.
As to likely reasons why the --fork and --mount-proc are not the default options:
--forkis likely not the default as no other namespace requires a fork, and having the--forkas a separate options keeps the behavior of the--pidoption consistent with how the other namespace options map directly tounshare(2)flags.--mount-procis likely not the default as it implies a mount namespace (--mount), and this similarly to--forkperforms additional actions besidesunshare(2)with the appropriate flags.
To properly make use of PID namespaces requires a special program that is purposefully designed to take the role of init within the new namespace. Inside the new PID namespace, the process with pid 1 has three unique features when compared to other processes:
1) It does automatically receive default signal handers. This means that signals sent to it are ignored unless it the process explicitly registers signal handlers the signals.
2) If another process in the namespace dies before its children, its children will be reparented to the process with pid 1. This allows init to collect the exit status from the process so that the kernel can remove it from the process table.
3) If the process with PID 1 dies, every other process in the pid namespace will be forcibly terminated and the namespace destroyed.
For these reasons application processes usually aren't suitable to run as PID 1 within a PID namespace.
The addition of namespaces for various kernel controlled resources was primarily motivated by container technology, in particular system containers that which offer an environment very similar to conventional virtual machines (VMS) but without the overhead that comes with running a separate kernel simulating hardware to the VMs. Early on as namespaces were introduced to the Linux kernel (mainly between Linux 2.4.19 - 3.8), PID namespaces were introduced after Mount, UTS, IPC, and Network namespaces. Early versions of unshare set a precedent as how the different namespace options were expected to behave.
Before full-fledged container frameworks such as LXC and Docker were available, unshare could be used as a makeshift utility to spawn an init daemon (such as systemd) inside a new container (consisting of a new PID namespace and possibly other unshared namespaces). Such frameworks include their own functionality for launching containers without the need for unshare. Modern versions of systemd also support this functionality without the need for a separate unshare utility.
answered yesterday
Thomas NymanThomas Nyman
21.8k8 gold badges53 silver badges71 bronze badges
Linux namespaces are created using the unshare(2) system call. The unshare program is simply a thin wrapper around the unshare(2) system call that exposes namespace functionality in a way that remains close to as flexible as the underlying system call.
For most namespaces, unshare(2) modifies the calling processes runtime environment, detaching it from the parent namespace, and associating it with a new, typically empty namespace. For example a process that unshares itself from the network namespace immediately sees a new, empty network namespace with no devices.
The PID namespace, however works differently. When unshare() is called to detach a PID namespace, it doesn't modify the calling processes runtime environment, but instead causes the child process after a fork() to enter the new pid namespace, and receive PID 1 within the new namespace. The PID 1 is reserved for the init process.
As to likely reasons why the --fork and --mount-proc are not the default options:
--forkis likely not the default as no other namespace requires a fork, and having the--forkas a separate options keeps the behavior of the--pidoption consistent with how the other namespace options map directly tounshare(2)flags.--mount-procis likely not the default as it implies a mount namespace (--mount), and this similarly to--forkperforms additional actions besidesunshare(2)with the appropriate flags.
To properly make use of PID namespaces requires a special program that is purposefully designed to take the role of init within the new namespace. Inside the new PID namespace, the process with pid 1 has three unique features when compared to other processes:
1) It does automatically receive default signal handers. This means that signals sent to it are ignored unless it the process explicitly registers signal handlers the signals.
2) If another process in the namespace dies before its children, its children will be reparented to the process with pid 1. This allows init to collect the exit status from the process so that the kernel can remove it from the process table.
3) If the process with PID 1 dies, every other process in the pid namespace will be forcibly terminated and the namespace destroyed.
For these reasons application processes usually aren't suitable to run as PID 1 within a PID namespace.
The addition of namespaces for various kernel controlled resources was primarily motivated by container technology, in particular system containers that which offer an environment very similar to conventional virtual machines (VMS) but without the overhead that comes with running a separate kernel simulating hardware to the VMs. Early on as namespaces were introduced to the Linux kernel (mainly between Linux 2.4.19 - 3.8), PID namespaces were introduced after Mount, UTS, IPC, and Network namespaces. Early versions of unshare set a precedent as how the different namespace options were expected to behave.
Before full-fledged container frameworks such as LXC and Docker were available, unshare could be used as a makeshift utility to spawn an init daemon (such as systemd) inside a new container (consisting of a new PID namespace and possibly other unshared namespaces). Such frameworks include their own functionality for launching containers without the need for unshare. Modern versions of systemd also support this functionality without the need for a separate unshare utility.
answered yesterday
Thomas NymanThomas Nyman
21.8k8 gold badges53 silver badges71 bronze badges
edited yesterday
answered yesterday
Thomas NymanThomas Nyman
21.8k8 gold badges53 silver badges71 bronze badges
answered yesterday
Thomas NymanThomas Nyman
21.8k8 gold badges53 silver badges71 bronze badges
answered yesterday
Thomas NymanThomas Nyman
21.8k8 gold badges53 silver badges71 bronze badges
21.8k8 gold badges53 silver badges71 bronze badges
add a comment |
add a comment |
jac is a new contributor. Be nice, and check out our Code of Conduct.
jac is a new contributor. Be nice, and check out our Code of Conduct.
jac is a new contributor. Be nice, and check out our Code of Conduct.
jac is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f535528%2fwhy-unshare-p-does-not-imply-f-and-mount-proc%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
