
Linux Namespaces (part 2/5)

Namespace: Mount (mnt)

For a short presentation of how this namespace works, I will use the command chroot. chroot itself has nothing to do with namespaces (at least nothing I know of); it only changes the root directory of a process. Still, I hope that a short example of using chroot first without and then with a mnt namespace will show what the namespace itself adds.

Executing the first command starts a shell process with the directory /directory as its root file system (only in the context of this new shell process and its children). chroot needs root privileges (the CAP_SYS_CHROOT capability), so we run it with sudo:

$ sudo chroot /directory

The above will work, but for this exercise to make sense /directory must contain a basic file system with commands such as "ps" (and others) which we will use. How do we prepare such a file system in a directory? On Debian we can use debootstrap; on other distributions you have to build it yourself, or skip chroot and just improvise a bit. One caveat worth remembering: chroot is not a sandbox. A root process inside a chroot can escape it (for example by creating a second chroot and walking out with ".."), so treat it here as a convenient way to get a separate file tree, not as a security boundary.

When the file system is ready, and we already have executed the chroot command, we can continue:

(chroot)$ ps ax

It turns out that the above will not work: ps reads process information from /proc, and nothing is mounted at /proc inside the new root yet. So we must first mount it:

(chroot)$ mount -t proc proc /proc

Now ps works, however when we will have finished playing with chroot:

(chroot)$ exit

It will turn out that we must also clean up, because the proc file system we mounted at /directory/proc is still mounted in the host's mount table (we can check it by running mount without any parameters, or just by looking at the content of /directory/proc):

$ sudo umount /directory/proc

And now let’s try to make it simpler by using mnt namespace:

$ sudo unshare -m chroot /directory

unshare is a command that creates new namespace(s) and runs the given command inside them (creating a mnt namespace requires the CAP_SYS_ADMIN capability, which is why we use sudo). Let me remind you: every process belongs to exactly one namespace of each type defined in the system. Here all of them except the "mnt" namespace (-m) are inherited from the parent process; the "mnt" namespace is created specifically for this process (it starts as a copy of the parent's mount table, but further mounts and unmounts happen only in this copy), and for now it is used only by this process.

After a standard:

(unshare)$ mount -t proc proc /proc

We can check a few things:

(1) lsns will show us a new "mnt" namespace attributed to the process of our new shell (we can match it by PID: echo $$ prints the process identifier, pid, of the shell; the same identifier is readable as /proc/$$/ns/mnt)

(2) /proc mounted inside the chrooted environment will not be visible in the host system (mount or ls /directory/proc will show us nothing); our chrooted /proc is mounted in another namespace and isolated from the "default" "mnt" namespace. This works because unshare makes the mounts in the new namespace private by default (the --propagation option controls it); if the mount were shared, as the root mount is on most systemd-based systems, a mount event could still propagate between namespaces.

(3) Finishing work with the chrooted shell destroys the newly created namespace (if no other process is using it) and automatically unmounts the /proc file system mounted "inside" the chroot, so nothing is left to clean up.

However, before we finish experimenting with chroot and namespaces (point 3 above), I would like to present a third, and last, command which helps us work with namespaces: nsenter. This command lets us "connect" to any namespace (or a group of namespaces) of a running process. Let's assume that we have the same situation as above, after executing the commands:

$ sudo unshare -m chroot /directory 
(unshare)$ mount -t proc proc /proc
(unshare)$ echo $$

Now, in another terminal we execute the command:

$ sudo lsns 

4026532373 mnt 1 1234 root /bin/bash -i

Let’s assume that we would like to “connect” to this “mnt” namespace with another shell process — for that purpose we could use the command nsenter.

$ sudo nsenter -m -t 1234

And that’s it :) The shell process that will be started after the command will use the same “mnt” NS as the process 1234 — we can check it by, for instance, looking at the mounting points:

(nsenter)$ mount

proc on /.../directory/proc type proc (rw,relatime)

In this particular case (after executing the nsenter command above) we are connected to the "mnt" namespace, but we are not working in the chrooted environment: nsenter -m joins the mount namespace, but the root directory of our new shell is still the host's /, which is why the mount point shows up under the full host path. If you also want the root directory of the target process, add -r (--root), which chroots the new shell to the target's root. Obviously this has consequences, and I recommend experimenting with both environments: the one created by unshare + chroot and the one created by nsenter!
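The whole experiment from above, as an added example script that is not part of the original article: it starts a process in its own mnt namespace that mounts proc and chroots into a prepared root file system, checks points (1) to (3) from the host side, joins the namespace with nsenter both with and without -r, and finally checks that nothing was left mounted once the child is gone. It assumes Linux with /proc mounted, util-linux (unshare, nsenter), and a root file system prepared with debootstrap at the path you pass as the first argument (it must contain /bin/sleep and ps, as the article requires); the demo function needs root, the helper functions do not. The function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes Linux with /proc,
# util-linux (unshare, nsenter) and a debootstrap-style root file system
# passed as $1 (with /bin/sleep and ps inside). demo_mnt_ns() needs root.

# Mount-namespace identifier of a process, e.g. "mnt:[4026531841]".
# Two processes share a mnt namespace exactly when these links agree
# (this is the same information lsns prints).
mnt_ns_of() {
    readlink "/proc/$1/ns/mnt"
}

# Exit 0 if both PIDs are in the same mnt namespace, 1 otherwise.
same_mnt_ns() {
    [ "$(mnt_ns_of "$1")" = "$(mnt_ns_of "$2")" ]
}

# Exit 0 if PATH is a mount point in the caller's own mnt namespace.
# /proc/self/mountinfo is the mount table as seen by the reading process;
# field 5 is the mount point.
is_mounted_here() {
    awk -v p="$1" '$5 == p { found = 1 } END { exit !found }' /proc/self/mountinfo
}

# Root-only walk-through of the article's unshare + chroot + nsenter steps.
demo_mnt_ns() {
    rootfs="${1:?usage: demo_mnt_ns /path/to/rootfs}"

    # Child: new private mnt namespace, mount proc, then chroot and sleep so
    # that the host side has a live process to inspect and to nsenter into.
    # unshare execs the command, so $! is the PID of the namespaced process.
    unshare -m --propagation private sh -c \
        'mount -t proc proc "$1/proc" && exec chroot "$1" /bin/sleep 30' \
        sh "$rootfs" &
    child=$!

    # Wait (at most 5 s) until the child has actually left our namespace.
    tries=0
    while same_mnt_ns "$$" "$child"; do
        tries=$((tries + 1))
        [ "$tries" -lt 5 ] || { echo "child never got its own mnt ns" >&2; kill "$child"; return 1; }
        sleep 1
    done

    # (1) the child is in a different mnt namespace than this shell
    echo "host  ns: $(mnt_ns_of "$$")"
    echo "child ns: $(mnt_ns_of "$child")"

    # (2) the proc mount exists in the child's namespace but not in ours
    if is_mounted_here "$rootfs/proc"; then
        echo "host sees $rootfs/proc mounted: propagation leaked" >&2
        kill "$child"; return 1
    fi
    echo "host does not see $rootfs/proc (isolated mount)"

    # nsenter -m alone: same mount table as the child, but our root is still
    # the host's /, so the mount shows under the full host path.
    nsenter -m -t "$child" sh -c 'grep " $1/proc " /proc/self/mountinfo' sh "$rootfs"
    # nsenter -m -r: additionally chroot to the child's root; now ps works
    # against the proc mounted "inside" the chroot, as in the article.
    nsenter -m -r -t "$child" ps ax | head -3

    # (3) when the last process leaves, the namespace and its mounts are gone
    kill "$child"
    wait "$child" 2>/dev/null
    if is_mounted_here "$rootfs/proc"; then
        echo "$rootfs/proc is still mounted on the host" >&2
        return 1
    fi
    echo "child exited; nothing left to unmount"
}

# Run the demo only when a root file system path is given on the command line.
if [ "$#" -gt 0 ]; then
    demo_mnt_ns "$1"
fi
```

Run it as root with the path of the debootstrap tree (sudo sh mnt-ns-demo.sh /directory). The --propagation private flag is already the default of unshare -m; it is written out because that default is exactly what makes check (2) pass, and it is the setting to look at first if a mount ever does leak to the host.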

And that's all that I found interesting during my tests with the "mnt" namespace. I hope you enjoyed it! Next week I will write a few words about three namespaces: UTS, user and IPC.

<< Linux Namespaces (part 1/5) | Linux Namespaces (part 3/5) >>


