14

So I'm trying to get a handle on how Linux's mount namespace works. So, I did a little experiment and opened up two terminals and ran the following:

Terminal 1

root@goliath:~# mkdir a b
root@goliath:~# touch a/foo.txt
root@goliath:~# unshare --mount -- /bin/bash
root@goliath:~# mount --bind a b
root@goliath:~# ls b
foo.txt

Terminal 2

root@goliath:~# ls b
foo.txt

How come the mount is visible in Terminal 2? Since it is not part of the mount namespace I expected the directory to appear empty here. I also tried passing -o shared=no and using --make-private options with mount, but I got the same result.

What am I missing and how can I make it actually private?

Improve this question
2
  • mounts are system-wide, not specific to a shell environment. shared, slave, private, and unbindable are not what you think they are. read man mount.
    – cas
    Commented Nov 30, 2015 at 4:20
  • 3
    @cas: Agree that --make-private is not what I want. But, isn't that the point of mount namespaces (that they're not system wide)?
    – FatalError
    Commented Nov 30, 2015 at 4:24

3 Answers 3

Reset to default
14

If you are on a systemd-based distribution with a util-linux version less than 2.27, you will see this unintuitive behavior. This is because CLONE_NEWNS propogates flags such as shared depending on a setting in the kernel. This setting is normally private, but systemd changes this to shared. As of util-linux 2.27, a patch was made that changes the default behaviour of the unshare command to use private as the default propagation behaviour as to be more intuitive.

Solution

If you are on a systemd system with util-linux prior to version 2.27, you must remount the root filesystem after running the unshare command:

# unshare --mount -- /bin/bash
# mount --make-private -o remount /

If you are on a systemd system with util-linux version 2.27 or later, it should work as expected in the example you gave in your question, verbatim, without the need to remount. If not, pass --propagation private to the unshare command to force the propagation of the mount namespace to be private.

Improve this answer
0

this not worked in ubuntu, (15.04 and 14.04). it worked on fedora. and for fedora. whether you need --make-private or not, you can also check

cat /proc/self/mountinfo | grep shared

if shared, it means some other namespace still can see that mounts. Then it is systemd related issue. You can use --make-private to make it work

Improve this answer
0

On Debian 9 with util-linux prior to 2.27, Dave's solution does not work for me. However, this works:

mount --make-rprivate -o remount /

Note that there's a prefix r, which means recursively.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .