unshare

Why unshare with chroot does not isolate /dev like /proc?

I am following Container from scratch by Kevin Boone. I have an Alpine mini root filesystem under /mnt/container/. I am a little puzzled about how the mount works with chroot and unshare involved. Without unshare, if we do chroot /mnt/container /bin/sh -l we get a container (kind …

Total answers: 2

How do you get the child pid of `unshare` when using --fork for `nsenter -t <pid>`?

When using unshare --pid --fork, the nsenter command must attach to the child pid, not the unshare pid, to get to the right pid namespace. I can get unshare's pid as follows: unshare --pid --mount --fork --mount-proc bash & …

Total answers: 1

How to log in to a user namespace created by unshare?

How to log in to a user namespace created by unshare -U from another terminal? Asked By: Franc M || Source There's no such thing as "logging in to a user namespace"; a user namespace is not a virtual machine running a login interface, or something …

Total answers: 1

Losing permissions by adding capability?

I observed the following phenomenon that I cannot explain. After adding the CAP_SYS_ADMIN capability, unshare is no longer able to write to /proc/self/setgroups. In fact, writing to this file requires the capability, but that is achieved by changing the user namespace. So why does adding the capability to the …

Total answers: 1

How can I check if cgroups are available on my Linux host?

Is there a command to check if the container services are running on a Linux system? Someone suggested unshare but I am not sure if that is the best way to do it. Asked By: codeforester || Source UPDATE: Upon re-reading your question, …

Total answers: 2

Why does unshare based killing only work reliably with --fork?

From this answer we have learned that you can implement reliable killing of entire process subtrees with Linux PID namespaces via unshare -p. Here is a problem with it that I don't understand: it only works when I use the -f/--fork option to unshare. unshare -fp …

Total answers: 1
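The two questions about `unshare --fork` (finding the child pid for `nsenter -t <pid>`, and why killing a subtree only works reliably with --fork) turn on the same fact: with --fork, the process that `unshare` forks, not `unshare` itself, is PID 1 of the new pid namespace, so that child is what nsenter must target and what a SIGKILL must hit to take the whole namespace down. The script below is an added example written for this listing, not code from any of the posts or their answers. The function names (`child_pid`, `nsenter_child_demo`), the `sleep 600` workload and the `UNSHARE_DEMO` opt-in variable are my own choices; the `unshare`/`nsenter` flags are the ones from util-linux. Only the pid lookup runs unprivileged; the namespace demo needs root (or a kernel that permits unprivileged user namespaces, in which case add `--user --map-root-user` to the `unshare` line).

```sh
#!/bin/sh
# Added example (not from the original posts): locate the pid-namespace init
# that `unshare --pid --fork` creates, enter it with nsenter, and kill it to
# reap the whole subtree. Function names and the UNSHARE_DEMO guard are
# assumptions made for this example.

# child_pid PARENT: print the pid of one child of PARENT, found by scanning
# the PPid field of /proc/*/stat (needs no procps/pgrep). Returns 1 if none.
child_pid() {
    parent=$1
    for st in /proc/[0-9]*/stat; do
        [ -r "$st" ] || continue
        read -r line < "$st" 2>/dev/null || continue
        # The comm field is parenthesised and may contain spaces, so strip
        # everything up to the last ") "; what follows is: state ppid pgrp ...
        rest=${line##*') '}
        set -- $rest
        if [ "$2" = "$parent" ]; then
            p=${st#/proc/}
            echo "${p%/stat}"
            return 0
        fi
    done
    return 1
}

# nsenter_child_demo: start a shell in fresh pid+mount namespaces the way the
# question does, attach through the *child* of unshare (PID 1 of the new
# namespace), then SIGKILL that child so the kernel tears down every process
# in the namespace. Requires root; unprivileged kernels that allow user
# namespaces can use: unshare --user --map-root-user --pid --mount --fork ...
nsenter_child_demo() {
    unshare --pid --mount --fork --mount-proc sh -c 'sleep 600 & sleep 600' &
    unshare_pid=$!
    sleep 1
    init_pid=$(child_pid "$unshare_pid") || { echo "no child of unshare found" >&2; return 1; }
    echo "unshare pid: $unshare_pid, namespace init pid: $init_pid"
    # nsenter -t $unshare_pid would land in the *original* pid namespace;
    # only the forked child lives in the new one.
    nsenter -t "$init_pid" --pid --mount -- sh -c 'echo "inside namespace as pid $$, visible pids:"; ls -d /proc/[0-9]*'
    # Killing PID 1 of a pid namespace kills everything inside it, which is
    # why the --fork variant gives reliable subtree killing.
    kill -KILL "$init_pid"
    wait "$unshare_pid" 2>/dev/null
    echo "namespace gone; unshare exited"
}

# Opt in explicitly, because the demo needs namespace privileges.
if [ "${UNSHARE_DEMO:-0}" = 1 ]; then
    nsenter_child_demo
fi
```

Run it as root with `UNSHARE_DEMO=1 sh unshare_child.sh`: the pid printed by `$$` inside the namespace is small (the nsenter child is the second process in the namespace), and after the kill only the `unshare` exit remains. Without --fork there is no such init to target, because `unshare` would exec the command in the original namespace and only that command's first child would become PID 1.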