lizrice / containers-from-scratch

Writing a container in a few lines of Go code, as seen at DockerCon 2017 and on O'Reilly Safari

Home Page: http://lizrice.com


CLONE_NEWNS needs MS_PRIVATE on / before fork?

mlvnd opened this issue · comments

Hi Liz,

I've been following "Building Containers from Scratch with Go on Safari".
Thank you very much for this course, I love it!

I hope you can shine some light on an issue I'm having with "Container Process IDs and Mounts in Go". Somehow CLONE_NEWNS doesn't hide my mount-points in the container from the host, so running mount | grep something on the host still shows mount-points from the container.
After a bit of researching, I was able to hide them, but only after setting the mount option MS_PRIVATE on / before forking. I'm running Ubuntu 16.04.3 LTS with the 4.4.0-101-generic kernel by the way.

Does this sound familiar to you?

Regards, and thanks again,

Mel.

Hi @mlvnd, thanks for your very kind comments!

Yes, it does sound familiar. I have a note to myself somewhere about mounting root with the --make-rprivate flag so that mount points aren't shared. Sounds like setting the MS_PRIVATE flag is the better way of achieving this - thank you so much for letting me know about it!

Hi @lizrice,

You're welcome. I can submit a PR if you like. I got it working like this, but maybe there are other/better ways:

```go
// in the parent, before the child is started in its new mount namespace
must(syscall.Mount("", "/", "", syscall.MS_PRIVATE|syscall.MS_REC, ""))
must(cmd.Run())
```

That sounds good!

But now you have got me wondering whether it would work to make a similar call to mount() with the private + recursive flags in the child, after the chroot? If that worked, it would only affect the part of the host file system that the container is using, which would be nice...

I haven't tried it, and I'd accept your PR as proposed - I'm just curious so if you happen to have time to try it out, let me know how it goes!

Hi @lizrice,

I tested your proposal and it works great! However, I spent some more time researching and noticed that this problem was marked as a bug in Go, which got fixed in 1.9 (see os/exec: handle Unshareflags with CLONE_NEWNS for more info). I'd guess you would agree this is an even nicer solution. :)

Thanks Liz!
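As an added example (not code from the repository or from either participant), here is a minimal run/child program that applies the child-side remount proposed above, plus a helper that reads a /proc/self/mountinfo line and tells you whether a mount is in a shared peer group, which is the condition that makes container mounts leak to the host in the first place. It assumes Linux, root, and the mountinfo column layout from proc(5) (optional fields start at column 7 and end at the "-" separator); the helper name sharedMount is mine. It uses Cloneflags with an explicit MS_PRIVATE|MS_REC as the course code does; on Go 1.9 and later, passing CLONE_NEWNS via Unshareflags instead performs the same remount automatically.

```go
package main

import (
	"os"
	"os/exec"
	"strings"
	"syscall"
)

// sharedMount reports whether one /proc/self/mountinfo line describes a mount
// in a shared peer group (a "shared:N" tag among the optional fields, which
// end at the "-" separator). Sub-mounts made under a shared mount propagate
// to its peers, i.e. back to the host, even from inside a new mount namespace.
func sharedMount(line string) bool {
	f := strings.Fields(line)
	for i := 6; i < len(f) && f[i] != "-"; i++ {
		if strings.HasPrefix(f[i], "shared:") {
			return true
		}
	}
	return false
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Usage (as root): go run . run /bin/sh   -- the parent re-executes itself as
// "child" in new mount and PID namespaces; the child makes "/" recursively
// private first, so on a systemd host (where "/" is "shared") its /proc mount
// no longer shows up in "mount" on the host.
func main() {
	stdio := func(c *exec.Cmd) { c.Stdin, c.Stdout, c.Stderr = os.Stdin, os.Stdout, os.Stderr }
	switch os.Args[1] {
	case "run":
		cmd := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[2:]...)...)
		stdio(cmd)
		cmd.SysProcAttr = &syscall.SysProcAttr{Cloneflags: syscall.CLONE_NEWNS | syscall.CLONE_NEWPID}
		must(cmd.Run())
	case "child":
		must(syscall.Mount("", "/", "", syscall.MS_PRIVATE|syscall.MS_REC, "")) // mount --make-rprivate /
		must(syscall.Mount("proc", "/proc", "proc", 0, ""))                   // stays inside the namespace
		cmd := exec.Command(os.Args[2], os.Args[3:]...)
		stdio(cmd)
		must(cmd.Run())
		must(syscall.Unmount("/proc", 0))
	}
}
```

To check your own host before and after the remount, run grep ' / / ' /proc/self/mountinfo and look for a shared:N tag; the child process will show none once the MS_PRIVATE|MS_REC mount has run.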