File lock (flock) in another namespace.

I am working on various projects rely on a privileged container(Docker), in which case the process running inside the container will have the ability to switch namespace to the host. Sometimes, we want to make sure certain thing won't happen simultaneously on the host in the case of multiple instances of the container is running. But bind-mount an additional directory just for this purpose seems unnecessarily cumbersome, and especially we already have the ability to switch to the host namespace (especially mount namespace) for certain operations.

But as a Go program, it's hard to hold a file descriptor in another namespace to perform flock operation, since nsenter, which is the easiest way to switch namespace, is a bash program. Of course, you can call setns syscall used by nsenter to get the process into the new namespace, though that means you got to rewrite the nsenter just for grabbing a lock.

This library provides a reliable way to do so without rewrite nsenter.

The target is simply: simulate the behavior of flock in another namespace.

The most import behavior of flock is:

The lock will expire immediately when the process holding file descriptor exits.

It's the key reason why we don't want to create a file in the other namespace to simulate the lock. In that case, the crash of process holding the lock will result in infinitely blocking all the following processes.

For flock, since it's only related to opened file descriptor, as soon as the file descriptor is closed (e.g. unlock, or process crashed so OS release all its resources), the lock will expire.