Linux — Namespaces: Mount Namespace

In the first part of the series we have talked generally about what are namespace and what we can do with them — in case you want to go over it you can use the following link https://medium.com/@boutnaru/linux-namespaces-part-1-dcee9c40fb68. Now we are going to deep dive into the mount namespace.

The goal of mount namespace is to provide isolation regarding the list of mounts as seen by the process/tasks in each namespace. By doing so different processes/tasks that belong to different mount namespaces will see distinct directories hierarchies (https://man7.org/linux/man-pages/man7/mount_namespaces.7.html).

Using “/proc” we can inspect the mounting points visible for specific processes using “/proc/[PID]/mounts, “/proc/[PID]/mountinfo” and “/proc/[PID]/mountstats”. For more information about them I suggest reading https://man7.org/linux/man-pages/man5/proc.5.html. You can see the different outputs when reading the data in different mount namespace — as seen in the screenshot below.

After the implementation of mount namespaces the isolation they have created a problem. Think about a case when we add some device that we want to be visible on every namespace, for that we need to execute a “mount” command on each namespace. To overcome this the shared subtree feature was introduced in kernel 2.6.15 (https://lwn.net/Articles/689856/).

By using shared subtrees we can propagate mount/unmount events between distinct mount namespaces.(https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/storage_administration_guide/sect-using_the_mount_command-mounting-bind). It is designed to work between mounts that are members of the same peer group. Thus, “peer group” is defined as a group of vfsmounts that propagate events between each other (https://www.redhat.com/sysadmin/mount-namespaces).

We can control the propagation using the mount system call by passing one of the following “mountflags”: MS_SHARED, MS_PRIVATE, MS_SLAVE, or MS_UNBINDABLE (https://man7.org/linux/man-pages/man2/mount.2.html). For a detailed description of each flag I encourage you to read the following link https://hechao.li/2020/06/09/Mini-Container-Series-Part-1-Filesystem-Isolation/.

For more information about shared subtrees I suggest reading the kernel documentation (https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt).

See you in my next writeup ;-) You can follow me on twitter — @boutnaru (https://twitter.com/boutnaru).