Use mount namespace instead of chroot #62
Conversation
|
I would like to get #61 merged first and I will rebase it. I keep it as draft for the moment. |
valentindavid
force-pushed
the
valentindavid/namespace
branch
3 times, most recently
from
de1ca25
to
4d57eb8
Compare
valentindavid
force-pushed
the
valentindavid/namespace
branch
from
4d57eb8
to
1b84617
Compare
| ;; | ||
| esac | ||
| done | ||
| exec unshare --mount --root="${sysroot}" -- "${@}" |
There was a problem hiding this comment.
Maybe it would be good to add comments on why we need to call unshare twice (from spawn, then from init) and why we use exec the second time.
mount-ns.sh
Outdated
| mount -t tmpfs -o mode=1777 tmpfs "${sysroot}/tmp" | ||
| mount -t tmpfs -o mode=0755 tmpfs "${sysroot}/run" | ||
| trap cleanup EXIT | ||
| unshare --pid --fork --mount -- "${0}" init "${sysroot}" "${@}" |
There was a problem hiding this comment.
Please add comment clarifying that you are calling the script again with a different command.
There was a problem hiding this comment.
Done.
I have also noticed there was a potential race condition with the tmpfs when launch multiple time in the same time. So I have changed the tmpfs to be mounted in a temporary directory and bind mounted in the second phase.
valentindavid
force-pushed
the
valentindavid/namespace
branch
from
1b84617
to
0382fde
Compare
Namespaces can isolate better than chroot in general. My main reason here is that we can hide the mounts done within the namespace to the rest system. So when the build is done and some mounts were not unmounted properly, it is fine, because they will be removed with the namespace. Mounting of |
This allow to not worry about mounts done within the namespace. We can now bind mount files into the sysroot instead of copying them.
valentindavid
force-pushed
the
valentindavid/namespace
branch
from
0382fde
to
a931362
Compare
This allow to not worry about mounts done within the namespace. We
can now bind mount files into the sysroot instead of copying them.