创建新的名字空间

#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

static char child_stack[1048576];

static int child_fn() {
	printf("PID: %ld\n", (long)getpid());
	sleep(100000);
	return 0;
}

int main(int ac, char** av) {
	int ch;
	int flag = SIGCHLD;
	while((ch = getopt(ac, av, "pmnuU")) != -1) {
		switch(ch) {
			case 'p':
				flag |= CLONE_NEWPID;break;
			case 'm':
				flag |= CLONE_NEWNS;break;
			case 'n':
				flag |= CLONE_NEWNET;break;
			case 'u':
				flag |= CLONE_NEWUTS;break;
			case 'U':
				flag |= CLONE_NEWUSER;break;
		}
	}

	pid_t child_pid = clone(child_fn, child_stack+1048576, flag, NULL);
	printf("clone() = %ld\n", (long)child_pid);

	waitpid(child_pid, NULL, 0);
	return 0;
}

#define _GNU_SOURCE

#include <sched.h>

#include <stdio.h>

#include <stdlib.h>

#include <sys/wait.h>

#include <unistd.h>

static char child_stack[1048576];

static int child_fn() {

printf("PID: %ld\n", (long)getpid());

sleep(100000);

return 0;

}

int main(int ac, char** av) {

int ch;

int flag = SIGCHLD;

while((ch = getopt(ac, av, "pmnuU")) != -1) {

switch(ch) {

case 'p':

flag |= CLONE_NEWPID;break;

case 'm':

flag |= CLONE_NEWNS;break;

case 'n':

flag |= CLONE_NEWNET;break;

case 'u':

flag |= CLONE_NEWUTS;break;

case 'U':

flag |= CLONE_NEWUSER;break;

}

pid_t child_pid = clone(child_fn, child_stack+1048576, flag, NULL);

printf("clone() = %ld\n", (long)child_pid);

waitpid(child_pid, NULL, 0);

return 0;

}

功能：创建新的名字空间，并使得进程处于sleep状态，可以随时nsenter进来

测试 mnt 时发现，似乎并没有实现mount的隔离；测试方法：

./new-namespace -m &

然后使用nsenter，分别在名字空间内外查看 /proc/self/mountinfo 的内容，发现如何操作，内外都是一致的。

注意：需要和pid名字空间一起使用：

./new-namespace -m -p &amp;
nsenter -m -p -t $pid

1 2	./new-namespace -m -p & nsenter -m -p -t $pid

参考： https://www.toptal.com/linux/separation-anxiety-isolating-your-system-with-linux-namespaces

加入对话

取消回复