On Thu, Jun 04, 2026 at 08:15:35PM +1000, Ralph Ronnquist wrote:
> On Thu, Jun 04, 2026 at 04:03:44AM +0000, Christian Albrecht Goeschel
> Ndjomouo wrote:
> > $ unshare --mount --pid --fork
> > $ mount --bind FS FS/
> > $ cd FS/
> > $ mkdir -p old_root/
> > $ /sbin/pivot_root . old_root/
> > $ cd /
> > $ mount -t proc proc /proc
> > $ umount -l old_root/
> > $ rmdir old_root
> >
> > You should then be able to see the exact same mnt namespace ID.
> >
> > $ ls -l /proc/1/ns/mnt
> > [...] /proc/1/ns/mnt -> 'mnt:[4026533461]'
> > $ nsenter --mount --target 1 -- ls -l /proc/1/ns/mnt
> > [...] /proc/1/ns/mnt -> 'mnt:[4026533461]'
> >
> >
> > Maybe Karel has more to say about this.
> >
> > Anyways I hope this cleared up at least some of the confusion.
>
> Quite subtle, but I can confirm also in my actual setting (which is a
> simple and plain "overlay-boot" example).
>
> I will need a couple of sleeps before I fully grasp that "absolute
> root" notion. However the recipe you outline does bring the desired
> effect of eliminating that namespace escape for me.

I'd suggest using `unshare` to mount the proc:

    unshare --mount --pid --mount-proc

You might also want to add `--root dir`, otherwise `/proc` is mounted
privately in the current root.

Also, note that `nsenter --target 1 -m` enters only the mount
namespace, while `nsenter --target 1 --all` enters all namespaces.

Karel
--
Karel Zak <[email protected]>
http://karelzak.blogspot.com
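The check Christian used above (compare the `mnt:[...]` link target of `/proc/1/ns/mnt` from inside the new root and from `nsenter --target 1`) can be generalised to every namespace type, which is the distinction Karel draws between `-m` and `--all`. The following script is an added example for this thread, not code from util-linux or from any poster; it assumes the Linux `/proc/<pid>/ns/<kind>` symlink layout with targets of the form `kind:[inode]`, and the sample inode values at the bottom are constructed for offline use.

```python
"""Compare the namespace membership of two processes via /proc/<pid>/ns/*.

Added example (not from the thread). Assumes Linux, where each
/proc/<pid>/ns/<kind> is a symlink whose target looks like 'mnt:[4026533461]'.
Two processes share a namespace of a given kind exactly when those inode
numbers are equal.
"""
import os
import re
from typing import Dict, Optional, Tuple

# Namespace kinds exposed under /proc/<pid>/ns on current kernels.
NS_KINDS = ("mnt", "pid", "net", "uts", "ipc", "user", "cgroup")
_LINK_RE = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(target: str) -> Optional[int]:
    """Return the namespace inode from a link target such as 'mnt:[4026533461]',
    or None if the target does not have that shape."""
    m = _LINK_RE.match(target.strip())
    return int(m.group("inode")) if m else None


def read_ns_links(pid: int, kinds=NS_KINDS) -> Dict[str, Optional[int]]:
    """Read /proc/<pid>/ns/<kind> for each kind. Entries that are missing or
    unreadable (kernel lacks that namespace type, or the caller lacks
    permission on the target pid) map to None rather than raising."""
    out: Dict[str, Optional[int]] = {}
    for kind in kinds:
        try:
            out[kind] = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
        except OSError:
            out[kind] = None
    return out


def differing_namespaces(a: Dict[str, Optional[int]],
                         b: Dict[str, Optional[int]]) -> Dict[str, Tuple]:
    """Return {kind: (inode_a, inode_b)} for every kind in which the two
    processes are NOT in the same namespace. A None on either side counts as
    a difference: 'unknown' must never be reported as 'same'."""
    diff: Dict[str, Tuple] = {}
    for kind in sorted(set(a) | set(b)):
        ia, ib = a.get(kind), b.get(kind)
        if ia is None or ib is None or ia != ib:
            diff[kind] = (ia, ib)
    return diff


def shares_all_namespaces(pid_a: int, pid_b: int, kinds=NS_KINDS) -> bool:
    """True only if pid_a and pid_b are in the same namespace for every kind."""
    return not differing_namespaces(read_ns_links(pid_a, kinds),
                                    read_ns_links(pid_b, kinds))


# Constructed sample values (not real inode numbers from any host): a process
# that shares the mount namespace with pid 1 but sits in its own pid namespace,
# i.e. the situation `nsenter -m` alone would not reveal.
SAMPLE_PID1 = {"mnt": 4026533461, "pid": 4026531836}
SAMPLE_CHILD = {"mnt": 4026533461, "pid": 4026533462}


if __name__ == "__main__":
    import sys
    a = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    b = int(sys.argv[2]) if len(sys.argv) > 2 else os.getpid()
    diff = differing_namespaces(read_ns_links(a), read_ns_links(b))
    if not diff:
        print(f"pid {a} and pid {b} share every namespace kind")
    for kind, (ia, ib) in diff.items():
        print(f"{kind}: pid {a} -> {ia}, pid {b} -> {ib}")
```

Run it as `python3 nscheck.py 1 $$` from inside the pivoted root: an empty diff confirms the setup really landed in the same namespaces as pid 1, while a `pid` or `mnt` line shows exactly which kind still differs.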