来自

xianlubird/mydocker#41 (comment) ``` // systemd 加入linux之后, mount namespace 就变成 shared by default, 所以你必须显示 //声明你要这个新的mount namespace独立。 syscall.Mount("", "/", "", syscall.MS_PRIVATE | syscall.MS_REC, "") defualtMountFlags := syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV syscall.Mount("proc", "/proc", "proc", uintptr(defualtMountFlags), "") ``` 开个分支测试，如果失败，那么虚拟机回滚
taikulawo · Sep 7, 2019 · 9207121 · 9207121
1 parent 290f93a
commit 9207121
Showing 1 changed file with 23 additions and 16 deletions.
diff --git a/cmd/init.go b/cmd/init.go
@@ -14,8 +14,6 @@ import (
 	"github.com/urfave/cli"
 )
 
-
-
 var InitCommand = cli.Command{
 	Name:  "__DON'T__CALL__wwcdocker__init__",
 	Usage: "Used in Container, User are forbidden to call this command",
@@ -33,20 +31,9 @@ var InitCommand = cli.Command{
 			log.Error(err)
 			return err
 		}
-		pwd, err := os.Getwd()
-		if err != nil {
-			log.Errorf("Get current working directory error. %s", err)
-			return err
-		}
-		if err := container.PivotRoot(pwd); err != nil {
-			log.Errorf("Error when call pivotRoot %v", err)
-			return err
-		}
-		defaultMountFlags := syscall.MS_NOEXEC | syscall.MS_NODEV | syscall.MS_NOSUID
-		if err := syscall.Mount("proc", "/proc", "proc", uintptr(defaultMountFlags), ""); err != nil {
-			return fmt.Errorf("Fail to mount /proc fs in container process. Error: %v", err)
-		}
-		syscall.Mount("tmpfs", "/dev", "tmpfs", syscall.MS_NOSUID|syscall.MS_STRICTATIME, "mode=755")
+
+		setUpMount()
+
 		cmdArrays := strings.Split(b, " ")
 		absolutePath, err := exec.LookPath(cmdArrays[0])
 		args := cmdArrays[1:]
@@ -64,3 +51,23 @@ var InitCommand = cli.Command{
 	Hidden:   true,
 	HideHelp: true,
 }
+
+func setUpMount() error {
+	pwd, err := os.Getwd()
+	if err != nil {
+		log.Errorf("Get current working directory error. %s", err)
+		return err
+	}
+	if err := container.PivotRoot(pwd); err != nil {
+		log.Errorf("Error when call pivotRoot %v", err)
+		return err
+	}
+
+	syscall.Mount("", "/", "", syscall.MS_PRIVATE | syscall.MS_REC, "")
+
+	defaultMountFlags := syscall.MS_NOEXEC | syscall.MS_NODEV | syscall.MS_NOSUID
+	if err := syscall.Mount("proc", "/proc", "proc", uintptr(defaultMountFlags), ""); err != nil {
+		return fmt.Errorf("Fail to mount /proc fs in container process. Error: %v", err)
+	}
+	return syscall.Mount("tmpfs", "/dev", "tmpfs", syscall.MS_NOSUID|syscall.MS_STRICTATIME, "mode=755")
+}