From 9207121ecaa5f68af7ceba5ff8ff414d312d2c87 Mon Sep 17 00:00:00 2001
From: iamwwc
Date: Sat, 7 Sep 2019 18:56:03 +0800
Subject: [PATCH] =?UTF-8?q?=E6=9D=A5=E8=87=AA=20https://github.com/xianlub?=
 =?UTF-8?q?ird/mydocker/issues/41#issuecomment-478799767?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

```
// systemd 加入linux之后, mount namespace 就变成 shared by default, 所以你必须显示
//声明你要这个新的mount namespace独立。
syscall.Mount("", "/", "", syscall.MS_PRIVATE | syscall.MS_REC, "")
defualtMountFlags := syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV
syscall.Mount("proc", "/proc", "proc", uintptr(defualtMountFlags), "")
```
开个分支测试,如果失败,那么虚拟机回滚
---
 cmd/init.go | 39 +++++++++++++++++++++++----------------
 1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/cmd/init.go b/cmd/init.go
index 6c7a71f..0c5047c 100644
--- a/cmd/init.go
+++ b/cmd/init.go
@@ -14,8 +14,6 @@ import (
 "github.com/urfave/cli"
 )
-
-
 var InitCommand = cli.Command{
 Name: "__DON'T__CALL__wwcdocker__init__",
 Usage: "Used in Container, User are forbidden to call this command",
@@ -33,20 +31,9 @@ var InitCommand = cli.Command{
 log.Error(err)
 return err
 }
- pwd, err := os.Getwd()
- if err != nil {
- log.Errorf("Get current working directory error. %s", err)
- return err
- }
- if err := container.PivotRoot(pwd); err != nil {
- log.Errorf("Error when call pivotRoot %v", err)
- return err
- }
- defaultMountFlags := syscall.MS_NOEXEC | syscall.MS_NODEV | syscall.MS_NOSUID
- if err := syscall.Mount("proc", "/proc", "proc", uintptr(defaultMountFlags), ""); err != nil {
- return fmt.Errorf("Fail to mount /proc fs in container process. Error: %v", err)
- }
- syscall.Mount("tmpfs", "/dev", "tmpfs", syscall.MS_NOSUID|syscall.MS_STRICTATIME, "mode=755")
+
+ setUpMount()
+
 cmdArrays := strings.Split(b, " ")
 absolutePath, err := exec.LookPath(cmdArrays[0])
 args := cmdArrays[1:]
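Review bot: The new `setUpMount()` call in the second hunk discards the error the helper returns, so a failed pivot_root or /proc mount is at most logged and the init process goes on to exec the user's command in whatever filesystem view it happens to have — potentially the host's root, which is exactly the isolation this command exists to establish. The inline code this replaces returned on each of those failures, so this is a regression introduced by the refactor rather than a pre-existing gap. Change the call to `if err := setUpMount(); err != nil { return err }` so the container start aborts instead of continuing unconfined. The enclosing InitCommand action starts before this hunk and continues after it.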
@@ -64,3 +51,23 @@ var InitCommand = cli.Command{
 Hidden: true,
 HideHelp: true,
 }
+
+func setUpMount() error {
+ pwd, err := os.Getwd()
+ if err != nil {
+ log.Errorf("Get current working directory error. %s", err)
+ return err
+ }
+ if err := container.PivotRoot(pwd); err != nil {
+ log.Errorf("Error when call pivotRoot %v", err)
+ return err
+ }
+
+ syscall.Mount("", "/", "", syscall.MS_PRIVATE | syscall.MS_REC, "")
+
+ defaultMountFlags := syscall.MS_NOEXEC | syscall.MS_NODEV | syscall.MS_NOSUID
+ if err := syscall.Mount("proc", "/proc", "proc", uintptr(defaultMountFlags), ""); err != nil {
+ return fmt.Errorf("Fail to mount /proc fs in container process. Error: %v", err)
+ }
+ return syscall.Mount("tmpfs", "/dev", "tmpfs", syscall.MS_NOSUID|syscall.MS_STRICTATIME, "mode=755")
+}
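Review bot: The `syscall.Mount("", "/", "", syscall.MS_PRIVATE | syscall.MS_REC, "")` line in setUpMount runs only after `container.PivotRoot(pwd)` has returned, and its result is dropped, which is the reverse of what the issue comment quoted in the commit message asks for: on a host where mount propagation is shared by default, pivot_root(2) itself is rejected with EINVAL when the parent of the new root or the current root is a shared mount, so the remount has to happen before the pivot to help (unless PivotRoot already does this internally — its body is not visible here). Making the tree private first, and checking that it succeeded, also guarantees that the `/proc` and `/dev` mounts that follow cannot propagate back into the host mount namespace, which is the point of the `MS_REC` flag. The prologue below moves and checks that call; the `/proc` and `/dev` mounts at the end of the function are unchanged. If PivotRoot does turn out to remount `/` private itself, the call here is redundant and should be deleted rather than left unchecked.

```go
func setUpMount() error {
	// … unchanged: os.Getwd and its error check …
	// Mounts propagate as shared by default on systemd hosts; make the whole tree
	// private before pivoting so pivot_root is not rejected with EINVAL and so the
	// /proc and /dev mounts below never leak into the host mount namespace.
	if err := syscall.Mount("", "/", "", syscall.MS_PRIVATE|syscall.MS_REC, ""); err != nil {
		return fmt.Errorf("Fail to make / private before pivot_root. Error: %v", err)
	}
	if err := container.PivotRoot(pwd); err != nil {
		log.Errorf("Error when call pivotRoot %v", err)
		return err
	}
	// … unchanged: /proc and /dev mounts …
}
```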