I'm running the Go code from this repo https://github.com/lizrice/containers-from-scratch/blob/master/main.go and I'm having a problem with the mount namespace. What the code should do is create a process within its own mount namespace. So if I run the code with `sudo go run main.go run /bin/bash` and I create a file inside the directory `mytemp`, I should be able to see that file from within the newly started process, but if I try to view that file by moving to the rootfs directory on the host, I shouldn't be able to see it thanks to the mount namespace. Unfortunately I still see this file, so it seems that the process I run is not mount namespaced. To run the code, I used this https://github.com/ericchiang/containers-from-scratch/releases/download/v0.1.0/rootfs.tar.gz as a rootfs and moved it under `/home/me`. Then I created a `mytemp` directory to use as the tmpfs mount target. Do you have any idea why the process doesn't get mount namespaced?
Thanks!
This issue could be solved by configuring the host machine mount to be private which does not receive or forward any propagation events to other mounts, vide RedHat - Sharing Mounts.
This command should be executed on your host machine before you create the container:

    $ mount --make-rprivate /
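As an added example (not code from the question, the answer, or the lizrice repository), the following Go snippet shows how to check from inside a process whether `/` is a shared mount, by reading the propagation tags in `/proc/self/mountinfo`, and gives the in-process equivalent of `mount --make-rprivate /` that the child can call right after entering its new mount namespace and before mounting the tmpfs. It assumes Linux and the mountinfo field layout documented in proc(5); the sample mountinfo lines are constructed.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"syscall"
)

// Constructed sample of /proc/self/mountinfo (format per proc(5)): "/" is a
// shared peer, as in the question, while the tmpfs on mytemp is private.
const sampleMountinfo = `27 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 27 0:35 / /home/me/mytemp rw,relatime - tmpfs tmpfs rw`

// isShared reports whether the mount at mountPoint carries a shared:N tag in the
// optional fields (between the options field and the "-" separator); ok is false
// when mountPoint is not present in the mountinfo text at all.
func isShared(mountinfo, mountPoint string) (shared, ok bool) {
	for _, line := range strings.Split(mountinfo, "\n") {
		f := strings.Fields(line)
		if len(f) < 7 || f[4] != mountPoint {
			continue
		}
		for _, t := range f[6:] {
			if t == "-" {
				break
			}
			if strings.HasPrefix(t, "shared:") {
				return true, true
			}
		}
		return false, true
	}
	return false, false
}

// makeRootPrivate is the in-process equivalent of `mount --make-rprivate /`;
// call it in the child after CLONE_NEWNS so later mounts stay in the namespace.
func makeRootPrivate() error {
	return syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, "")
}

func main() {
	data, err := os.ReadFile("/proc/self/mountinfo")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		return
	}
	shared, _ := isShared(string(data), "/")
	fmt.Printf("/ is shared: %v (if true, new mounts propagate to the host)\n", shared)
}
```

If `/` reports shared in the child, a tmpfs mounted there is visible from the host's namespace, which is exactly the symptom in the question; making it private first (or on the host as the answer suggests) stops that propagation.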