NIS<\/a><\/strong>\uff09\u3002<\/p>\n\u6587\u4ef6\u540d:uts.c<\/strong><\/p>\n#define _GNU_SOURCE \r\n#include <sys\/types.h>\r\n#include <sys\/wait.h>\r\n#include <stdio.h>\r\n#include <sched.h>\r\n#include <signal.h>\r\n#include <unistd.h>\r\n\r\n\/* \u5b9a\u4e49\u4e00\u4e2a\u7ed9 clone \u7528\u7684\u6808\uff0c\u6808\u5927\u5c0f1M *\/\r\n#define STACK_SIZE (1024 * 1024) \r\nstatic char container_stack[STACK_SIZE];\r\n\r\nchar* const container_args[] = {\r\n \"\/bin\/bash\",\r\n NULL\r\n};\r\n\r\n\/* \u4e0euts\u6709\u5173\u7684\u4ee3\u7801:\u6b64\u5904\u53ea\u6f14\u793a\u4e3b\u673a\u540d\u7684\u9694\u79bb *\/\r\nint container_main(void* arg) \r\n{ \r\n printf(\"Container - inside the container!\\n\"); \r\n sethostname(\"container\",10); \/* \u8bbe\u7f6ehostname *\/ \r\n execv(container_args[0], container_args); \r\n printf(\"Something's wrong!\\n\"); \r\n return 1; \r\n} \r\n\r\nint main() \r\n{ \r\n printf(\"Parent - start a container!\\n\"); \r\n int container_pid = clone(container_main, container_stack+STACK_SIZE, \r\n CLONE_NEWUTS | SIGCHLD, NULL); \/*\u542f\u7528CLONE_NEWUTS Namespace\u9694\u79bb *\/ \r\n waitpid(container_pid, NULL, 0); \r\n printf(\"Parent - container stopped!\\n\"); \r\n return 0; \r\n} <\/code><\/pre>\n\u6d4b\u8bd5\u5f00\u8f9f\u4e00\u4e2a\u65b0\u7684UTS\u540d\u79f0\u7a7a\u95f4\/\u5bb9\u5668container\uff0c\u9a8c\u8bc1\u4e3b\u673a\u540d\u7684\u9694\u79bb\u6027:<\/strong><\/p>\n[egon@www ~]$ gcc -o uts uts.c #\u7f16\u8bd1utc.c\u5f97\u5230\u53ef\u6267\u884c\u6587\u4ef6uts\r\n[egon@www ~]$ sudo .\/uts #\u9700\u8981root\u6743\u9650\u624d\u80fd\u5f00\u8f9f\u65b0\u7684container\r\nParent - start a container!\r\nContainer - inside the container!\r\n[root@container egon]# #\u8fdb\u5165\u4e00\u4e2a\u9694\u79bb\u7684\u7a7a\u95f4\uff0c\u5373\u4e00\u4e2acontainer\r\n[root@container egon]# hostname #\u67e5\u770b\u8be5\u7a7a\u95f4\u4e0b\u7684\u4e3b\u673a\u540d\r\ncontainer\r\n[root@container egon]# exit #\u9000\u51fa\u8be5container\r\nexit\r\nParent - container stopped!\r\n[egon@www ~]$ hostname #\u67e5\u770b\u6700\u521d\u7684\u7a7a\u95f4\u4e0b\u7684\u4e3b\u673a\u540d\r\nwww.egon.org #\u53d1\u73b0\u786e\u5b9e\u4e0e\u521a\u521a\u6211\u4eec\u5f00\u8f9f\u7684container\u662f\u4e0d\u540c\u7684\u4e3b\u673a\u540d\uff0c\u9a8c\u8bc1\u4e86\u9694\u79bb\u6027\r\n[egon@www ~]$ <\/code><\/pre>\n2.2 IPC\u547d\u540d\u7a7a\u95f4\uff08\u7cfb\u7edf\u8c03\u7528CLONE_NEWIPC\uff09<\/h2>\n
IPC\u5168\u79f0 Inter-Process Communication\uff0c\u662fUnix\/Linux\u4e0b\u8fdb\u7a0b\u95f4\u901a\u4fe1\u7684\u4e00\u79cd\u65b9\u5f0f\uff0cIPC\u6709\u5171\u4eab\u5185\u5b58\u3001\u4fe1\u53f7\u91cf\u3001\u6d88\u606f\u961f\u5217\u7b49\u65b9\u6cd5\u3002\u6240\u4ee5\uff0c\u4e3a\u4e86\u9694\u79bb\uff0c\u6211\u4eec\u4e5f\u9700\u8981\u628aIPC\u7ed9\u9694\u79bb\u5f00\u6765\uff0c\u8fd9\u6837\uff0c\u53ea\u6709\u5728\u540c\u4e00\u4e2aNamespace\u4e0b\u7684\u8fdb\u7a0b\u624d\u80fd\u76f8\u4e92\u901a\u4fe1\u3002\u5982\u679c\u4f60\u719f\u6089IPC\u7684\u539f\u7406\u7684\u8bdd\uff0c\u4f60\u4f1a\u77e5\u9053\uff0cIPC\u9700\u8981\u6709\u4e00\u4e2a\u5168\u5c40\u7684ID\uff0c\u5373\u7136\u662f\u5168\u5c40\u7684\uff0c\u90a3\u4e48\u5c31\u610f\u5473\u7740\u6211\u4eec\u7684Namespace\u9700\u8981\u5bf9\u8fd9\u4e2aID\u9694\u79bb\uff0c\u4e0d\u80fd\u8ba9\u522b\u7684Namespace\u7684\u8fdb\u7a0b\u770b\u5230\u3002<\/p>\n
\u6587\u4ef6\u540d\uff1aipc.c<\/strong><\/p>\n\u8981\u542f\u52a8IPC\u9694\u79bb\uff0c\u6211\u4eec\u53ea\u9700\u8981\u5728\u8c03\u7528clone\u65f6\u52a0\u4e0aCLONE_NEWIPC\u53c2\u6570\u5c31\u53ef\u4ee5\u4e86\uff08\u89c1\u4e0b\u8ff0\u4ee3\u7801\u6807\u7ea2\u7684\u5730\u65b9<\/strong>\uff09<\/p>\n#define _GNU_SOURCE \r\n#include <sys\/types.h>\r\n#include <sys\/wait.h>\r\n#include <stdio.h>\r\n#include <sched.h>\r\n#include <signal.h>\r\n#include <unistd.h>\r\n\r\n\/* \u5b9a\u4e49\u4e00\u4e2a\u7ed9 clone \u7528\u7684\u6808\uff0c\u6808\u5927\u5c0f1M *\/\r\n#define STACK_SIZE (1024 * 1024) \r\nstatic char container_stack[STACK_SIZE];\r\n\r\nchar* const container_args[] = {\r\n \"\/bin\/bash\",\r\n NULL\r\n};\r\n\r\n\/* \u4e0euts\u6709\u5173\u7684\u4ee3\u7801:\u6b64\u5904\u53ea\u6f14\u793a\u4e3b\u673a\u540d\u7684\u9694\u79bb *\/\r\nint container_main(void* arg) \r\n{ \r\n printf(\"Container - inside the container!\\n\"); \r\n sethostname(\"container\",10); \/* \u8bbe\u7f6ehostname *\/ \r\n execv(container_args[0], container_args); \r\n printf(\"Something's wrong!\\n\"); \r\n return 1; \r\n} \r\n\r\nint main() \r\n{ \r\n printf(\"Parent - start a container!\\n\"); \r\n int container_pid = clone(container_main, container_stack+STACK_SIZE, \r\n CLONE_NEWUTS | CLONE_NEWIPC | SIGCHLD, NULL); \/*\u65b0\u589eCLONE_NEWIPC\u5c31\u53ef\u4ee5\u4e86 *\/ \r\n waitpid(container_pid, NULL, 0); \r\n printf(\"Parent - container stopped!\\n\"); \r\n return 0; \r\n} <\/code><\/pre>\n\u9884\u5907\u9636\u6bb5\uff08\u5728\u5168\u5c40\u65b0\u5efaIPC\u961f\u5217\uff09\uff1a<\/strong><\/p>\n\u9996\u5148\uff0c\u6211\u4eec\u5148\u521b\u5efa\u4e00\u4e2aIPC\u7684Queue(\u5982\u4e0b\u6240\u793a\uff0c\u5168\u5c40\u7684Queue ID\u662f0)<\/p>\n
ipcmk\u521b\u5efa\u961f\u5217<\/p>\n
ipcrm\u5220\u9664\u961f\u5217<\/p>\n
ipcs\u67e5\u770b\u961f\u5217<\/p>\n
[egon@www ~]$ ipcs -q #\u67e5\u770b\u961f\u5217\r\n\r\n------ Message Queues --------\r\nkey msqid owner perms used-bytes messages \r\n[egon@www ~]$ ipcmk -Q #\u5728\u5168\u5c40\u521b\u5efa\u4e00\u4e2aipc\u7684\u961f\u5217\uff0c\u961f\u5217id\u4e3a0\r\nMessage queue id: 0\r\n[egon@www ~]$ ipcs -q #\u67e5\u770b\u521a\u521a\u65b0\u5efa\u7684\u5168\u5c40\u7684\u961f\u5217\u7684\u4fe1\u606f\r\n\r\n------ Message Queues --------\r\nkey msqid owner perms used-bytes messages \r\n0x0c076dce 0 egon 644 0 0 <\/code><\/pre>\n\u6211\u4eec\u6682\u4e14\u4e0d\u8fd0\u884c\u7f16\u8bd1\u7684CLONE_NEWIPC\u7684\u7a0b\u5e8fipc\uff0c\u8ba9\u6211\u4eec\u5148\u8fd0\u884c\u4e4b\u524d\u7f16\u8bd1\u7684uts\uff0c\u53d1\u73b0\u5728\u5b50\u8fdb\u7a0b\u4e2d\u8fd8\u662f\u80fd\u770b\u5230\u8fd9\u4e2a\u5168\u5c40\u7684IPC Queue\u3002<\/p>\n
[egon@www ~]$ ipcs -q #\u67e5\u770b\u5168\u5c40\u7684\u961f\u5217\r\n\r\n------ Message Queues --------\r\nkey msqid owner perms used-bytes messages \r\n0x0c076dce 0 egon 644 0 0 \r\n\r\n[egon@www ~]$ sudo .\/uts #\u8fdb\u5165\u65b0\u7684uts\u5bb9\u5668\r\nParent - start a container!\r\nContainer - inside the container!\r\n[root@container egon]# ipcs -q #\u5728uts\u5bb9\u5668\u4e0b\u53d1\u73b0\u4ecd\u7136\u80fd\u770b\u5230\u5168\u5c40\u7684IPC\u961f\u5217\uff0c\u8bc1\u660e\u6b64\u65f6\u6ca1\u6709\u5b9e\u73b0IPC\u9694\u79bb\r\n\r\n------ Message Queues --------\r\nkey msqid owner perms used-bytes messages \r\n0x0c076dce 0 egon 644 0 0 \r\n\r\n[root@container egon]# exit #\u9000\u51fauts\u5bb9\u5668\r\nexit\r\nParent - container stopped!\r\n[egon@www ~]$ <\/code><\/pre>\n\u6d4b\u8bd5\u5f00\u8f9f\u4e00\u4e2a\u65b0\u7684IPC\u540d\u79f0\u7a7a\u95f4\/\u5bb9\u5668container\uff0c\u9a8c\u8bc1IPC\u7684\u9694\u79bb\u6027:<\/strong><\/p>\n[egon@www ~]$ gcc -o ipc ipc.c #\u7f16\u8bd1\r\n[egon@www ~]$ ipcs -q #\u5728\u5168\u5c40\u67e5\u770bipc\u961f\u5217\uff0c\u80af\u5b9a\u53ef\u4ee5\u770b\u5230\r\n\r\n------ Message Queues --------\r\nkey msqid owner perms used-bytes messages \r\n0x0c076dce 0 egon 644 0 0 \r\n\r\n[egon@www ~]$ sudo .\/ipc #\u8fdb\u5165ipc\u5bb9\u5668\r\nParent - start a container!\r\nContainer - inside the container!\r\n[root@container egon]# ipcs -q #\u5728\u5bb9\u5668\u5185\u67e5\u770bipc\u961f\u5217\uff0c\u53d1\u73b0\u67e5\u770b\u4e0d\u5230\u5168\u5c40\u7684ipc\u961f\u5217\uff0c\u81ea\u5df1\u8fd9\u91cc\u7684ipc\u961f\u5217\u4e3a\u7a7a\uff0c\u9a8c\u8bc1\u4e86ipc\u7684\u9694\u79bb\u6027\r\n #\u540c\u7406\u5982\u679c\u5728\u8be5\u5bb9\u5668\u5185\u7528ipcmk -Q\u521b\u5efa\u7684\u961f\u5217\uff0c\u5728\u5168\u5c40\u4e5f\u65e0\u6cd5\u770b\u5230\uff0c\u8bfb\u8005\u53ef\u4ee5\u81ea\u884c\u6d4b\u8bd5\r\n------ Message Queues --------\r\nkey msqid owner perms used-bytes messages \r\n\r\n[root@container egon]# exit\r\nexit\r\nParent - container stopped!\r\n[egon@www ~]$ <\/code><\/pre>\n2.3 PID\u547d\u540d\u7a7a\u95f4\uff08\u7cfb\u7edf\u8c03\u7528CLONE_NEWPID\uff09<\/h2>\n
\u7a7a\u95f4\u5185\u7684PID \u662f\u72ec\u7acb\u5206\u914d\u7684\uff0c\u610f\u601d\u5c31\u662f\u547d\u540d\u7a7a\u95f4\u5185\u7684\u865a\u62df PID \u53ef\u80fd\u4f1a\u4e0e\u547d\u540d\u7a7a\u95f4\u5916\u7684 PID \u76f8\u51b2\u7a81\uff0c\u4e8e\u662f\u547d\u540d\u7a7a\u95f4\u5185\u7684 PID \u6620\u5c04\u5230\u547d\u540d\u7a7a\u95f4\u5916\u65f6\u4f1a\u4f7f\u7528\u53e6\u5916\u4e00\u4e2a PID\u3002\u6bd4\u5982\u8bf4\uff0c\u547d\u540d\u7a7a\u95f4\u5185\u7b2c\u4e00\u4e2a PID \u4e3a1\uff0c\u800c\u5728\u547d\u540d\u7a7a\u95f4\u5916\u5c31\u662f\u8be5 PID \u5df2\u88ab init \u8fdb\u7a0b\u6240\u4f7f\u7528\u3002<\/p>\n
\u6587\u4ef6\u540d\uff1apid.c<\/strong><\/p>\n\u57fa\u4e8eipc.c\u4fee\u6539\u800c\u6765\uff0c\u89c1\u6807\u7ea2\u90e8\u5206\uff0c\u5176\u4e2d\u53ea\u9700\u65b0\u589eCLONE_NEWPID\u5c31\u5b8c\u5168\u53ef\u5b9e\u73b0PID\u7684\u9694\u79bb,\u800c\u6b64\u5904\u6211\u4eec\u5373\u52a0\u4e86CLONE_NEWUTS\u53c8\u52a0\u4e86CLONE_NEWIPC,\u968f\u540e\u624d\u6dfb\u52a0\u4e86CLONE_NEWPID,\u4ee3\u8868\u7684\u610f\u601d\u662f\uff1a\u5728UTS\u548cIPC\u9694\u79bb\u7684\u57fa\u7840\u4e4b\u4e0a\u518d\u8fdb\u884cPID\u7684\u9694\u79bb\uff0c\u6b64\u65f6\u7684\u5bb9\u5668\u5df2\u7ecf\u8d8a\u6765\u8d8a\u63a5\u8fd1\u4e8e\u5728linux\u64cd\u4f5c\u7cfb\u7edf\u4e0a\u65b0\u5efa\u4e00\u4e2a\u9694\u79bb\u7684\u64cd\u4f5c\u7cfb\u7edf\u4e86\u3002<\/p>\n
#define _GNU_SOURCE \r\n#include <sys\/types.h>\r\n#include <sys\/wait.h>\r\n#include <stdio.h>\r\n#include <sched.h>\r\n#include <signal.h>\r\n#include <unistd.h>\r\n\r\n\/* \u5b9a\u4e49\u4e00\u4e2a\u7ed9 clone \u7528\u7684\u6808\uff0c\u6808\u5927\u5c0f1M *\/\r\n#define STACK_SIZE (1024 * 1024) \r\nstatic char container_stack[STACK_SIZE];\r\n\r\nchar* const container_args[] = {\r\n \"\/bin\/bash\",\r\n NULL\r\n};\r\n\r\nint container_main(void* arg) \r\n{ \r\n printf(\"Container [%5d] - inside the container!\\n\",getpid()); \/* \u6b64\u5904\u7684getpid()\u662f\u4e3a\u4e86\u83b7\u53d6\u5bb9\u5668\u7684\u521d\u59cb\u8fdb\u7a0b(init)\u7684pid *\/\r\n sethostname(\"container\",10); \/* \u8bbe\u7f6ehostname *\/ \r\n execv(container_args[0], container_args); \r\n printf(\"Something's wrong!\\n\"); \r\n return 1; \r\n} \r\n\r\nint main() \r\n{ \r\n printf(\"Parent [%5d] - start a container!\\n\",getpid()); \/* \u6b64\u5904\u7684getpid()\u5219\u662f\u4e3a\u4e86\u83b7\u53d6\u7236\u8fdb\u7a0b\u7684pid *\/ \r\n int container_pid = clone(container_main, container_stack+STACK_SIZE, \r\n CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWPID | SIGCHLD, NULL); \/*\u65b0\u589eCLONE_NEWPID\u5373\u53ef,\u6b64\u5904\u4ee3\u8868\u5728UTS\u548cIPC\u9694\u79bb\u7684\u57fa\u7840\u4e4b\u4e0a\u518d\u8fdb\u884cPID\u7684\u9694\u79bb\uff0c\u5176\u5b9e\u6211\u4eec\u5b8c\u5168\u53ef\u4ee5\u53ea\u52a0CLONE_NEWPID\u81ea\u5df1:\u8fd9\u6837\u7684\u8bdd\u5c31\u53ea\u4ee3\u8868\u9694\u79bbPID\u4e86 *\/ \r\n waitpid(container_pid, NULL, 0); \r\n printf(\"Parent - container stopped!\\n\"); \r\n return 0; \r\n}<\/code><\/pre>\n\u6d4b\u8bd5\u5f00\u8f9f\u4e00\u4e2a\u65b0\u7684PID\u540d\u79f0\u7a7a\u95f4\/\u5bb9\u5668container\uff0c\u9a8c\u8bc1PID\u7684\u9694\u79bb\u6027:<\/strong><\/p>\n[egon@www ~]$ gcc -o pid pid.c #\u7f16\u8bd1\r\n[egon@www ~]$ sudo .\/pid #\u8fdb\u5165\u4e00\u4e2a\u65b0\u7684\u5bb9\u5668\r\nParent [ 4520] - start a container!\r\nContainer [ 1] - inside the container!\r\n[root@container egon]# echo $$ #\u67e5\u770b\u8be5\u5bb9\u5668\u7684\u521d\u59cb\u7a0b\u5e8f\uff08init\uff09ID\u4e3a1\uff0c\u800c\u5168\u5c40\u7684init\u7a0b\u5e8f\u7684ID\u4e5f\u4e3a1\uff0c\u8bc1\u660e\u4e86\u4e8c\u8005\u7684\u9694\u79bb\u6027\r\n1\r\n[root@container egon]# hostname #\u56e0\u4e3a\u6211\u4eec\u5728pid.c\u6587\u4ef6\u4e2d\u52a0\u5165\u4e86CLONE_NEWUTS,\u6240\u4ee5\u6b64\u65f6\u7684\u4e3b\u673a\u540d\u4e5f\u662f\u9694\u79bb\u7684\uff0c\u770b\u5230\u7684\u662f\u81ea\u5df1\u7684\u4e3b\u673a\u540d\r\ncontainer\r\n[root@container egon]# ipcs -q #\u56e0\u4e3a\u6211\u4eec\u5728pid.c\u6587\u4ef6\u4e2d\u4e5f\u52a0\u5165\u4e86CLONE_NEWIPC\uff0c\u6240\u4ee5\u6b64\u65f6\u7684IPC\u4e5f\u662f\u9694\u79bb\u7684\uff0c\u770b\u4e0d\u5230\u5168\u5c40\u65b0\u5efa\u7684\u90a3\u4e2aIPC\u961f\u5217\r\n\r\n------ Message Queues --------\r\nkey msqid owner perms used-bytes messages <\/code><\/pre>\nps\uff1acentos7\u4e4b\u540e\u4f7f\u7528systemd\u4ee3\u66ffinit\uff0c\u6b64\u5904\u6211\u4eec\u8bf4\u7684\u521d\u59cb\u7a0b\u5e8f\u6307\u7684\u5c31\u662f\u8fd9\u4e8c\u8005\uff0c\u662f\u4e00\u4e2a\u610f\u601d<\/p>\n
![\"\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n
\u8bf4\u660e<\/strong>\uff1a\u5728\u4f20\u7edf\u7684UNIX\u7cfb\u7edf\u4e2d\uff0cPID\u4e3a1\u7684\u8fdb\u7a0b\u662finit\uff0c\u5730\u4f4d\u975e\u5e38\u7279\u6b8a\u3002\u4ed6\u4f5c\u4e3a\u6240\u6709\u8fdb\u7a0b\u7684\u7236\u8fdb\u7a0b\uff0c\u6709\u5f88\u591a\u7279\u6743(\u6bd4\u5982\uff1a\u5c4f\u853d\u4fe1\u53f7\u7b49)\uff0c\u53e6\u5916\uff0c\u5176\u8fd8\u4f1a\u4e3a\u68c0\u67e5\u6240\u6709\u8fdb\u7a0b\u7684\u72b6\u6001\uff0c\u6211\u4eec\u77e5\u9053\uff0c\u5982\u679c\u67d0\u4e2a\u5b50\u8fdb\u7a0b\u8131\u79bb\u4e86\u7236\u8fdb\u7a0b(\u7236\u8fdb\u7a0b\u6ca1\u6709wait\u5b83)\uff0c\u90a3\u4e48init\u5c31\u4f1a\u8d1f\u8d23\u56de\u6536\u8d44\u6e90\u5e76\u7ed3\u675f\u8fd9\u4e2a\u5b50\u8fdb\u7a0b\u3002\u6240\u4ee5\uff0c\u8981\u505a\u5230\u8fdb\u7a0b\u7a7a\u95f4\u7684\u9694\u79bb\uff0c\u9996\u5148\u8981\u521b\u5efa\u51faPID\u4e3a1\u7684\u8fdb\u7a0b\uff0c\u6700\u597d\u5c31\u50cfchroot\u90a3\u6837\uff0c\u628a\u5b50\u8fdb\u7a0b\u7684PID\u5728\u5bb9\u5668\u5185\u53d8\u62101\u3002<\/p>\n\u4f46\u662f\uff0c\u6211\u4eec\u4f1a\u53d1\u73b0\uff0c\u5728\u5b50\u8fdb\u7a0b\u7684shell\u91cc\u8f93\u5165ps,top\u7b49\u547d\u4ee4\uff0c\u6211\u4eec\u8fd8\u662f\u53ef\u4ee5\u770b\u5f97\u5230\u6240\u6709\u8fdb\u7a0b\u3002\u8bf4\u660e\u5e76\u6ca1\u6709\u5b8c\u5168\u9694\u79bb\u3002\u8fd9\u662f\u56e0\u4e3a\uff0c\u50cfps, top\u8fd9\u4e9b\u547d\u4ee4\u4f1a\u53bb\u8bfb\/proc\u6587\u4ef6\u7cfb\u7edf\uff0c\u6240\u4ee5\uff0c\u56e0\u4e3a\/proc\u6587\u4ef6\u7cfb\u7edf\u5728\u7236\u8fdb\u7a0b\u548c\u5b50\u8fdb\u7a0b\u90fd\u662f\u4e00\u6837\u7684\uff0c\u6240\u4ee5\u8fd9\u4e9b\u547d\u4ee4\u663e\u793a\u7684\u4e1c\u897f\u90fd\u662f\u4e00\u6837\u7684\u3002<\/span><\/p>\n\u6240\u4ee5\uff0c\u6211\u4eec\u8fd8\u9700\u8981\u5bf9\u6587\u4ef6\u7cfb\u7edf\u8fdb\u884c\u9694\u79bb\uff0c\u8fd9\u5c31\u9700\u8981\u7528\u5230mount\u547d\u540d\u7a7a\u95f4\u4e86<\/p>\n
2.4 Mount\u547d\u540d\u7a7a\u95f4\uff08\u7cfb\u7edf\u8c03\u7528CLONE_NEWNS\uff09<\/h2>\n
\u8fdb\u7a0b\u8fd0\u884c\u65f6\u53ef\u4ee5\u5c06\u6302\u8f7d\u70b9\u4e0e\u7cfb\u7edf\u5206\u79bb\uff0c\u4f7f\u7528\u8fd9\u4e2a\u529f\u80fd\u65f6\uff0c\u6211\u4eec\u53ef\u4ee5\u8fbe\u5230 chroot \u7684\u529f\u80fd\uff0c\u800c\u5728\u5b89\u5168\u6027\u65b9\u9762\u6bd4 chroot \u66f4\u9ad8\u3002<\/p>\n
\u6587\u4ef6\u540d\uff1afs.c<\/strong><\/p>\n#define _GNU_SOURCE \r\n#include <sys\/types.h>\r\n#include <sys\/wait.h>\r\n#include <stdio.h>\r\n#include <sched.h>\r\n#include <signal.h>\r\n#include <unistd.h>\r\n\r\n\/* \u5b9a\u4e49\u4e00\u4e2a\u7ed9 clone \u7528\u7684\u6808\uff0c\u6808\u5927\u5c0f1M *\/\r\n#define STACK_SIZE (1024 * 1024) \r\nstatic char container_stack[STACK_SIZE];\r\n\r\nchar* const container_args[] = {\r\n \"\/bin\/bash\",\r\n NULL\r\n};\r\n\r\nint container_main(void* arg) \r\n{ \r\n printf(\"Container [%5d] - inside the container!\\n\", getpid()); \r\n sethostname(\"container\",10); \r\n \/* \u91cd\u65b0mount proc\u6587\u4ef6\u7cfb\u7edf\u5230 \/proc\u4e0b *\/ \r\n system(\"mount -t proc proc \/proc\"); \r\n execv(container_args[0], container_args); \r\n printf(\"Something's wrong!\\n\"); \r\n return 1; \r\n} \r\n\r\nint main() \r\n{ \r\n printf(\"Parent [%5d] - start a container!\\n\", getpid()); \r\n \/* \u542f\u7528Mount Namespace - \u589e\u52a0CLONE_NEWNS\u53c2\u6570 *\/ \r\n int container_pid = clone(container_main, container_stack+STACK_SIZE, \r\n CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNS | SIGCHLD, NULL); \r\n waitpid(container_pid, NULL, 0); \r\n printf(\"Parent - container stopped!\\n\"); \r\n return 0; \r\n} <\/code><\/pre>\n\u6211\u4eec\u57fa\u4e8e\u4e0a\u6b21pid\u5bb9\u5668\uff0c\u5728\u6ca1\u6709mount\u9694\u79bb\u60c5\u51b5\u4e0b\u67e5\u770b\/proc\u3001ps aux\u3001top\u7b49\u4fe1\u606f<\/strong><\/p>\n[egon@www ~]$ sudo .\/pid\r\nParent [ 6231] - start a container!\r\nContainer [ 1] - inside the container!\r\n[root@container egon]# ls \/proc\/\r\n1 116 132 148 165 18 197 213 230 248 265 282 36 5005 57 63 73 83 938 diskstats locks sysrq-trigger\r\n10 117 133 149 166 180 198 214 231 249 266 283 37 51 58 64 731 84 94 dma mdstat sysvipc\r\n100 118 134 15 167 181 199 215 232 25 267 284 38 514 59 640 74 841 95 driver meminfo timer_list\r\n101 119 135 150 168 182 2 216 233 250 268 285 39 515 5939 641 745 85 957 execdomains misc timer_stats\r\n102 12 136 151 169 183 20 217 234 251 2682 29 3944 517 60 642 75 86 96 fb modules tty\r\n103 120 137 152 17 184 200 218 235 252 2684 293 3946 52 6047 643 76 863 960 filesystems mounts uptime\r\n104 121 138 153 170 185 201 219 236 253 269 294 3982 520 6048 644 77 864 97 fs mpt version\r\n105 122 139 154 171 186 202 22 237 254 27 295 40 53 6052 645 78 87 98 interrupts mtrr vmallocinfo\r\n106 123 14 155 172 187 203 220 238 255 270 296 41 532 6053 646 780 871 99 iomem net vmstat\r\n......\u7701\u7565n\u884c \r\n[root@container egon]# ps aux\r\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\r\nroot 1 0.0 0.6 44000 6548 ? Ss 10:24 0:02 \/usr\/lib\/systemd\/systemd --switched-root --system --deserialize 21\r\nroot 2 0.0 0.0 0 0 ? S 10:24 0:00 [kthreadd]\r\nroot 3 0.0 0.0 0 0 ? S 10:24 0:00 [ksoftirqd\/0]\r\nroot 5 0.0 0.0 0 0 ? S< 10:24 0:00 [kworker\/0:0H]\r\nroot 7 0.0 0.0 0 0 ? S 10:24 0:00 [migration\/0]\r\nroot 8 0.0 0.0 0 0 ? S 10:24 0:00 [rcu_bh]\r\nroot 9 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/0]\r\nroot 10 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/1]\r\nroot 11 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/2]\r\nroot 12 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/3]\r\nroot 13 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/4]\r\nroot 14 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/5]\r\nroot 15 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/6]\r\nroot 16 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/7]\r\nroot 17 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/8]\r\nroot 18 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/9]\r\nroot 19 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/10]\r\nroot 20 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/11]\r\nroot 21 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/12]\r\nroot 22 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/13]\r\nroot 23 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/14]\r\nroot 24 0.0 0.0 0 0 ? S 10:24 0:00 [rcuob\/15]\r\n......\u7701\u7565n\u884c<\/code><\/pre>\n\u521d\u6b21\u4e4b\u5916\u8fd8\u6709top\u547d\u4ee4\u8fd0\u884c\u7684\u622a\u56fe<\/p>\n
<\/div><\/p>\n
\u6d4b\u8bd5\u5f00\u8f9f\u4e00\u4e2a\u65b0\u7684MOUNT\u540d\u79f0\u7a7a\u95f4\/\u5bb9\u5668container\uff0c\u9a8c\u8bc1MOUNT\u7684\u9694\u79bb\u6027:<\/strong><\/p>\n[egon@www ~]$ gcc -o fs fs.c #\u7f16\u8bd1\r\n[egon@www ~]$ sudo .\/fs #\u8fdb\u5165mount\u5bb9\u5668\r\nParent [ 6554] - start a container!\r\nContainer [ 1] - inside the container!\r\n[root@container egon]# #\u6b64\u5904\u4fbf\u662f\u65b0\u7684\u5bb9\u5668\u4e86\r\n[root@container egon]# ls \/proc\/ #\u6d4f\u89c8\/proc\u5185\u5bb9\uff0c\u53d1\u73b0\u5c11\u4e86\u597d\u591a\r\n1 bus crypto execdomains iomem keys loadavg modules pagetypeinfo slabinfo sysrq-trigger uptime\r\n13 cgroups devices fb ioports key-users locks mounts partitions softirqs sysvipc version\r\nacpi cmdline diskstats filesystems irq kmsg mdstat mpt sched_debug stat timer_list vmallocinfo\r\nasound consoles dma fs kallsyms kpagecount meminfo mtrr scsi swaps timer_stats vmstat\r\nbuddyinfo cpuinfo driver interrupts kcore kpageflags misc net self sys tty zoneinfo\r\n[root@container egon]# ps aux\u3000\uff03\u67e5\u770b\u8fdb\u7a0b\u4fe1\u606f\u53d1\u73b0\u53ea\u80fd\u4e24\u4e2a\u8fdb\u7a0b:\u4e00\u4e2a\u521d\u59cb\u8fdb\u7a0bid\u4e3a1,\u53e6\u5916\u4e00\u4e2a\u5c31\u7b97ps\u547d\u4ee4\u672c\u8eab\r\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\r\nroot 1 0.0 0.2 115384 2092 pts\/0 S 11:35 0:00 \/bin\/bash\r\nroot 14 0.0 0.1 139500 1632 pts\/0 R+ 11:35 0:00 ps aux<\/code><\/pre>\n\u9664\u6b64\u4e4b\u5916\u6267\u884ctop\u547d\u4ee4\uff0c\u53d1\u73b0\u5305\u62ectop\u547d\u4ee4\u672c\u8eab\uff0c\u4e5f\u662f\u53ea\u8981\u4e24\u4e2a\u8fdb\u7a0b<\/p>\n
<\/div><\/p>\n
\u9700\u8981\u5f3a\u8c03\u7684\u4e00\u70b9\u662f\uff1a\u5728\u901a\u8fc7CLONE_NEWNS\u521b\u5efamount namespace\u540e\uff0c\u7236\u8fdb\u7a0b\u4f1a\u628a\u81ea\u5df1\u7684\u6587\u4ef6\u7ed3\u6784\u590d\u5236\u7ed9\u5b50\u8fdb\u7a0b\u4e2d\u3002\u800c\u5b50\u8fdb\u7a0b\u4e2d\u65b0\u7684namespace\u4e2d\u7684\u6240\u6709mount\u64cd\u4f5c\u90fd\u53ea\u5f71\u54cd\u81ea\u8eab\u7684\u6587\u4ef6\u7cfb\u7edf\uff0c\u800c\u4e0d\u5bf9\u5916\u754c\u4ea7\u751f\u4efb\u4f55\u5f71\u54cd\u3002\u8fd9\u6837\u53ef\u4ee5\u505a\u5230\u6bd4\u8f83\u4e25\u683c\u5730\u9694\u79bb\u3002<\/p>\n
\u5e76\u4e14\u6211\u4eec\u5b8c\u5168\u53ef\u4ee5\u6839\u636e\u81ea\u5df1\u7684\u9700\u8981\u6765\u4e3a\u5bb9\u5668\u5b9a\u5236mount\u9009\u9879\u3002<\/p>\n
Docker\u7684 Mount Namespace<\/strong><\/p>\n\u4e0b\u9762\u5c31\u8ba9\u6211\u4eec\u6765\u6a21\u62df\u5236\u4f5c\u4e00\u4e2a\u955c\u50cf\uff0c\u6a21\u4effDocker\u7684Mount Namespace<\/p>\n
\u6b65\u9aa4\u4e00\uff1a<\/strong><\/p>\n\u5bf9\u4e8echroot\u6765\u8bf4\uff0cchroot \u76ee\u5f55\uff0c\u7136\u540e\u5207\u5165\u5230\u76ee\u5f55\u5bf9\u5e94\u7684\u540d\u79f0\u7a7a\u95f4\u4e0b\uff0c\u540c\u7406\uff0c\u6211\u4eec\u4e5f\u9700\u8981\u4e3a\u6211\u4eec\u7684mount namespace\u63d0\u4f9b\u4e00\u4e2a\u76ee\u5f55\uff08\u5373\u955c\u50cf\uff09\uff0c\u4e8e\u662f\u6211\u4eec\u5728\/home\/egon\u4e0b\u65b0\u5efa\u76ee\u5f55rootfs<\/p>
![\"\"](\"https:\/\/egonlin.com\/wp-content\/uploads\/2022\/08\/15.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/egonlin.com\/wp-content\/uploads\/2022\/08\/9.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/egonlin.com\/wp-content\/uploads\/2022\/08\/10.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/egonlin.com\/wp-content\/uploads\/2022\/08\/11.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/egonlin.com\/wp-content\/uploads\/2022\/08\/12.png\")
<\/div><\/p>\n