Ajinkya Singh

Posted on Oct 10

Mount Namespace Practice Guide

#container #go #linux #programming

🚀 I'm Building My Own Container Runtime!

This is part of a complete series where I'm building Conti - a container runtime from scratch. Check it out on GitHub!

About This Series:

I'm sharing everything I learn while building my own container runtime

Most concepts come from videos, documentation, and LLM-assisted learning (for educational purposes)

Focus: Understanding through practice - raw Linux commands and practical implementation

Important: When building your own container, DON'T copy code from sources - it kills the fun! Write it yourself, break things, debug, and learn.

Why Build Your Own?

Deep understanding of how containers really work

Master low-level Linux concepts

Learn by doing, not just reading

It's incredibly fun when things finally click!

🎯 Overview

Practice creating isolated filesystem views using mount namespaces with a simple bookstore/cafe scenario.

🔍 What is Pivot Root?

Pivot root changes the root filesystem (/) for a process and its children, providing complete filesystem isolation.

How It Works

BEFORE PIVOT ROOT:
┌─────────────────────────┐
│  System Root (/)        │
│  ├── home/              │
│  ├── var/               │
│  ├── bookstore/         │ ← Target directory
│  │   ├── books/         │
│  │   ├── checkout/      │
│  │   └── old_root/      │ (empty)
│  └── cafe/              │
└─────────────────────────┘

AFTER PIVOT ROOT (from bookstore):
┌─────────────────────────┐
│  New Root (/)           │
│  ├── books/             │ ← Bookstore content
│  ├── checkout/          │
│  └── old_root/          │ ← Old system root moved here
│      ├── home/          │
│      ├── var/           │
│      └── cafe/          │
└─────────────────────────┘

Key Requirements

✓ Target directory must be a mount point

✓ Needs a directory to move old root (e.g., old_root/)

✓ Must be run in a mount namespace (or as init process)

📋 Quick Setup Exercise

Scenario

Create two isolated environments:

Bookstore zone with its own resources
Cafe zone with its own resources

🚀 Practice Steps

1️⃣ Initial Setup

# Create directory structures
mkdir -p bookstore/{books,checkout,lounge,old_root}
mkdir -p cafe/{menu,kitchen,seating,old_root}

# Add sample files
echo "Fiction novels" > bookstore/books/inventory.txt
echo "Coffee menu" > cafe/menu/drinks.txt

2️⃣ Create First Namespace (Bookstore)

# Open terminal 1
sudo unshare -m -p --mount-proc /bin/bash

# Make it a mount point
sudo mount --bind bookstore bookstore

# Change root
cd bookstore
sudo pivot_root . old_root

# Verify isolation
ls /  # Should only show: books, checkout, lounge, old_root

3️⃣ Create Second Namespace (Cafe)

# Open terminal 2
sudo unshare -m -p --mount-proc /bin/bash

# Make it a mount point
sudo mount --bind cafe cafe

# Change root
cd cafe
sudo pivot_root . old_root

# Verify isolation
ls /  # Should only show: menu, kitchen, seating, old_root

4. Test Isolation

# In bookstore namespace
cd /
cat books/inventory.txt  # ✓ Works
cat menu/drinks.txt      # ✗ Doesn't exist

# In cafe namespace
cd /
cat menu/drinks.txt      # ✓ Works
cat books/inventory.txt  # ✗ Doesn't exist

Key Commands

Command	Purpose
`unshare -m -p --mount-proc /bin/bash`	Create isolated namespace
`mount --bind dir dir`	Make directory a mount point
`pivot_root . old_root`	Change root directory
`lsns -t mnt`	List mount namespaces

Quick Verification

# Check you're in a namespace
lsns -t mnt -t pid

# Verify mount point
df -a | grep bookstore

# Check current root
pwd  # Should show /

DEV Community