
I have read some tutorials on how to mount a volume in a container and run a script on the host/node directly. This is the example given.

DaemonSet pod spec

      hostPID: true
      nodeSelector:
        cloud.google.com/gke-local-ssd: "true"
      volumes:
      - name: setup-script
        configMap:
          name: local-ssds-setup
      - name: host-mount
        hostPath:
          path: /tmp/setup
      initContainers:
      - name: local-ssds-init
        image: marketplace.gcr.io/google/ubuntu1804
        securityContext:
          privileged: true
        volumeMounts:
        - name: setup-script
          mountPath: /tmp
        - name: host-mount
          mountPath: /host
        command:
          - /bin/bash
          - -c
          - |
            set -e
            set -x

            # Copy setup script to the host
            cp /tmp/setup.sh /host

            # Copy wait script to the host 
            cp /tmp/wait.sh /host

            # Give execute priv to wait script
            /usr/bin/nsenter -m/proc/1/ns/mnt -- chmod u+x /tmp/setup/wait.sh

            # Give execute priv to script
            /usr/bin/nsenter -m/proc/1/ns/mnt -- chmod u+x /tmp/setup/setup.sh

            # Wait for Node updates to complete
            /usr/bin/nsenter -m/proc/1/ns/mnt /tmp/setup/wait.sh

            # If the /tmp folder is mounted on the host then it can run the script
            /usr/bin/nsenter -m/proc/1/ns/mnt /tmp/setup/setup.sh
      containers:
      - image: "gcr.io/google-containers/pause:2.0"
        name: pause

(There is a ConfigMap that provides the .sh files. I just skip that.)

What does "/usr/bin/nsenter -m/proc/1/ns/mnt" mean? Is this a command to run something on the host? What is "/proc/1/ns/mnt"?

Steve

1 Answer


Let's start from the namespaces to understand this in detail:

Namespaces in containers help to isolate resources among processes. Namespaces control the resources from the kernel and allocate them to the process. This provides great isolation among the different containers that may run on a system.

Having said that, it also makes things complicated with these access restrictions to the namespaces. So comes the nsenter command, which will give the containers access to the namespaces, something similar to the sudo command. This command can give us access to mount, UTS, IPC, network, PID, user, cgroup, and time namespaces.

The -m in your example is --mount, which will give access to the mount namespace specified by that file.

Vineesh Vijayan
  • So what does this /proc/1/ns/mnt stand for? I tried to log in to my container and look at this path. I have no idea what it is. What's the point of mounting it? – Steve Mar 24 '22 at 03:42
  • It is not to mount, but to get access to the namespace of that particular process. PID 1 is allocated to the very first process that starts when you start your OS. Each process has a /proc/[pid]/ns/ subdirectory containing one entry for each namespace. ns stands for namespace. /proc/[pid]/ns/mnt is a handle for the mount namespace of the process. Hope this is clear – Vineesh Vijayan Mar 24 '22 at 04:38
  • Refer: https://man7.org/linux/man-pages/man1/nsenter.1.html and https://man7.org/linux/man-pages/man7/namespaces.7.html – Vineesh Vijayan Mar 24 '22 at 04:40
  • OK. So in short, this command, /usr/bin/nsenter -m/proc/1/ns/mnt /tmp/setup/setup.sh, can allow us to run setup.sh on the node/host instead of inside the container? – Steve Mar 24 '22 at 07:56
  • Yes, to run the process in the same isolation context as the process with that PID – Vineesh Vijayan Mar 24 '22 at 08:22
  • So is there any trick done behind the scenes so that we can run a command in a container which actually affects the host? I assume by default things in a container should be isolated from the host? – Steve Mar 24 '22 at 16:17
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/243295/discussion-between-steve-and-vineesh-vijayan). – Steve Mar 24 '22 at 16:35
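An added example, not part of the question or answer above: a small audit function that flags the settings which together let the DaemonSet's init container act on the node (hostPID, a privileged container, a hostPath volume, and a command that runs nsenter against /proc/1/ns/*). SAMPLE_SPEC is a constructed Python dict mirroring the question's YAML, so no YAML parser is needed; the function and helper names are my own.

```python
# Added example (not from the question or answer): audit a pod spec for the
# settings that let a container act on the node, as the DaemonSet above does.
# SAMPLE_SPEC is a constructed dict mirroring the question's YAML (no YAML
# parser needed); pass the dict from yaml.safe_load() for a real spec.

def audit_pod_spec(spec):
    """Return findings describing node-escape capabilities in a pod spec."""
    findings = []
    if spec.get("hostPID"):
        findings.append("hostPID: true exposes the node's PID 1 and /proc/1/ns/* to the pod")
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp:
            findings.append(f"volume {vol['name']!r} is a hostPath to {hp.get('path')!r}")
    for section in ("initContainers", "containers"):
        for c in spec.get(section, []):
            name = f"{section}/{c['name']}"
            if (c.get("securityContext") or {}).get("privileged"):
                findings.append(f"{name} runs privileged (can nsenter other namespaces)")
            cmd = " ".join(c.get("command", []) + c.get("args", []))
            if "nsenter" in cmd and "/proc/1/ns/" in cmd:
                findings.append(f"{name} enters a namespace of PID 1 via nsenter")
    return findings

def reaches_node(spec):
    """True when hostPID and a privileged container combine: a command run via
    nsenter -m/proc/1/ns/mnt then executes in the node's mount namespace."""
    f = audit_pod_spec(spec)
    return any("hostPID" in x for x in f) and any("privileged" in x for x in f)

SAMPLE_SPEC = {  # constructed copy of the DaemonSet pod spec in the question
    "hostPID": True,
    "volumes": [
        {"name": "setup-script", "configMap": {"name": "local-ssds-setup"}},
        {"name": "host-mount", "hostPath": {"path": "/tmp/setup"}},
    ],
    "initContainers": [{
        "name": "local-ssds-init",
        "securityContext": {"privileged": True},
        "command": ["/bin/bash", "-c",
                    "/usr/bin/nsenter -m/proc/1/ns/mnt /tmp/setup/setup.sh"],
    }],
    "containers": [{"name": "pause", "image": "gcr.io/google-containers/pause:2.0"}],
}

if __name__ == "__main__":
    for line in audit_pod_spec(SAMPLE_SPEC):
        print("-", line)
    print("can act on node:", reaches_node(SAMPLE_SPEC))
```

The same check applied to an ordinary workload (no hostPID, no privileged container, no hostPath) returns an empty list, which is what an admission policy or CI lint should expect for most pods.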