2

I'm having trouble figuring out how to create a new process namespace once I exit from the one created by unshare. So, for example, I have the following.

unshare -f --mount-proc --mount=/containers/1/ns/mnt --pid=/containers/1/ns/pid

And in another terminal, I enter this namespace.

nsenter --mount=/containers/1/ns/mnt --pid=/containers/1/ns/pid

Once I exit from the shell started by unshare, I can no longer re-enter.

nsenter: fork failed: Cannot allocate memory

I got the following idea from this medium post. But this will create a new process namespace each time, which isn't what I want.

nsenter --mount=/containers/1/ns/mnt unshare -f --mount-proc --pid

I can't get it to work with the pid file and don't understand what the problem is.

nsenter --mount=/containers/1/ns/mnt unshare -f --mount-proc --pid=/containers/1/ns/pid
unshare: cannot stat /proc/11379/ns/mnt: No such file or directory

I tried running nsenter from within the shell started by unshare, but I get the following.

nsenter: reassociate to namespace 'ns/mnt' failed: Invalid argument

Finally, I found a solution that I believe does what I want, but it's awkward and requires creating two processes since the first one is not in the right mount namespace.

# Terminal 1
unshare -f --mount-proc --pid=/containers/1/ns/pid
# Terminal 2
nsenter --mount=/containers/1/ns/mnt --pid=/containers/1/ns/pid unshare -f --mount-proc

I could start all over once I exit the original process namespace and re-run my script to set everything up in the mount namespace, but I would think there would be a way to do this without completely starting over each time.

Todd
  • 141

1 Answer

2

I finally came up with the following. The trick is that you have to sandwich entering the mount namespace in between entering the process namespace and mounting proc. The --mount-proc flag implies a new mount namespace, and apparently you can't enter an existing mount namespace once you've already created one with unshare. This is the reassociate error message.

# Terminal 1
unshare --pid=/containers/1/ns/pid -f nsenter --mount=/containers/1/ns/mnt unshare --mount-proc
# Terminal 2
nsenter --pid=/containers/1/ns/pid --mount=/containers/1/ns/mnt unshare --mount-proc

One disadvantage of doing it this way is that the shells in terminals 1 and 2 are now in separate mount namespaces, so even though they share existing mounts, any future changes in one will not be seen by the other. However, I've realized it doesn't make sense to do this anyway. Since the mount namespace doesn't persist through reboot, I may as well just re-run my scripts, rather than go to all this trouble.

Todd
  • 141
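A quick way to confirm the namespace layout the answer describes (same pid namespace, separate mount namespaces for the two shells) is to compare the namespace links under /proc/<pid>/ns/. This is an added helper, not code from the post; it assumes a Linux /proc and works unprivileged for processes you own.

```shell
#!/bin/sh
# Added example: compare the namespaces two processes live in by reading
# the /proc/<pid>/ns/<type> symlinks (e.g. "mnt:[4026531840]").
# Assumes Linux with /proc mounted; no root needed for your own processes.

# ns_id PID TYPE -> prints the namespace identity link for PID, or fails
ns_id() {
    readlink "/proc/$1/ns/$2"
}

# same_ns PID1 PID2 TYPE -> prints "same" or "different"; exit 0 if same,
# 1 if different, 2 if either namespace link could not be read
same_ns() {
    a=$(ns_id "$1" "$3") || return 2
    b=$(ns_id "$2" "$3") || return 2
    if [ "$a" = "$b" ]; then
        echo same
        return 0
    fi
    echo different
    return 1
}

# ns_report PID1 PID2 -> one line per namespace type the answer cares about
ns_report() {
    for t in pid mnt; do
        printf '%s: %s\n' "$t" "$(same_ns "$1" "$2" "$t")"
    done
}

# Usage from the host after running the answer's Terminal 1 / Terminal 2
# commands (replace the placeholder PIDs with each shell's `echo $$`):
#   ns_report SHELL1_PID SHELL2_PID
# The answer predicts "pid: same" and "mnt: different".
```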