I want to build a container that quarantines files, but I don't want to use chroot or pivot_root to isolate the root directory. Here's what I tried: [screenshot] The first parameter is the file directory I want to isolate, and the second parameter is my test code.
In the test code, I created a new folder under $1 and then slept for 600 seconds to give me enough time to operate. At that point I opened a new shell terminal and used nsenter -t [PID] -m /bin/bash. In the newly opened shell, I returned to the root directory, cd'd to the original directory, and found that the original directory was filled with a complete file system, as shown in the figure: [screenshot] I can't find the new folder in this directory either, which means that the --mount-proc parameter means the filesystem will be mounted here, and since the pid namespace is not started, all processes can be seen. While it's true that other processes can't see the activity in that directory, the activity in the namespace also seems difficult to do.
So, how do I isolate the namespace externally and perform file operations internally?
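The check implied by the question, namely whether a process really sits in its own mount namespace and which of its mounts are still shared with the host, as an added Python example that is not part of the original post; `SAMPLE_MOUNTINFO` is a constructed /proc/PID/mountinfo snapshot and the paths in it are assumed.

```python
"""Verify mount-namespace isolation from outside the namespace.
Added example (not from the question); reads /proc, no root needed."""
import os
from dataclasses import dataclass
from typing import List


@dataclass
class Mount:
    mount_point: str
    fs_type: str
    source: str
    propagation: str  # "shared", "slave" or "private"


def parse_mountinfo(text: str) -> List[Mount]:
    """Parse /proc/<pid>/mountinfo: 'id parent maj:min root mountpoint opts
    [optional fields...] - fstype source superopts'."""
    mounts = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_f, post_f = pre.split(), post.split()
        if not sep or len(pre_f) < 6 or len(post_f) < 2:
            continue  # blank or malformed line
        optional = pre_f[6:]  # e.g. "shared:1", "master:2"
        if any(o.startswith("shared:") for o in optional):
            prop = "shared"  # events propagate to the peer group (host side too)
        elif any(o.startswith("master:") for o in optional):
            prop = "slave"   # receives host events, does not send them back
        else:
            prop = "private"
        mount_point = pre_f[4].replace("\\040", " ")  # mountinfo escapes spaces
        mounts.append(Mount(mount_point, post_f[0], post_f[1], prop))
    return mounts


def leaky_mounts(mounts: List[Mount]) -> List[str]:
    """Mount points whose propagation is still shared: a bind mount made
    under them inside the namespace can reappear on the host."""
    return [m.mount_point for m in mounts if m.propagation == "shared"]


def same_mount_namespace(pid_a: int, pid_b: int) -> bool:
    """Two PIDs share a mount namespace iff their ns/mnt links match."""
    return os.readlink(f"/proc/{pid_a}/ns/mnt") == os.readlink(f"/proc/{pid_b}/ns/mnt")


# Constructed snapshot: root and a bind-mounted quarantine dir left shared,
# /proc mounted with private propagation (assumed paths, not from the post).
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
45 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
60 22 8:1 /srv/quarantine /srv/quarantine rw,relatime shared:1 - ext4 /dev/sda1 rw
"""
```

Run `leaky_mounts(parse_mountinfo(open(f"/proc/{pid}/mountinfo").read()))` against the sleeping test process's PID; an empty list means its mounts are private and cannot propagate back to the host.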