A small library to enable Go programs to join a new mount namespace, designed to help get the Kubernetes control plane (kubelet and the container runtime) into a separate mount namespace.

There are benefits to hiding all of Kubernetes' mount points from the host OS, including cleanliness, safety from inspection, and reducing the load on system processes like systemd that may need to interact with every mount in the default namespace.
Include this library in your `main.go`:

```go
import "github.com/containers/kubensmnt"
```
This will cause a C constructor function to run before the Go runtime fully initializes, which will do the following:

- If `$KUBENSMNT` is not set in the environment, do nothing.
- If `$KUBENSMNT` is set in the environment, and it points at a valid path that is a bind-mount to a mount namespace, join that mount namespace.
- If there is an error finding the bind-mount path or joining the namespace, the error is recorded and can be retrieved via the `Status` call.
Inside the Go code, you can then check what happened during init and take action accordingly:

```go
package main

import (
	"fmt"

	"github.com/containers/kubensmnt"
)

func main() {
	// Status reports the path that was joined (empty if $KUBENSMNT was unset)
	// and any error recorded by the C constructor during init.
	path, err := kubensmnt.Status()
	if err != nil {
		panic(err)
	}
	if path == "" {
		fmt.Println("No mount namespace was configured; no action was taken")
	} else {
		fmt.Printf("Successfully joined the namespace bound to %q\n", path)
	}
	// Go on to do more important things...
}
```
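Because the namespace switch happens in a C constructor before `main` runs, a program that must never operate against the host's mounts when `$KUBENSMNT` is configured can fail closed by confirming it really left the host mount namespace. The following is an added example, not part of the kubensmnt library: it compares this process's `/proc/self/ns/mnt` link against PID 1's, relying on the Linux link format `mnt:[<inode>]` and on the assumption that PID 1 still lives in the host (initial) mount namespace.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseNSInode extracts the inode from a /proc/<pid>/ns/mnt link target
// such as "mnt:[4026531840]"; two processes share a mount namespace
// exactly when these inodes are equal.
func parseNSInode(target string) (uint64, error) {
	const prefix = "mnt:["
	if !strings.HasPrefix(target, prefix) || !strings.HasSuffix(target, "]") {
		return 0, fmt.Errorf("unexpected mount namespace link %q", target)
	}
	return strconv.ParseUint(target[len(prefix):len(target)-1], 10, 64)
}

// mountNSInode returns the mount namespace inode of the given pid ("self" or "1").
func mountNSInode(pid string) (uint64, error) {
	target, err := os.Readlink("/proc/" + pid + "/ns/mnt")
	if err != nil {
		return 0, err
	}
	return parseNSInode(target)
}

// checkSeparateMountNS fails closed: if KUBENSMNT was configured, the process
// must not still share the host's (PID 1's) mount namespace. An empty
// KUBENSMNT means nothing was configured, which is not an error.
func checkSeparateMountNS(kubensmnt string, self, host uint64) error {
	if kubensmnt != "" && self == host {
		return fmt.Errorf("KUBENSMNT=%q is set but process is still in host mount namespace mnt:[%d]", kubensmnt, host)
	}
	return nil
}

func main() {
	self, err1 := mountNSInode("self")
	host, err2 := mountNSInode("1")
	if err1 != nil || err2 != nil {
		panic(fmt.Sprintf("reading namespace links: %v %v", err1, err2))
	}
	if err := checkSeparateMountNS(os.Getenv("KUBENSMNT"), self, host); err != nil {
		panic(err) // refuse to run against the host's mounts
	}
	fmt.Printf("mount namespace check passed (self=%d host=%d)\n", self, host)
}
```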
See `utils/README.md` for systemd services, scripts, and installation instructions for running Kubernetes in a separate mount namespace, with or without building against this library.

See `test/README.md`