Hi guys, I am confused about how containers work in Linux, especially how chrooting works and about how /proc filesystems are mounted.
So please feel free to migrate this question to another forum if this is not the right one.
Now, to business.
Okay, Docker can be confusing to the uninitiated, especially when everyone thinks that containers are just lightweight VMs. A good talk on YouTube helped me get a clearer picture. It is "Build your own container from scratch".
It showed a lot of useful things, such as namespace creation, but where I really got confused was when the virtual filesystem /proc had to be mounted into a separate directory.
I am completely confused about how this works the way it does.
The part that confused me was this in the video.
Questions are as follows:
- Can't ps be namespaced? As in, it will by default show the processes in the current namespace from which it is invoked?
- When we mount /proc into another new rootfs are we creating a new /proc for the namespace or are we creating a new /proc for that namespace?
- I don't have much idea about Linux virtual filesystems, but I believe it is a way for the kernel to communicate information to user space. If that is correct, then does that mean that when we have a new /proc mounted, the kernel is now writing out to two different /proc directories? I am really confused by this.
- I have used chroot to get into a system for repair purposes, but I have not completely understood most of it. Take for instance when I mount the /proc from my LiveCD into a broken OS: that is just mapping my existing /proc into the broken OS, it does not create a new /proc AFAIK. Does that have any similarity to what is shown in the video here, or are we creating a new /proc? That does not make sense, since container processes can also be viewed from the host.
Please let me know if any further information is required from my side.
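As an added example (not from the question or from the talk), the following shell script shows what a ps-style tool actually does: it walks the numeric entries of a proc mount, which the kernel populates with the PIDs visible in the PID namespace that mount belongs to, and reads the NSpid line of /proc/<pid>/status, which lists a process's PID in each PID namespace from the mount's namespace inward. The function names (mini_ps, nspid, visible_pid_count, pidns_demo) are my own; pidns_demo repeats the listing inside a fresh PID namespace with its own proc mount via unshare(1), and only runs where that is permitted.

```shell
#!/bin/sh
# Added example: a minimal "ps" built directly on a proc mount.
# Every numeric directory under a proc mount is a PID that is visible in
# the PID namespace the mount belongs to; ps has nothing to namespace
# itself, it only reads this directory.
mini_ps() {
    procdir="${1:-/proc}"
    for d in "$procdir"/[0-9]*; do
        pid="${d##*/}"
        comm=$(cat "$d/comm" 2>/dev/null) || continue   # process exited mid-walk
        printf '%s %s\n' "$pid" "$comm"
    done
}

# Number of PIDs visible through a given proc mount.
visible_pid_count() {
    mini_ps "$1" | wc -l | tr -d ' '
}

# The PID of a process as seen from each PID namespace it belongs to,
# from the namespace that mounted this procfs inward (NSpid line of
# /proc/<pid>/status, Linux 4.1+). In the initial namespace this is a
# single number; inside a nested PID namespace it reads e.g. "12345 1".
# Falls back to the plain Pid line on kernels without NSpid.
nspid() {
    grep -E '^(Pid|NSpid):' "${1:-/proc}/${2:-$$}/status" | tail -n 1 \
        | cut -f2- | tr '\t' ' '
}

# Same listing inside a fresh PID namespace with its own proc mount.
# Needs unshare(1) and unprivileged user namespaces; reports and
# returns 0 otherwise. Inside, the shell is PID 1 and only sees itself
# and its children, while the host's proc still lists it under its
# host PID (the first NSpid entry).
pidns_demo() {
    command -v unshare >/dev/null 2>&1 || { echo "unshare(1) not available"; return 0; }
    unshare --user --map-root-user --pid --fork --mount-proc sh -c '
        grep ^NSpid /proc/$$/status
        echo "visible pids: $(ls /proc | grep -c "^[0-9]")"
    ' 2>/dev/null || echo "creating a PID namespace is not permitted here"
}
```

Run mini_ps and nspid once on the host and once via pidns_demo to see the same process listed under two different PIDs through two different proc mounts.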