With `unshare -n -r -m` you can create a new mount namespace; inside it, `mount --bind` works (even if `mount --bind` was refused before the unshare).

    Explanation of unshare -n -r -m:
    -r map the current user to root (in a new user namespace; implies -U)
    -n unshare the network namespace
    -m unshare the mount namespace

    In the new mount namespace you hold full privileges over that namespace, so `mount --bind /home/admin/test1 /home/admin/test2` succeeds.

    But mounting proc still fails: mount -t proc proc /home/admin/test1
    https://github.com/opencontainers/runc/issues/1658#issuecomment-375996344

    • If there’s no /proc visible, you cannot mount a new one: the logic is reverse: mnt_already_visible() requires that there is at least one fully visible procfs.

    About MNT_LOCKED:

    • You cannot umount a mount marked as locked (MNT_LOCKED). A mount is marked as locked by the kernel if it is created as part of the creation of a less privileged (CL_UNPRIVILEGED) new mount namespace.
    • Similarly, MNT_LOCKED is checked for pivot_root and for moving a mountpoint.
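The three behaviours this note describes (the bind mount succeeds inside the new namespace, the proc mount is refused, and mounts inherited from the parent namespace are MNT_LOCKED and cannot be unmounted) reproduced as an added POSIX shell script. This is not code from the original note or from runc; it assumes util-linux `unshare` and `mount` are installed, uses mktemp directories as stand-ins for /home/admin/test1 and /home/admin/test2, and drops `-n` because the network namespace plays no part in the mount behaviour. Each function prints `unavailable` when the host refuses to create an unprivileged user namespace, and reports what the host actually does rather than assuming the outcome stated above.

```shell
#!/bin/sh
# Added example (not from the original note): reproduce the experiments from
# the text inside an unprivileged user + mount namespace (unshare -U -r -m).

# "yes" if this host lets us create a user namespace with ourselves mapped to root.
userns_available() {
    if unshare -U -r -m true 2>/dev/null; then echo yes; else echo no; fi
}

# Bind mount in the new mount namespace: prints "bound", "failed" or "unavailable".
# The mount is verified by reading through it and by finding the mount point
# (field 5) in /proc/self/mountinfo of a process inside the namespace.
bind_in_userns() {
    [ "$(userns_available)" = yes ] || { echo unavailable; return 0; }
    work=$(mktemp -d) || return 1          # constructed stand-in for /home/admin
    mkdir -p "$work/test1" "$work/test2"
    echo marker > "$work/test1/file"
    if unshare -U -r -m sh -c '
        mount --bind "$1/test1" "$1/test2" || exit 1
        [ "$(cat "$1/test2/file")" = marker ] || exit 1
        grep -qF -- " $1/test2 " /proc/self/mountinfo
    ' sh "$work" 2>/dev/null; then
        echo bound
    else
        echo failed
    fi
    rm -rf "$work"   # the bind mount vanished with its namespace, so rm is safe
}

# The proc mount from the text: prints "mounted", "denied" or "unavailable".
# Drop the 2>/dev/null to see the kernel's reason on stderr.
proc_mount_in_userns() {
    [ "$(userns_available)" = yes ] || { echo unavailable; return 0; }
    unshare -U -r -m sh -c '
        d=$(mktemp -d) || exit 1
        if mount -t proc proc "$d" 2>/dev/null; then echo mounted; umount "$d"; else echo denied; fi
        rmdir "$d"
    ' 2>/dev/null
}

# MNT_LOCKED: /proc was inherited from the parent namespace, so the unprivileged
# owner of the new namespace cannot umount it. Prints "locked" (umount refused),
# "unmounted" (it went away, i.e. not locked) or "unavailable" (no /proc mount).
umount_inherited_in_userns() {
    [ "$(userns_available)" = yes ] || { echo unavailable; return 0; }
    grep -qF -- " /proc " /proc/self/mountinfo || { echo unavailable; return 0; }
    unshare -U -r -m sh -c '
        if umount /proc 2>/dev/null; then echo unmounted; else echo locked; fi
    ' 2>/dev/null
}

# Usage: run the three experiments and print their outcomes.
printf 'bind mount in new ns:    %s\n' "$(bind_in_userns)"
printf 'proc mount in new ns:    %s\n' "$(proc_mount_in_userns)"
printf 'umount inherited /proc:  %s\n' "$(umount_inherited_in_userns)"
```

The script never touches the host's mount table: every mount is made in a mount namespace that is destroyed when the inner `sh` exits, and util-linux `unshare -m` defaults to private propagation. A refusal of `umount /proc` for any reason (a busy submount as well as MNT_LOCKED) is reported as `locked`; remove the redirection to stderr to tell the cases apart.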