Why Does Calling `setns` from Go Return `EINVAL` for Mnt Namespace?

Calling setns from Go Returns EINVAL for mnt Namespace

Problem Description

In Go code, attempting to enter the mnt namespace using the syscall.RawSyscall function to call the setns system call returns an EINVAL error. This issue persists despite a correct setup and a working C implementation that successfully enters the namespace.

Cause and Solution

The root cause of the issue lies in the multi-threaded nature of Go. The setns system call must be executed from a single-threaded context for it to succeed. Since Go applications are multi-threaded by default, the setns call must be made before the Go runtime threads start.

To address this, the "cgo constructor trick" can be employed. This technique allows C code to be executed before the Go runtime begins. By using the __attribute__((constructor)) macro in C code, a function can be decorated to run in a single-threaded C context prior to Go's initialization.

Modified Go Code

The following modified Go code uses the constructor trick to solve the issue:

<code class="go">/*
#include <sched.h>
#include <stdio.h>
#include <fcntl.h>

__attribute__((constructor)) void enter_namespace(void) {
   setns(open("/proc/<PID>/ns/mnt", O_RDONLY, 0644), 0);
}
*/
import "C"

... rest of file is unchanged ...</code>

By leveraging the cgo constructor trick, the Go application can now successfully enter the mnt namespace using the setns system call.

The above is the detailed content of Why Does Calling `setns` from Go Return `EINVAL` for Mnt Namespace?. For more information, please follow other related articles on the PHP Chinese website!