Learned A New Linux Command Today

Try it: sudo findmnt

It’s a more user-friendly way to display filesystem mount points on the current running system.

The filesystem point of view of objects is one of the greatest inventions of the UNIX architecture. Every physical device is presented as a filesystem object and can be passed commands via its device name. Many newer virtual devices (e.g. cgroups, securityfs, debugfs) expose driver statistics and configuration options as virtual files inside virtual directories presented by the associated driver. You can tweak the configuration by writing to those virtual files. Neat.

Making everything visible in the filesystem, then virtualizing the filesystem via adjustable cgroup namespaces, has really changed the security game, but I suspect the best features are yet to come. So far, mostly only LXC, LXD and Docker use cgroups to isolate container processes. But cgroups make so much MORE possible.

I have yet to play with LXC combined with the “host” network space. In this mode, containers get access to the regular system IP interface, but everything else is isolated – users, groups, processes, vcpus, memory, disk. That would let me run each daemon in an isolated environment, ignorant of the others, while it could still communicate with the other processes via the shared localhost IP interface.

I’d have to figure out some mount-fu to get the same shared directory mounted in both the dovecot imap4 server and the postfix master server containers, so that postfix SASL authentication for SMTP users would continue to work. Or figure out a different SASL solution that doesn’t require dovecot access.

Or just install dovecot in the same smtp container as amavis, spamassassin and clamd. It’s still more isolated than the current implementation. Right now, they’re all on one host in a single namespace anyway, along with the web, fpm, jabber, openvpn, and a few other services. At least isolating all the email daemons in one namespace would keep them separate from all of the other unrelated services.

root@whistl:/var/log# findmnt
TARGET                                SOURCE     FSTYPE     OPTIONS
/                                     /dev/xvda1 ext4       rw,relatime,discard,data=ordered
├─/sys                                sysfs      sysfs      rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/security              securityfs securityfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/cgroup                    tmpfs      tmpfs      ro,nosuid,nodev,noexec,mode=755
│ │ ├─/sys/fs/cgroup/systemd          cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
│ │ ├─/sys/fs/cgroup/memory           cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,memory
│ │ ├─/sys/fs/cgroup/pids             cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,pids
│ │ ├─/sys/fs/cgroup/cpu,cpuacct      cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,cpu,cpuacct
│ │ ├─/sys/fs/cgroup/net_cls,net_prio cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,net_cls,net_prio
│ │ ├─/sys/fs/cgroup/freezer          cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,freezer
│ │ ├─/sys/fs/cgroup/blkio            cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,blkio
│ │ ├─/sys/fs/cgroup/hugetlb          cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,hugetlb
│ │ ├─/sys/fs/cgroup/devices          cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,devices
│ │ ├─/sys/fs/cgroup/cpuset           cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,cpuset
│ │ └─/sys/fs/cgroup/perf_event       cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,perf_event
│ ├─/sys/fs/pstore                    pstore     pstore     rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/debug                 debugfs    debugfs    rw,relatime
│ └─/sys/fs/fuse/connections          fusectl    fusectl    rw,relatime
├─/proc                               proc       proc       rw,nosuid,nodev,noexec,relatime
│ └─/proc/sys/fs/binfmt_misc          systemd-1  autofs     rw,relatime,fd=28,pgrp=1,timeout=0,minproto=5,maxproto=5,direct
├─/dev                                udev       devtmpfs   rw,nosuid,relatime,size=1015348k,nr_inodes=253837,mode=755
│ ├─/dev/pts                          devpts     devpts     rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000
│ ├─/dev/shm                          tmpfs      tmpfs      rw,nosuid,nodev
│ ├─/dev/mqueue                       mqueue     mqueue     rw,relatime
│ └─/dev/hugepages                    hugetlbfs  hugetlbfs  rw,relatime
├─/run                                tmpfs      tmpfs      rw,nosuid,noexec,relatime,size=204672k,mode=755
│ ├─/run/lock                         tmpfs      tmpfs      rw,nosuid,nodev,noexec,relatime,size=5120k
│ └─/run/user/1001                    tmpfs      tmpfs      rw,nosuid,nodev,relatime,size=204672k,mode=700,uid=1001,gid=1001
├─/snap/core/4917                     /dev/loop0 squashfs   ro,nodev,relatime
├─/snap/core/5145                     /dev/loop1 squashfs   ro,nodev,relatime
├─/snap/core/5328                     /dev/loop2 squashfs   ro,nodev,relatime
├─/snap/amazon-ssm-agent/295          /dev/loop3 squashfs   ro,nodev,relatime
├─/snap/amazon-ssm-agent/495          /dev/loop4 squashfs   ro,nodev,relatime
└─/var/lib/lxcfs                      lxcfs      fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other
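As an added example (not from the post), here is a small Python audit that reads the raw, header-less form of the same listing (`findmnt -rn -o TARGET,SOURCE,FSTYPE,OPTIONS`) and reports writable pseudo-filesystems and tmpfs mounts that lack nosuid, nodev or noexec. The sample input is constructed from a few lines of the listing above; the `audit_live` helper is an assumed convenience that runs the check on the current host.

```python
import subprocess

# Column order requested from: findmnt -rn -o TARGET,SOURCE,FSTYPE,OPTIONS
# -r (raw) prints one mount per line, space separated, without tree glyphs;
# -n drops the header line.
COLUMNS = ("TARGET", "SOURCE", "FSTYPE", "OPTIONS")

# Pseudo-filesystems and tmpfs hold no legitimate setuid binaries or device
# nodes, so a writable mount of one of them should carry all three flags.
# devtmpfs/devpts are deliberately excluded: nodev would break them.
HARDEN_FSTYPES = {"tmpfs", "debugfs", "proc", "sysfs", "cgroup", "securityfs", "pstore", "fusectl"}
WANTED = ("nosuid", "nodev", "noexec")


def parse_findmnt_raw(text):
    """Parse `findmnt -rn` output into a list of dicts, one per mount."""
    mounts = []
    for line in text.splitlines():
        parts = line.split(" ", 3)  # raw mode escapes embedded spaces as \x20
        if len(parts) != 4:
            continue
        entry = dict(zip(COLUMNS, parts))
        entry["OPTIONS"] = set(entry["OPTIONS"].split(","))
        mounts.append(entry)
    return mounts


def audit(mounts):
    """Return [(target, [missing flags])] for writable mounts lacking hardening."""
    findings = []
    for m in mounts:
        if m["FSTYPE"] not in HARDEN_FSTYPES or "ro" in m["OPTIONS"]:
            continue  # read-only mounts (e.g. the cgroup tmpfs root) are fine as-is
        missing = [flag for flag in WANTED if flag not in m["OPTIONS"]]
        if missing:
            findings.append((m["TARGET"], missing))
    return findings


# Constructed sample: a handful of entries copied from the listing above.
SAMPLE = """\
/ /dev/xvda1 ext4 rw,relatime,discard,data=ordered
/sys sysfs sysfs rw,nosuid,nodev,noexec,relatime
/sys/kernel/debug debugfs debugfs rw,relatime
/dev udev devtmpfs rw,nosuid,relatime,size=1015348k,nr_inodes=253837,mode=755
/dev/shm tmpfs tmpfs rw,nosuid,nodev
/run/lock tmpfs tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k
/snap/core/4917 /dev/loop0 squashfs ro,nodev,relatime
"""


def audit_live():
    """Assumed helper: run findmnt on this host (util-linux) and audit it."""
    out = subprocess.run(["findmnt", "-rn", "-o", ",".join(COLUMNS)],
                         check=True, capture_output=True, text=True).stdout
    return audit(parse_findmnt_raw(out))


if __name__ == "__main__":
    for target, missing in audit(parse_findmnt_raw(SAMPLE)):
        print(f"{target}: missing {','.join(missing)}")
```

On the sample it flags /sys/kernel/debug (no restrictive flags at all) and /dev/shm (writable, executable tmpfs), both of which the listing above shows on the live host.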
