Namespace in Linux

in namespace •  7 years ago 

Linux Namespace

A namespace is a lightweight process-virtualization facility of the Linux kernel: it gives a group of processes their own isolated instance of one global resource (mount points, host name, process IDs, network devices, and so on) while everything still runs on the same kernel.
Unlike a hypervisor, which virtualizes hardware, a namespace does not create a separate machine; it partitions the execution environment of a single operating system. That is why containers built on namespaces share the host kernel, and a kernel bug reachable from inside a namespace is a bug on the host.
Technically, new namespaces are created with the clone() and unshare() system calls, and an existing namespace is joined with setns(). The six CLONE_NEW* flags listed below are passed to clone() and unshare() to say which namespaces to create, and to setns() to say which type of namespace the supplied file descriptor (opened from /proc/PID/ns/*) must refer to. Later kernels added cgroup (4.6) and time (5.6) namespaces; this page covers the original six.

namespace   flag
mnt         CLONE_NEWNS
uts         CLONE_NEWUTS
ipc         CLONE_NEWIPC
pid         CLONE_NEWPID
usr         CLONE_NEWUSER
net         CLONE_NEWNET

(The mount namespace flag is called CLONE_NEWNS rather than CLONE_NEWMNT because it was the first namespace type and no others were foreseen at the time.)

1. Mount namespace

  • Introduced in 2002 with kernel 2.4.19
  • Gives a process and its child processes their own set of filesystem mount points
    By default all processes share one mount namespace, so every process sees the same filesystems being mounted and unmounted. If the CLONE_NEWNS flag is passed to clone() when a process is created (or to unshare() by an existing process), the new process receives a copy of the calling process's mount tree.

This copy lets the new process mount and unmount filesystems without affecting its parent.

Mounts that existed when the copy was made are visible in both the original and the new namespace. Changes made afterwards inside a process's own mount namespace are not seen outside that namespace. One caveat: a mount point marked shared (systemd marks / shared by default) still propagates mount events across namespaces; the util-linux unshare command avoids this by remounting everything private in the new namespace unless --propagation says otherwise, whereas the raw unshare(2) call does not.

1-1. Example: MNT namespace

Create a directory, then unshare the mount namespace before mounting anything on it.

[root@localhost/]# mkdir /tmp/mount_ns
[root@localhost/]#
[root@localhost/]# unshare -m /bin/bash

* unshare : runs a program in newly created namespaces
*            -m : new mount namespace

Use readlink to identify the mount namespace the current shell is in.

[root@localhost/] # readlink /proc/$$/ns/mnt
mnt:[4026532190]
[root@localhost/] #

* readlink : prints the target of a symbolic link. /proc/PID/ns/* are magic links whose target names the namespace type and its inode number; two processes are in the same namespace exactly when these numbers match.
*             $$ : process ID of the current bash shell
*     /proc/ : virtual filesystem that exposes kernel and per-process state in real time
      (its contents are generated from kernel memory, not stored on disk)

Mount a tmpfs on the directory and check that it appears in the filesystem list.

[root@localhost/] # mount -n -t tmpfs tmpfs /tmp/mount_ns
[root@localhost/] #
[root@localhost/] # df -h | grep mount_ns
tmpfs 1.9G 0 1.9G 0% /tmp/mount_ns

* mount -n : do not record the mount in /etc/mtab (/etc/mtab: mount table of the current system)
* mount -t tmpfs : type of filesystem to mount
* df : report filesystem usage
* df -h : human-readable sizes

Check the kernel's own mount table as well.

[root@localhost/] # cat /proc/mounts | grep mount_ns
tmpfs /tmp/mount_ns tmpfs rw,seclabel,relatime 0 0
[root@localhost/] #

Now switch to a second session, a shell that is still in the original mount namespace, and check again.
The namespace inode number is different, and the tmpfs mounted from the first shell is not visible here.

[root@localhost~] #
[root@localhost~] # readlink /proc/$$/ns/mnt
mnt:[4026531840]
[root@localhost~] # cat /proc/mounts | grep mount_ns
[root@localhost~] # df -h | grep mount_ns
[root@localhost~] #
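The same walk-through with the raw system calls, as an added example that is not part of the original post: a child process calls unshare(CLONE_NEWNS), mounts a tmpfs on /tmp/mount_ns and checks /proc/self/mounts, while the parent, still in the original namespace, checks the same file at the same moment and does not see the mount. It also does the step that the util-linux unshare command does silently, marking the copied mount tree private before mounting; without it, on a systemd host where / is a shared mount, the new tmpfs would propagate back to the parent. The helper names (is_mounted, ns_unshare, MOUNT_DIR) are this example's own, and the mount steps need root (CAP_SYS_ADMIN).

```c
/* mnt_ns_demo.c: the mount-namespace walk-through done with the raw system calls.
 * Build: gcc -Wall -o mnt_ns_demo mnt_ns_demo.c ; run as root.
 * Helper names (is_mounted, ns_unshare, MOUNT_DIR) are this example's own. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <sys/syscall.h>

#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000   /* kernel ABI value of the mount-namespace flag */
#endif

#define MOUNT_DIR "/tmp/mount_ns"   /* same directory as the session above */

/* Raw syscall so the file builds without relying on the _GNU_SOURCE prototype. */
static int ns_unshare(int flags) { return (int)syscall(SYS_unshare, flags); }

/* Returns 1 if `path` is a mount point in the calling process's mount namespace,
 * 0 if not, -1 if /proc/self/mounts cannot be read. /proc/self/mounts is the
 * per-namespace view the page inspects with `cat /proc/mounts`; each line is
 * "source mountpoint fstype options freq passno" (spaces in names appear as \040). */
int is_mounted(const char *path)
{
    FILE *f = fopen("/proc/self/mounts", "r");
    if (!f)
        return -1;
    char line[1024], src[256], mnt[512];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%255s %511s", src, mnt) == 2 && strcmp(mnt, path) == 0) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

int main(void)
{
    int pfd[2];
    char c;
    mkdir(MOUNT_DIR, 0755);   /* the page's `mkdir /tmp/mount_ns`; harmless if it already exists */
    if (pipe(pfd) < 0) { perror("pipe"); return 1; }

    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        close(pfd[0]);
        /* New mount namespace holding a copy of the parent's mount tree (like `unshare -m`). */
        if (ns_unshare(CLONE_NEWNS) < 0) { perror("unshare(CLONE_NEWNS)"); _exit(1); }
        /* unshare(2) copies the propagation type of every mount as well. systemd marks /
         * shared, so a mount made here would still propagate back to the parent namespace.
         * util-linux `unshare -m` does this private remount for you (its default
         * --propagation private); with the raw syscall it is your job. */
        if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) { perror("mount MS_PRIVATE"); _exit(1); }
        if (mount("tmpfs", MOUNT_DIR, "tmpfs", 0, NULL) < 0) { perror("mount tmpfs"); _exit(1); }
        printf("child  (new ns): %s mounted = %d\n", MOUNT_DIR, is_mounted(MOUNT_DIR));   /* 1 */
        fflush(stdout);
        if (write(pfd[1], "x", 1) != 1) _exit(1);   /* tell the parent the mount exists */
        pause();                                     /* keep the namespace alive until told to go */
        _exit(0);
    }
    close(pfd[1]);
    if (read(pfd[0], &c, 1) != 1) { kill(child, SIGKILL); return 1; }
    /* The parent is still in the original namespace, like the second session above: the
     * tmpfs is mounted right now in the child's namespace but does not appear here. */
    printf("parent (orig ns): %s mounted = %d\n", MOUNT_DIR, is_mounted(MOUNT_DIR));   /* 0 */
    kill(child, SIGTERM);   /* the child's mount namespace, and its tmpfs, disappear with it */
    waitpid(child, NULL, 0);
    return 0;
}
```

No umount is needed at the end: a mount namespace is reference-counted, and when its last process exits the kernel tears down the namespace together with the mounts that only it could see.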

2. UTS namespace

  • UNIX Time-sharing System namespace
  • Isolates the host's identifiers: the host name and the NIS domain name (set with sethostname() and setdomainname())
  • Lets each container present its own host name to the applications running inside it
  • Created with the -u option of the unshare command

2-1. Example: UTS namespace


First, check the hostname in the first session.

[root@localhost ~]# hostname
localhost.localdomain
[root@localhost ~]#

Then use unshare -u to create a separate UTS namespace, set a new hostname inside it, and confirm that the change took effect.

[root@localhost ~]# unshare -u /bin/bash
[root@localhost ~]# hostname uts-namespace
[root@localhost ~]#
[root@localhost ~]# hostname
uts-namespace
[root@localhost ~]# cat /proc/sys/kernel/hostname
uts-namespace
[root@localhost ~]#

If you open a new session and check the hostname, the name set inside the separated namespace is not visible there.

[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# hostname
localhost.localdomain
[root@localhost ~]#
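As an added example (not from the original post) that ties the clone()/unshare()/setns() description at the top of the page to the UTS session just shown: a child process leaves its parent's UTS namespace with unshare(CLONE_NEWUTS) and sets the hostname uts-namespace; the parent proves it is unaffected by comparing /proc/PID/ns/uts inode numbers and its own hostname, then joins the child's namespace with setns() on that /proc link, which is what nsenter does, and afterwards sees the new name. The helper names (parse_ns_link, ns_inode, ns_unshare, ns_setns) are this example's own; reading /proc/PID/ns works unprivileged, the unshare and setns steps need CAP_SYS_ADMIN.

```c
/* uts_ns_demo.c: the UTS walk-through above done with the raw system calls.
 * Build: gcc -Wall -o uts_ns_demo uts_ns_demo.c ; run as root.
 * Helper names (parse_ns_link, ns_inode, ns_unshare, ns_setns) are this example's own. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <signal.h>
#include <sys/wait.h>
#include <sys/syscall.h>

#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS 0x04000000   /* kernel ABI value of the UTS-namespace flag */
#endif

/* Raw syscalls (the same numbers libc's unshare()/setns() use), so the file
 * builds without relying on the _GNU_SOURCE prototypes. */
static int ns_unshare(int flags) { return (int)syscall(SYS_unshare, flags); }
static int ns_setns(int fd, int nstype) { return (int)syscall(SYS_setns, fd, nstype); }

/* Parse a /proc/PID/ns/* link target such as "uts:[4026531838]".
 * Copies the type ("uts") into `type` if given and returns the inode number,
 * or 0 if the text is not in that form. */
unsigned long parse_ns_link(const char *link, char *type, size_t type_len)
{
    const char *colon = strchr(link, ':');
    if (!colon || colon[1] != '[')
        return 0;
    size_t n = (size_t)(colon - link);
    if (type && type_len > 0) {
        if (n >= type_len) n = type_len - 1;
        memcpy(type, link, n);
        type[n] = '\0';
    }
    char *end = NULL;
    unsigned long ino = strtoul(colon + 2, &end, 10);
    if (end == colon + 2 || *end != ']')
        return 0;
    return ino;
}

/* Inode number of the namespace of type `ns` ("uts", "mnt", ...) that `pid` is in;
 * pid <= 0 means the calling process. Two processes share a namespace exactly when
 * these numbers are equal (this is what `readlink /proc/$$/ns/mnt` compared above).
 * Returns 0 on error. */
unsigned long ns_inode(pid_t pid, const char *ns)
{
    char path[64], link[64];
    if (pid > 0)
        snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, ns);
    else
        snprintf(path, sizeof path, "/proc/self/ns/%s", ns);
    ssize_t len = readlink(path, link, sizeof link - 1);
    if (len < 0)
        return 0;
    link[len] = '\0';
    return parse_ns_link(link, NULL, 0);
}

int main(void)
{
    char host[256], path[64], c;
    int pfd[2];
    if (pipe(pfd) < 0) { perror("pipe"); return 1; }

    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        /* Child: leave the parent's UTS namespace (like `unshare -u`) and rename itself. */
        if (ns_unshare(CLONE_NEWUTS) < 0) { perror("unshare(CLONE_NEWUTS)"); _exit(1); }
        if (sethostname("uts-namespace", 13) < 0) { perror("sethostname"); _exit(1); }
        close(pfd[0]);
        if (write(pfd[1], "x", 1) != 1) _exit(1);   /* tell the parent the hostname is set */
        pause();                                     /* stay alive until the parent is done */
        _exit(0);
    }

    close(pfd[1]);
    if (read(pfd[0], &c, 1) != 1) { kill(child, SIGKILL); return 1; }

    printf("parent uts ns: %lu, child uts ns: %lu\n", ns_inode(0, "uts"), ns_inode(child, "uts"));
    gethostname(host, sizeof host);
    printf("parent still sees hostname: %s\n", host);   /* unchanged, like the second session */

    /* Join the child's namespace the way `nsenter -t <pid> -u` does: setns() on the /proc link.
     * CLONE_NEWUTS as nstype makes the kernel refuse a descriptor of any other namespace type. */
    snprintf(path, sizeof path, "/proc/%d/ns/uts", (int)child);
    int fd = open(path, O_RDONLY);
    if (fd < 0 || ns_setns(fd, CLONE_NEWUTS) < 0) { perror("setns"); kill(child, SIGKILL); return 1; }
    gethostname(host, sizeof host);
    printf("after setns, parent sees hostname: %s\n", host);   /* uts-namespace */

    kill(child, SIGTERM);
    waitpid(child, NULL, 0);
    return 0;
}
```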

3. IPC namespace

  • Isolates the objects processes use to exchange data and synchronize work: System V IPC (message queues, semaphore sets, shared memory segments) and POSIX message queues
  • Processes in different IPC namespaces cannot see or attach to each other's IPC objects, even when they use the same key or name
  • A container needs its own IPC namespace so that its processes cannot reach IPC objects belonging to the host or to other containers

4. PID namespace

  • Isolates process ID numbering: each PID namespace has its own ID space, so one process can have a different PID in each namespace it is visible from
  • The first process in a new PID namespace gets PID 1 and plays the init role there: it reaps orphaned children, and when it exits the kernel kills every other process in the namespace
  • Several such init processes can therefore run on the same OS without PID conflicts, and processes in a child namespace cannot see or signal processes of the parent namespace

5. USR namespace

  • Lets processes have user and group IDs inside the namespace that differ from their IDs in the parent (initial) namespace
  • Introduced in kernel 3.8; at the time of writing many distributions still disabled it or shipped older kernels
  • An unprivileged user can create a user namespace and be UID 0 inside it, with full capabilities over the resources of that namespace and of any namespace created from it, but no extra privilege over the parent's resources; this is what rootless containers are built on, and because it exposes a lot of kernel code to unprivileged users, some distributions restrict unprivileged user namespaces by default
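An added example (not from the original post) for the PID and USR namespace points above: as an ordinary user, create a user namespace together with a PID namespace, map UID/GID 0 inside to your real IDs through /proc/self/uid_map and gid_map, and fork. The child reports PID 1 and effective UID 0, yet opening a root-only file of the parent namespace still fails, because "root" here holds capabilities only over resources of the new namespaces. map_id, a parser for the uid_map/gid_map format, shows how the kernel translates IDs across that boundary. The helper names (map_id, write_file, ns_unshare) and the sample map lines are this example's own; it requires a kernel that permits unprivileged user namespaces.

```c
/* user_pid_ns_demo.c: become "root" with PID 1 in namespaces created as an ordinary user.
 * Build: gcc -Wall -o user_pid_ns_demo user_pid_ns_demo.c ; run as a normal user.
 * Helper names (map_id, write_file, ns_unshare) are this example's own. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/syscall.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* kernel ABI flag values */
#endif
#ifndef CLONE_NEWPID
#define CLONE_NEWPID  0x20000000
#endif

static int ns_unshare(int flags) { return (int)syscall(SYS_unshare, flags); }

/* Translate an ID inside a user namespace to the ID in its parent namespace, given
 * the text of /proc/PID/uid_map or gid_map. Each line is "inside outside count":
 * inside..inside+count-1 map to outside..outside+count-1. Returns -1 when the ID
 * is not mapped, which the kernel reports as the overflow ID (normally 65534). */
long long map_id(const char *map_text, long long inside)
{
    const char *p = map_text;
    while (*p) {
        long long in, out, count;
        int consumed = 0;
        if (sscanf(p, " %lld %lld %lld%n", &in, &out, &count, &consumed) != 3)
            break;
        if (inside >= in && inside < in + count)
            return out + (inside - in);
        p += consumed;
    }
    return -1;
}

/* Write a whole string to a /proc file in one write(), as the map files require. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    char buf[64];

    /* The user namespace is created first; the capabilities it grants are what make
     * CLONE_NEWPID legal for an unprivileged caller in the same call. */
    if (ns_unshare(CLONE_NEWUSER | CLONE_NEWPID) < 0) {
        perror("unshare(CLONE_NEWUSER|CLONE_NEWPID)");
        return 1;
    }
    /* Map inside UID/GID 0 to the real IDs. A process may map only its own ID without
     * CAP_SETUID/CAP_SETGID in the parent, and must write "deny" to setgroups before
     * it is allowed to write gid_map. */
    snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)uid);
    if (write_file("/proc/self/uid_map", buf) < 0) { perror("uid_map"); return 1; }
    if (write_file("/proc/self/setgroups", "deny") < 0) { perror("setgroups"); return 1; }
    snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)gid);
    if (write_file("/proc/self/gid_map", buf) < 0) { perror("gid_map"); return 1; }
    printf("parent: uid %u inside maps to %lld outside\n", 0u, map_id(buf, 0));

    /* The caller keeps its old PID; only its children land in the new PID namespace. */
    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        printf("child: pid=%d euid=%u (root and init inside, uid %u outside)\n",
               (int)getpid(), (unsigned)geteuid(), (unsigned)uid);   /* pid=1 euid=0 */
        /* "root" here has no power over the parent namespace's resources: */
        if (open("/etc/shadow", O_RDONLY) < 0)
            printf("child: open /etc/shadow failed: %s\n", strerror(errno));
        else
            printf("child: /etc/shadow opened (the real user can read it anyway)\n");
        _exit(0);
    }
    waitpid(child, NULL, 0);
    return 0;
}
```

Note that `buf` holds the gid_map line when map_id is called on it, so the parent prints the real GID; reading /proc/self/uid_map from the child would give the UID line.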

6. NET namespace

  • Isolates networking resources: network devices, IP addresses, routing tables, sockets, port numbers and netfilter (firewall) rules
  • Effectively gives each namespace its own copy of the network stack, so several namespaces can each run a service bound to the same port
  • Managed from user space with the ip command from the iproute2 package (ip netns, ip link set ... netns ...)

6-1. Example: NET namespace

Query the current interfaces with the ip command: the root (initial) network namespace has lo and enp0s3.

[root@localhost ~]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
            ...(skip)
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
            ...(skip)
[root@localhost ~]#

The routing table of the root network namespace:

[root@localhost ~]#
[root@localhost ~]# ip r s
default via 10.0.2.2 dev enp0s3 proto static metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
            ...(skip)
[root@localhost ~]#

Now create two new network namespaces.

[root@localhost ~]#
[root@localhost ~]# ip netns add ns1
[root@localhost ~]# ip netns add ns2
[root@localhost ~]#
[root@localhost ~]# ip netns
ns2
ns1
[root@localhost ~]#

Then run a network command inside the new namespace.
The new namespace contains only a loopback interface, and it is down until something brings it up.

[root@localhost ~]# ip netns exec ns1 ip link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
[root@localhost ~]#
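The same observation with the system call that `ip netns add` uses underneath, as an added example that is not part of the original post: list the interfaces visible to the process, call unshare(CLONE_NEWNET), and list them again; the second listing contains only lo, administratively down, which is why the `ip link` output above shows state DOWN. The helper names (list_ifaces, has_iface, iface_is_up, ns_unshare) are this example's own and the interface name enp0s3 is taken from the session above; listing works unprivileged, the unshare step needs CAP_SYS_ADMIN.

```c
/* net_ns_demo.c: what `ip netns exec ns1 ip link` shows, done with unshare(CLONE_NEWNET)
 * and the POSIX if_nameindex() interface list.  Build: gcc -Wall -o net_ns_demo net_ns_demo.c
 * Helper names (list_ifaces, has_iface, iface_is_up, ns_unshare) are this example's own. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <net/if.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>

#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000   /* kernel ABI value of the network-namespace flag */
#endif

static int ns_unshare(int flags) { return (int)syscall(SYS_unshare, flags); }

/* Print the interfaces visible from the calling process's network namespace and
 * return how many there are (-1 on error). Like `ip link`, the kernel answers for
 * the caller's own namespace, so the same code gives different results before and
 * after unshare(). */
int list_ifaces(void)
{
    struct if_nameindex *list = if_nameindex(), *p;
    if (!list)
        return -1;
    int n = 0;
    for (p = list; p->if_index != 0; p++, n++)
        printf("%u: %s\n", p->if_index, p->if_name);
    if_freenameindex(list);
    return n;
}

/* 1 if an interface with this name exists in the caller's namespace, else 0. */
int has_iface(const char *name)
{
    return if_nametoindex(name) != 0;
}

/* Administrative state of an interface: 1 = UP flag set, 0 = down, -1 = error.
 * The lo of a freshly created namespace is down until something brings it up. */
int iface_is_up(const char *name)
{
    struct ifreq ifr;
    int s = socket(AF_INET, SOCK_DGRAM, 0);   /* any socket will do for interface ioctls */
    if (s < 0)
        return -1;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    int rc = ioctl(s, SIOCGIFFLAGS, &ifr);
    close(s);
    if (rc < 0)
        return -1;
    return (ifr.ifr_flags & IFF_UP) ? 1 : 0;
}

int main(void)
{
    printf("--- initial network namespace ---\n");
    list_ifaces();                                        /* lo, enp0s3, ... */
    printf("lo is up: %d\n", iface_is_up("lo"));           /* 1 */

    if (ns_unshare(CLONE_NEWNET) < 0) {
        perror("unshare(CLONE_NEWNET) (needs CAP_SYS_ADMIN)");
        return 1;
    }
    printf("--- new network namespace ---\n");
    list_ifaces();                                        /* only "1: lo" */
    printf("lo is up: %d\n", iface_is_up("lo"));           /* 0: nothing has brought it up yet */
    printf("enp0s3 visible: %d\n", has_iface("enp0s3"));   /* 0: devices stay in the old namespace */
    /* Physical interfaces cannot be reached from here at all; a veth pair, one end moved
     * in with `ip link set <dev> netns <pid>`, is how containers get connectivity. */
    return 0;
}
```

One difference from the session above: `ip netns add ns1` additionally bind-mounts /proc/self/ns/net to /var/run/netns/ns1, which keeps the namespace alive after the creating process exits. This program's namespace has no such reference and is destroyed when the process exits.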

Further investigation

  • kernel/nsproxy.c analysis
