Namespaces in Linux

Ľubomír Rintel
GoodData Q1 off-site Harrachov 2014
Introduction to Linux namespaces, containers.

Slide 1. Namespaces in Linux
Ľubomír Rintel
GoodData Q1 off-site Harrachov 2014
Slide 2. UNIX processes
● Virtualization
  – Virtual CPU and memory
  – Consistently accessible devices
● Shared resources
  – Runtime configuration
  – Communication channels
  – Filesystem
  – Privileges, credentials

  pid_t pid = fork ();
  if (pid) { <parent> } else { <child> }
Slide 3. What about threads?
Slide 4. Sharing more
● Sharing resources and state
  – Address space
  – Signal handlers
  – Open file handles
  – CWD, umask(), ...
Slide 5. Linux processes
● Threads are processes
● Process: own resources & state
● Thread: shared resources & state

  pid_t pid = clone (<what_to_share>);

  CLONE_VM      Address space
  CLONE_FILES   Open files
  CLONE_FS      CWD, umask(), ...
  ...

SEE ALSO: unshare(2)
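Added example (my code, not the deck's): a small C program that makes the slide's point about clone() flags concrete. It creates a child with clone(2) twice, once with no sharing flags (fork-like) and once with CLONE_FS, lets the child chdir, and reports whether the parent's working directory moved with it. The function name cwd_is_shared and the 64 KiB child stack size are my choices; the child changes to "/" (or "/tmp" if it already sits in "/") just to have a visible change.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHILD_STACK_SIZE (64 * 1024)   /* assumption: plenty for a chdir() */

/* Child body: change the working directory and exit. Whether the
 * parent's cwd moves as well depends on whether CLONE_FS was passed. */
static int child_chdir(void *arg)
{
    return chdir((const char *)arg) == 0 ? 0 : 1;
}

/* Creates a child with clone(2) using extra_flags (0 or CLONE_FS) and
 * lets it chdir. Returns 1 if the parent's cwd followed the child's
 * chdir (shared fs_struct), 0 if the parent's cwd was unaffected, and
 * -1 on error. Restores the original cwd before returning. */
int cwd_is_shared(int extra_flags)
{
    char before[PATH_MAX], after[PATH_MAX];
    if (!getcwd(before, sizeof before))
        return -1;
    /* Pick a target that differs from the current directory. */
    const char *target = strcmp(before, "/") == 0 ? "/tmp" : "/";

    /* clone() needs a stack for the child; it grows downwards, so pass the top. */
    char *stack = malloc(CHILD_STACK_SIZE);
    if (!stack)
        return -1;
    /* SIGCHLD makes the child reapable with waitpid(), like a fork()ed child. */
    pid_t pid = clone(child_chdir, stack + CHILD_STACK_SIZE,
                      extra_flags | SIGCHLD, (char *)target);
    if (pid < 0) {
        free(stack);
        return -1;
    }
    int status;
    int waited = waitpid(pid, &status, 0);
    free(stack);
    if (waited < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;

    if (!getcwd(after, sizeof after))
        return -1;
    int shared = strcmp(before, after) != 0;
    if (shared && chdir(before) != 0)   /* put the parent back where it was */
        return -1;
    return shared;
}

int main(void)
{
    printf("plain clone (fork-like): parent cwd shared = %d\n", cwd_is_shared(0));
    printf("clone with CLONE_FS:     parent cwd shared = %d\n", cwd_is_shared(CLONE_FS));
    return 0;
}
```

Without CLONE_FS the child gets a copy of the fs_struct, so its chdir is private; with CLONE_FS both processes point at the same one, which is exactly the sharing a thread has with its siblings. Root privileges are not needed for CLONE_FS.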
Slide 6. ...and what about containers?
Slide 7. Containers
● Virtualization
● Less sharing
● More separation

Sharing is not caring. Your mother was wrong!
Slide 8. Namespaces
● Containers are to processes what processes are to threads

  pid_t pid = clone (<what_to_share>);

  CLONE_NEWUTS    Hostname, domainname
  CLONE_NEWIPC    SysV IPC objects
  CLONE_NEWPID    Process IDs
  CLONE_NEWNET    Network configuration
  CLONE_NEWNS     File system mounts
  CLONE_NEWUSER   User and Group IDs

SEE ALSO: setns(2)
Slide 9. UTS namespace
● CLONE_NEWUTS
● CONFIG_UTS_NS since Linux 2.6.19
● needs CAP_SYS_ADMIN
● hostname
● domainname
Slide 10. SysV IPC namespace
● CLONE_NEWIPC
● CONFIG_IPC_NS since 2.6.19
● Obsolete System V UNIX IPC mechanisms:
  – semaphores
  – shared memory
  – message queues
Slide 11. PID namespace
● CLONE_NEWPID
● CONFIG_PID_NS since Linux 2.6.24
● a different PID visible from within namespace than from outside
● new PID 1
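Added example, not from the deck: a C program that creates a PID namespace and shows both bullets above at once, the first process being PID 1 inside while having an ordinary PID outside. It combines CLONE_NEWPID with CLONE_NEWUSER so that an unprivileged user can run it where unprivileged user namespaces are enabled (root in the initial namespace could pass CLONE_NEWPID alone); where the kernel or a seccomp sandbox refuses, it reports that instead of failing. pid_ns_demo, pid_view and ns_refused are names I made up.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* How one process is numbered on the two sides of a PID namespace boundary. */
struct pid_view {
    pid_t inner;   /* getpid() as the process itself sees it, inside the new namespace */
    pid_t outer;   /* the PID its parent got back from fork(), in the parent's namespace */
};

/* Is this errno the kernel or a sandbox refusing to create the namespaces
 * (disabled, unprivileged, nesting limit, seccomp), rather than a bug? */
static int ns_refused(int err)
{
    return err == EPERM || err == EACCES || err == EINVAL ||
           err == ENOSYS || err == ENOSPC || err == EUSERS;
}

/* Returns 0 and fills *v on success, 1 if namespace creation was refused,
 * -1 on any other failure. */
int pid_ns_demo(struct pid_view *v)
{
    int pipefd[2];
    if (pipe(pipefd) < 0)
        return -1;

    /* unshare(CLONE_NEWPID) does not move the caller; it applies to the
     * caller's *next* child. So unshare in an intermediate process and
     * fork once more from there. */
    pid_t mid = fork();
    if (mid < 0)
        return -1;
    if (mid == 0) {
        close(pipefd[0]);
        if (unshare(CLONE_NEWUSER | CLONE_NEWPID) < 0)
            _exit(ns_refused(errno) ? 1 : 2);
        pid_t child = fork();
        if (child < 0)
            _exit(2);
        if (child == 0) {
            /* First process in the new namespace: PID 1 from in here. */
            pid_t inner = getpid();
            (void)write(pipefd[1], &inner, sizeof inner);
            _exit(0);
        }
        /* Let the child write first, then report how *we* number it. */
        int st;
        waitpid(child, &st, 0);
        (void)write(pipefd[1], &child, sizeof child);
        _exit(0);
    }
    close(pipefd[1]);

    /* Read exactly two pid_t values: inner first, then outer. */
    pid_t vals[2] = {0, 0};
    size_t got = 0;
    while (got < sizeof vals) {
        ssize_t n = read(pipefd[0], (char *)vals + got, sizeof vals - got);
        if (n <= 0)
            break;
        got += (size_t)n;
    }
    close(pipefd[0]);

    int st;
    if (waitpid(mid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    if (WEXITSTATUS(st) == 1)
        return 1;
    if (WEXITSTATUS(st) != 0 || got != sizeof vals)
        return -1;
    v->inner = vals[0];
    v->outer = vals[1];
    return 0;
}

int main(void)
{
    struct pid_view v;
    int r = pid_ns_demo(&v);
    if (r == 0)
        printf("inside the new namespace: PID %d; from outside: PID %d\n", (int)v.inner, (int)v.outer);
    else if (r == 1)
        printf("unprivileged PID/user namespaces are not available here\n");
    else
        printf("unexpected failure\n");
    return r < 0;
}
```

The intermediate process is the detail people trip over: unshare(2) with CLONE_NEWPID changes which namespace the caller's future children land in, not the caller's own PID, so the process that calls it never becomes PID 1 itself.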
Slide 12. Network namespace
● CLONE_NEWNET
● CONFIG_NET_NS since Linux 2.6.29
● separate network stack
  – network addresses
  – nftables/netfilter rules
  – loopback interface for namespace
● veth interface (CONFIG_VETH), ip netns
Slide 13. Mount namespace
● CLONE_NEWNS
● First namespace, since 2.4.19
● /proc/<pid>/mounts instead of /proc/mounts
● In Fedora, run mount --make-private / or create new user NS
Slide 14. User namespace
● CLONE_NEWUSER
● CONFIG_USER_NS since 2.6.23
● Unprivileged since 3.8, still disabled by default
● a different UID/GID visible from within namespace than from outside
● all capabilities within namespace
  – limited by capabilities in parent namespace
● can be combined with other namespaces
● Mapping of ranges via /proc/<pid>/uid_map, /proc/<pid>/gid_map
  – Unprivileged user can map themselves
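Added example, not the deck's code: the user-namespace procedure on this slide in C. A child unshares into a new user and UTS namespace, writes the one-line mapping "0 <its own uid> 1" to /proc/self/uid_map (and, after denying setgroups, the same for gid_map), then changes the hostname, which only that UTS namespace sees; the parent checks that its own hostname is untouched. The hostname string and the names format_id_map, write_file, child_body and userns_uts_demo are my own. The setgroups step reflects a rule added in Linux 3.19, later than the deck: an unprivileged process must write "deny" to /proc/self/setgroups before it may write gid_map.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Formats one id-map line "<inside> <outside> <count>" in the format
 * /proc/<pid>/uid_map and gid_map accept. Returns the length written,
 * or -1 if buf is too small. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Writes text to an existing file such as /proc/self/uid_map. 0 on success. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Child: new user + UTS namespace, map own uid/gid to 0 inside, set the
 * hostname. Exit codes: 0 ok, 1 namespaces refused (disabled or
 * sandboxed), 2 other failure. */
static void child_body(const char *new_hostname)
{
    unsigned uid = (unsigned)geteuid(), gid = (unsigned)getegid();
    if (unshare(CLONE_NEWUSER | CLONE_NEWUTS) < 0) {
        int refused = errno == EPERM || errno == EACCES || errno == EINVAL ||
                      errno == ENOSYS || errno == ENOSPC || errno == EUSERS;
        _exit(refused ? 1 : 2);
    }
    char map[64];
    /* "0 <uid> 1": uid 0 inside the namespace is our unprivileged uid outside. */
    if (format_id_map(map, sizeof map, 0, uid, 1) < 0 ||
        write_file("/proc/self/uid_map", map) < 0)
        _exit(2);
    /* Required before gid_map since Linux 3.19; ENOENT on older kernels is harmless. */
    (void)write_file("/proc/self/setgroups", "deny");
    if (format_id_map(map, sizeof map, 0, gid, 1) < 0 ||
        write_file("/proc/self/gid_map", map) < 0)
        _exit(2);
    /* We hold CAP_SYS_ADMIN in the new user namespace, which owns the new UTS namespace. */
    if (sethostname(new_hostname, strlen(new_hostname)) < 0)
        _exit(2);
    _exit(geteuid() == 0 ? 0 : 2);   /* the mapping made us "root" in here */
}

/* Returns 0 if the child renamed its private UTS namespace and the
 * parent's hostname stayed the same, 1 if namespaces were refused,
 * -1 on any other failure. */
int userns_uts_demo(void)
{
    char before[256], after[256];
    if (gethostname(before, sizeof before) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        child_body("inside-userns");   /* constructed hostname; never returns */
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    if (WEXITSTATUS(st) == 1)
        return 1;
    if (WEXITSTATUS(st) != 0)
        return -1;
    if (gethostname(after, sizeof after) < 0)
        return -1;
    return strcmp(before, after) == 0 ? 0 : -1;
}

int main(void)
{
    int r = userns_uts_demo();
    printf(r == 0 ? "hostname changed only inside the child's UTS namespace\n"
         : r == 1 ? "unprivileged user namespaces are not available here\n"
                  : "unexpected failure\n");
    return r < 0;
}
```

The mapping file is written exactly once per namespace, and an unprivileged writer may only map its own uid (and gid) to a single id, which is the "Unprivileged user can map themselves" bullet; mapping a range, as the Future slide anticipates, needs help from a privileged helper outside the namespace.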
Slide 15. LXC: Lightweight containers
● Container management toolset
● Create namespaces
● Configure networking
● Resource management with control groups
● Integrated with libvirt
Slide 16. Docker
Slide 17. systemd-nspawn
● Quick way to boot a container
● Can be run from a service unit in a separate cgroup
Slide 18. Future
● CONFIG_USER_NS=y by default
● Userspace for multiple UIDs (ranges) per user
● Syslog namespace
Slide 19. Questions?
Slide 20. What else?
● Auditing & SELinux
● Checkpoint & Restore in userspace
● fakeroot
Slide 21. Further reading
● Configuring network namespaces with iproute2's ip netns:
  http://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/
● Mike Kerrisk's LWN series on namespaces:
  http://lwn.net/Articles/531114/
● Rami Rosen's great Namespaces/Cgroups lecture:
  http://www.haifux.org/lectures/299/netLec7.pdf
