LSA2 - 02 Namespaces


Linux Namespaces

Why do we need that?

What namespaces do we have?

UTS namespace

User namespace

PID namespace

IPC namespace

Mount namespace

Network namespace

Kernel configuration?

General Setup -> Namespaces support -> *

CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y

Software implementation

#include <sched.h>

int clone(int (*fn)(void *), void *child_stack, int flags, void *arg,
          ... /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ );

clone() creates a new process...

Namespace flags:
CLONE_NEWUTS
CLONE_NEWIPC
CLONE_NEWNET
CLONE_NEWPID
CLONE_NEWNS
CLONE_NEWUSER

Software implementation

#include <sched.h>

int setns(int fd, int nstype);

Given a file descriptor referring to a namespace, reassociate the calling thread with that namespace.

Supports:
CLONE_NEWIPC CLONE_NEWNET CLONE_NEWUTS

UTS namespace

The server is installed in Chicago.
Timezone: North America -> US -> Chicago
App requires timezone: Europe -> London

If the app cannot handle the timezone change on its own... we have three choices:
1. Create a chrooted environment with a different default timezone
2. Create a virtual machine and put the app there
3. Create a new UTS namespace and start the app in it

User namespace

User authentication and mapping files:
/etc/passwd
/etc/group
/etc/shadow

- What if we want to create a username called pesho, but such user already exists?
- What if we want to create user joan with UID 1005, but there is already user pesho with UID 1005?

IPC namespace

Unix/Linux IPCs
- unix domain sockets
- shared memory
- semaphores
- message queues

/proc/PID/fd/
|- 3 -> socket:[3537]

IPC namespace

Unix/Linux IPCs
- unix domain sockets
- shared memory
- semaphores
- message queues

key        shmid      owner    perms bytes    nattch
0x0052e2c1 1139834880 postgres 600   37879808 4

Network namespace

- IP
- IPv6
- Routing
- TCP
- UDP
- SCTP
- DCCP
- RDS

Having a separate loopback device for a process

Or simply test the MySQL server on the same IP

Completely different routing for a process

Mount namespace

The most complex one... having only one / is a problem...

- at around 22000 mounts everything on your machine starts to lag... no matter how many cores or how much RAM you have :(

- having a different /proc/mounts per process would be nice and very interesting to implement... :)

PID namespace

Migration of processes between machines (CRIU)
It allows you to have two or more processes running with the same PID.
PID - is the PID on the host machine
NSPID - is the PID that the process sees

PID   NSPID
1421  5420   ssh-agent
1730  5420   xchat
1756  5420   firefox
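The clone() call from the "Software implementation" slides and the PID/NSPID distinction above, as one added worked example (this is not code from the slides). It clones a child into new user, UTS and PID namespaces at once: CLONE_NEWUSER first gives the child CAP_SYS_ADMIN in its own user namespace, which is what lets an unprivileged caller also request CLONE_NEWUTS and CLONE_NEWPID. Inside, the child changes the hostname and reads its own PID, then reports both back over a pipe; the parent keeps its original hostname and sees the child under a different, host-wide PID. The kernel's UTS namespace isolates the uname(2) fields (hostname and NIS domain name), so hostname is what the example changes. It assumes a Linux kernel with CONFIG_USER_NS=y that allows unprivileged user namespaces; where that is disabled (or a seccomp policy denies it) the function reports status 1 instead of failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)

/* What the child observes from inside its new namespaces. */
struct ns_report {
    char hostname[64];    /* gethostname() inside the new UTS namespace */
    pid_t nspid;          /* getpid() inside the new PID namespace */
};

struct child_args {
    const char *hostname; /* hostname to set inside the new UTS namespace */
    int pipe_fd;          /* write end of the pipe back to the parent */
};

/* Runs in the new namespaces. Exit 2: hostname change refused; 3: report failed. */
static int child_fn(void *arg)
{
    struct child_args *a = arg;
    struct ns_report r;
    memset(&r, 0, sizeof r);
    if (sethostname(a->hostname, strlen(a->hostname)) != 0)
        return 2;
    if (gethostname(r.hostname, sizeof r.hostname) != 0)
        return 3;
    r.hostname[sizeof r.hostname - 1] = '\0';
    r.nspid = getpid();   /* first process of a new PID namespace sees PID 1 */
    if (write(a->pipe_fd, &r, sizeof r) != (ssize_t)sizeof r)
        return 3;
    return 0;
}

/* Returns 0 on success (*out and *host_pid filled in), 1 when this kernel or
 * sandbox does not let an unprivileged process create/use these namespaces
 * (EPERM/EINVAL/ENOSYS), -1 on any other failure. */
int run_in_new_namespaces(const char *hostname, struct ns_report *out,
                          pid_t *host_pid)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    char *stack = malloc(STACK_SIZE);
    if (stack == NULL) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    struct child_args a = { hostname, fds[1] };

    /* The stack grows downwards, so clone() is handed the top of the buffer.
     * SIGCHLD makes the child reapable with a plain waitpid(). */
    pid_t pid = clone(child_fn, stack + STACK_SIZE,
                      CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWPID | SIGCHLD, &a);
    if (pid == -1) {
        int rc = (errno == EPERM || errno == EINVAL || errno == ENOSYS) ? 1 : -1;
        close(fds[0]); close(fds[1]); free(stack);
        return rc;
    }
    close(fds[1]);                       /* parent keeps only the read end */

    struct ns_report r;
    ssize_t n = read(fds[0], &r, sizeof r);
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    free(stack);

    if (WIFEXITED(status) && WEXITSTATUS(status) == 2)
        return 1;                        /* namespaces made, sethostname refused by policy */
    if (n != (ssize_t)sizeof r || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    *out = r;
    *host_pid = pid;                     /* the PID the host sees for the same process */
    return 0;
}

int main(void)
{
    struct ns_report r;
    pid_t host_pid = 0;
    int rc = run_in_new_namespaces("ns-demo", &r, &host_pid);
    if (rc == 0)
        printf("host PID %d, NSPID %d, hostname inside: %s\n",
               (int)host_pid, (int)r.nspid, r.hostname);
    else if (rc == 1)
        puts("unprivileged namespace creation is not permitted here");
    else
        puts("unexpected error");
    return rc < 0;
}
```

When it succeeds, the child reports NSPID 1 and the hostname "ns-demo", while the parent's clone() return value is the host PID and the parent's own hostname is untouched: the same process has two PIDs, exactly the PID/NSPID pair the table above describes. The three-way return value matters for a defender reading this: a hardened host (no unprivileged user namespaces, or a seccomp profile that denies clone() with namespace flags) should produce status 1, not a crash, and that is also the setting to check when deciding whether untrusted code on a machine can create its own namespaces.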