Namespaces in Linux

DESCRIPTION

Introduction to Linux namespaces, containers.

1. Namespaces in Linux
   Ľubomír Rintel, GoodData Q1 off-site, Harrachov 2014

2. UNIX processes
   Virtualization: virtual CPU and memory, consistently accessible devices
   Shared resources: runtime configuration, communication channels, filesystem, privileges, credentials
   pid_t pid = fork ();
   if (pid) { /* parent */ } else { /* child */ }

3. What about threads?

4. Sharing more
   Sharing resources and state: address space, signal handlers, open file handles, CWD, umask(), ...

5. Linux processes
   Threads are processes
   Process: own resources & state
   Thread: shared resources & state
   pid_t pid = clone (fn, stack, flags, arg);
   CLONE_VM      address space
   CLONE_FILES   open files
   CLONE_FS      CWD, umask(), ...
   ...
   SEE ALSO: unshare(2)

6. ...and what about containers?

7. Containers
   Virtualization
   Less sharing
   More separation
   Sharing is not caring. Your mother was wrong!

8. Namespaces
   Containers are to processes what processes are to threads
   pid_t pid = clone (fn, stack, flags, arg);
   CLONE_NEWUTS   hostname, domainname
   CLONE_NEWIPC   SysV IPC objects
   CLONE_NEWPID   process IDs
   CLONE_NEWNET   network configuration
   CLONE_NEWNS    file system mounts
   CLONE_NEWUSER  user and group IDs
   SEE ALSO: setns(2)

9. UTS namespace
   CLONE_NEWUTS, CONFIG_UTS_NS, since Linux 2.6.19
   Needs CAP_SYS_ADMIN
   hostname, domainname

10. SysV IPC namespace
   CLONE_NEWIPC, CONFIG_IPC_NS, since 2.6.19
   Obsolete System V UNIX IPC mechanisms: semaphores, shared memory, message queues

11. PID namespace
   CLONE_NEWPID, CONFIG_PID_NS, since Linux 2.6.24
   A different PID is visible from within the namespace than from outside
   New PID 1

12. Network namespace
   CLONE_NEWNET, CONFIG_NET_NS, since Linux 2.6.29
   Separate network stack: nftables/netfilter rules, network addresses, loopback interface for the namespace
   veth interface (CONFIG_VETH), ip netns

13. Mount namespace
   CLONE_NEWNS
   First namespace, since 2.4.19
   /proc//mounts instead of /proc/mounts
   In Fedora, run mount --make-private / or create a new user NS

14. User namespace
   CLONE_NEWUSER, CONFIG_USER_NS, since 2.6.23
   Unprivileged since 3.8, still disabled by default
   A different UID/GID is visible from within the namespace than from outside
   All capabilities within the namespace are limited by the capabilities in the parent namespace
   Can be combined with other namespaces
   Mapping of ranges via /proc//uid_map and /proc//gid_map
   An unprivileged user can map themselves

15. LXC: Lightweight containers
   Container management toolset
   Create namespaces
   Configure networking
   Resource management with control groups
   Integrated with libvirt

16. Docker

17. systemd-nspawn
   Quick way to boot a container
   Can be run from a service unit in a separate cgroup

18. Future
   CONFIG_USER_NS=y by default
   Userspace for multiple UIDs (ranges) per user
   Syslog namespace

19. Questions?

20. What else?
   Auditing & SELinux
   Checkpoint & Restore in userspace
   fakeroot

21. Further reading
   Configuring network namespaces with iproute2's ip netns: http://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/
   Mike Kerrisk's LWN series on namespaces: http://lwn.net/Articles/531114/
   Rami Rosen's great Namespaces/Cgroups lecture: http://www.haifux.org/lectures/299/netLec7.pdf
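Putting slides 8, 11 and 14 together as an added example (my code, not from the talk): a C program that clones a child into new user, UTS and PID namespaces as an unprivileged user, writes the uid_map line described on slide 14 so the child becomes UID 0 inside, and checks that the child is PID 1, can set its hostname, and that the parent's hostname is untouched. The hostname "nsdemo", the numeric status codes and the NS_UNAVAILABLE result for kernels that still refuse unprivileged user namespaces are this example's own conventions.

```c
#define _GNU_SOURCE                  /* must come before the first include to expose clone() */
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#ifndef CLONE_NEWUSER
#include <linux/sched.h>             /* CLONE_* flags if _GNU_SOURCE was set too late */
#endif
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

enum { NS_OK = 0, NS_UNAVAILABLE = 2 };   /* NS_UNAVAILABLE is this example's convention */
static char child_stack[256 * 1024];
static int sync_pipe[2];

/* Runs inside the new user, UTS and PID namespaces; arg is the hostname to set. */
static int child(void *arg) {
    char buf[64] = {0};
    close(sync_pipe[1]);
    if (read(sync_pipe[0], buf, 1) < 0) return 13;   /* wait until the parent wrote uid_map */
    if (getpid() != 1 || getuid() != 0) return 10;   /* PID 1 and UID 0, but only in here */
    /* CAP_SYS_ADMIN in the new user namespace permits changing the namespaced hostname */
    if (sethostname(arg, strlen(arg)) != 0) return 11;
    if (gethostname(buf, sizeof buf - 1) != 0 || strcmp(buf, arg) != 0) return 12;
    return NS_OK;
}

/* Creates the namespaces without privileges and returns the child's exit code;
   NS_UNAVAILABLE means the kernel refused to create or configure the user namespace. */
int run_isolated(const char *hostname) {
    char path[64], line[64], before[64] = {0}, after[64] = {0};
    if (gethostname(before, sizeof before - 1) != 0) return -1;
    if (pipe(sync_pipe) != 0) return -1;
    pid_t pid = clone(child, child_stack + sizeof child_stack,
                      CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWPID | SIGCHLD, (void *)hostname);
    if (pid < 0) { close(sync_pipe[0]); close(sync_pipe[1]); return NS_UNAVAILABLE; }
    /* "inside outside count": map our real UID to 0 in the child's user namespace (one write) */
    snprintf(path, sizeof path, "/proc/%d/uid_map", (int)pid);
    int n = snprintf(line, sizeof line, "0 %u 1\n", (unsigned)getuid());
    int fd = open(path, O_WRONLY);
    int mapped = fd >= 0 && write(fd, line, n) == n; if (fd >= 0) close(fd);
    close(sync_pipe[1]); close(sync_pipe[0]);           /* EOF on the pipe releases the child */
    int status = 0; waitpid(pid, &status, 0);
    if (gethostname(after, sizeof after - 1) != 0) return -1;
    if (!mapped) return NS_UNAVAILABLE;
    if (strcmp(before, after) != 0) return 20;          /* the parent's hostname must be untouched */
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The same isolation is what `unshare -Ur` gives you from a shell; the C version makes the ordering visible: the child must block until the parent has written uid_map, or it would still be the unmapped overflow UID inside.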