Namespace in Linux

This post is from a new, low-reputation account and contains an unverified outbound link. Be cautious before clicking external links.

Namespace in Linux

bluefriday(25)

Published in

#namespace

Words

Reading

0 min

Listen

Play

2018-02-06 01:10

Linux Namesapce

Lightweight process virtualization technology that provides an isolated environment within the same system, using each separate, independent space.
Unlike the hypervisor that virtualizes hardware, it is a technology that operates on the same OS but distinguishes itself from the execution environment itself.
Technically, it uses the unshare() and setns() system calls, and implement the six constant flags described below by passing them to the clone (), unshare (), and setns () system calls.

namespace	describe
mnt	CLONE_NEWNS
uts	CLONE_NEWUTS
ipc	CLONE_NEWIPC
pid	CLONE_NEWPID
usr	CLONE_NEWUSER
net	CLONE_NEWNET

1.Mount namespace

Started at 2002 kernel 2.4.19
It specify that the process and its child processes use different file system mount points
By default, process share the same namespace, so any process is aware that the file system is mounted or unmounted. However, if the CLONE_NEWNS flag is passed when creating a process through the clone () system call, the newly created process gets a copy of the mount tree that the calling process has.

This copy allows the newly created process to make changes, such as mounting or unmounting the file system, without affecting the parent process.

At the time this copy was created, the mount and unmount of the default namespace for the file system is visible to all processes. And changes in each process-specific mount namespace are not known outside the process's namespace.

1-1. Exam : MNT Namespace

Unmount the namespace before mounting.

[root@localhost/]# mkdir /tmp/mount_ns
[root@localhost/]#
[root@localhost/]# unshare -m /bin/bash

* unshare : How to separate namespaces
*            -m : Mount Namespace

Use the readlink command to check the mount information of the current process.

[root@localhost/] # readlink /proc/$$/ns/mnt
mnt: [4026532190]
[root@localhost/] #

* readlink : follows the origin of the symbolic link.
*             $$ : Process ID of the current bash shell
*     /proc/ : Various real-time information and files stored in the system.
      (In Linux, the virtual file system is located in the virtual reality storage memory.)

Check the tmpfs file system for file system information.

[root@localhost/] # mount -n -t tmpfs tmpfs / tmp / mount_ns
[root@localhost/] #
[root@localhost/] # df -h | grep mount_ns
tmpfs 1.9G 0 1.9G 0% / tmp / mount_ns

* mount -n option : setting for /etc/mtab (/etc/mtab : mount information of current system)
* mount -t tmpfs Option : Verify file system mount
* df                                            : Display file system
* df -h                                       : human readable option

Please check the file system information further.

[root@localhost/] # cat /proc/mounts | grep mount_ns
tmpfs/tmp/mount_ns tmpfs rw, seclabel, relatime 0 0
[root@localhost/] #

Check again.
Separate mounted file systems are invisible.

[root@localhost~] #
[root@localhost~] # readlink /proc/$$/ns/mnt
mnt: [4026531840]
[root@localhost~] # cat/proc/mounts | grep mount_ns
[root@localhost~] # df -h | grep mount_ns
[root@localhost~] #

2. UTS namespace

Unix Timesharing Namespace
The host's identifier is used to maintain the host name and domain name.
Data functions for most applications
Using the -u option to the unshare command

2-1. Exam : UTS namespace

First, let's check the hostname of the first session.

[root@localhost ~]# hostname
localhost.localdomain
[root@localhost ~]#

Then use the unshare -u command to split the UTS namespace.
After partitioning, make sure that the hostname has changed after setting the new hostname.

[root@localhost ~]# unshare -u /bin/bash
[root@localhost ~]# hostname uts-namespace
[root@localhost ~]#
[root@localhost ~]# hostname
uts-namespace
[root@localhost ~]# cat /proc/sys/kernel/hostname
uts-namespace
[root@localhost ~]#

If you open a new session again and check the hostname, you can see that the hostname in the namespace you just separated is not visible.

[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# hostname
localhost.localdomain
[root@localhost ~]#

3. IPC namespace

Provides the ability to exchange inter-process data and synchronize work between processes and threads
Provides access controls (primitives) for resources such as semaphores, file locking, and mutexes.
Need to separate actual process from container

4. PID namespace

Manage by dividing process ID
Independent addition of PID 1 which only the init process can have
Not only the init process but also several processes can run without PID conflict on the same OS

5. USR namespace

Allow processes to have different user and group IDs between namespace and default namespace
introduced in kernel v3.8 and not yet supported by many systems
Processes with unauthorized IDs can be run as root in the container they create

6. NET namespace

Isolate networking resources such as network devices, addresses, routes and firewall rules
Effectively create a logical copy of the network stack, allowing multiple namespaces to serve multiple services on the same port
It can be implemented by using iproute2 package etc.

6-1. Exam : NET namespace

You can see the lo and enp0s3 interfaces by querying the current interface using the ip command.

[root@localhost ~]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
            ...(skip)
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
            ...(skip)
[root@localhost ~]#

The path from the root network namespace can be seen below.

[root@localhost ~]#
[root@localhost ~]# ip r s
default via 10.0.2.2 dev enp0s3 proto static metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
            ...(skip)
[root@localhost ~]#

Now create two new network namespaces.

[root@localhost ~]#
[root@localhost ~]# ip netns add ns1
[root@localhost ~]# ip netns add ns2
[root@localhost ~]#
[root@localhost ~]# ip netns
ns2
ns1
[root@localhost ~]#

It then launches a new network command within the new namespace.
Within the new namespace network, you can see that there is only one loopback interface.

[root@localhost ~]# ip netns exec ns1 ip link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
[root@localhost ~]#

Further investigation

kernel/nsproxy.c analysis

Namespace in Linux

Linux Namesapce

1.Mount namespace

1-1. Exam : MNT Namespace

2. UTS namespace

2-1. Exam : UTS namespace

3. IPC namespace

4. PID namespace

5. USR namespace

6. NET namespace

6-1. Exam : NET namespace

Further investigation

Reference