Namespace kinds:
- Mount (mnt)
  - CLONE_NEWNS
  - clone(child_fn, child_stack+1048576, CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWNS | SIGCHLD, NULL)
- Process ID (pid)
  - CLONE_NEWPID
  - pid_t child_pid = clone(child_fn, child_stack+1048576, CLONE_NEWPID | SIGCHLD, NULL);
- Network (net)
  - CLONE_NEWNET
  - pid_t child_pid = clone(child_fn, child_stack+1048576, CLONE_NEWPID | CLONE_NEWNET | SIGCHLD, NULL);
  - $ ip link add name veth0 type veth peer name veth1 netns <pid>
- Interprocess Communication (ipc)
  - CLONE_NEWIPC
  - Processes get their own interprocess communication resources, i.e. System V IPC objects and POSIX message queues.
- UTS
  - CLONE_NEWUTS
  - Isolates two system identifiers: nodename and domainname.
  - pid_t child_pid = clone(child_fn, child_stack+1048576, CLONE_NEWUTS | SIGCHLD, NULL);
- User ID (user)
  - CLONE_NEWUSER
  - Allows a process to have root privileges within the namespace, without giving it that access to processes outside of the namespace.
- Control group (cgroup)
  - CLONE_NEWCGROUP
- Time namespace
  - The process can have a distinct view of CLOCK_MONOTONIC and/or CLOCK_BOOTTIME; the offsets can be changed through /proc/self/timens_offsets.
  - man: time_namespaces
Three syscalls can directly manipulate namespaces (and ioctl(2) can query them):
- clone(2): flags specify which new namespaces the new child process is placed into.
- unshare(2): allows the caller process (or thread) to disassociate parts of its execution context that are currently shared with other processes (or threads), and puts the caller itself into the NEW namespace (except for PID: unshare(CLONE_NEWPID) does not move the caller).
- setns(2): the caller process joins a particular namespace through an FD (except for PID: with setns the caller stays put and its subsequently created children are placed into the new PID namespace).
- ioctl(2): various ioctl(2) operations can be used to discover information about namespaces. These operations are described in ioctl_ns(2).
Cross-Namespace Communication:
- Create the child process in a new PID namespace first.
- Since child and parent still share the same network namespace at that moment, the child (in its new PID namespace) can establish a unix socket FD first and only then call unshare() to create a new network namespace; the socket keeps working across the boundary.
Creation of new namespaces using clone(2) and unshare(2) in most cases requires the CAP_SYS_ADMIN capability, since, in the new namespace, the creator will have the power to change global resources that are visible to other processes that are subsequently created in, or join the namespace.
User namespaces are the exception: since Linux 3.8, no privilege is required to create a user namespace.
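An added example, not from the original post, that puts the clone() calls above together with the user-namespace exception: the child is cloned into new user, UTS and PID namespaces (so no CAP_SYS_ADMIN is needed in the parent), changes its hostname and checks that it sees itself as PID 1, and the parent verifies the hostname change did not leak out. The function names and the "isolated-host" string are my own; where the kernel or a seccomp/sysctl policy refuses unprivileged namespace creation, clone() fails with EPERM and the function returns that instead of pretending isolation was tested.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];   /* clone() needs a caller-supplied stack; grows down */

/* Child: runs inside the new UTS + PID namespaces. Exit code reports what it saw:
 * 0 = ok, 1 = sethostname() refused, 2 = not PID 1 in its own PID namespace. */
static int child_fn(void *arg) {
    const char *name = arg;
    if (sethostname(name, strlen(name)) != 0) return 1;   /* needs CAP_SYS_ADMIN in the user ns owning the UTS ns */
    if (getpid() != 1) return 2;                           /* first process of a new PID namespace is PID 1 */
    return 0;
}

/* Parent: returns 0 when the child's checks passed and the parent's own hostname is
 * unchanged, 1/2 from the child above, 3 if the hostname change leaked into the parent,
 * or -errno when clone()/waitpid() failed (typically -EPERM under seccomp or sysctl limits). */
int run_uts_pid_isolation(void) {
    char before[256], after[256];
    if (gethostname(before, sizeof before) != 0) return -errno;
    /* CLONE_NEWUSER is created first, which is what lets an unprivileged caller also
     * request CLONE_NEWUTS | CLONE_NEWPID in the same call (Linux >= 3.8). */
    pid_t pid = clone(child_fn, child_stack + STACK_SIZE,
                      CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWPID | SIGCHLD,
                      (void *)"isolated-host");            /* constructed sample hostname */
    if (pid == -1) return -errno;
    int status;
    if (waitpid(pid, &status, 0) == -1) return -errno;
    if (!WIFEXITED(status)) return -ECHILD;
    if (WEXITSTATUS(status) != 0) return WEXITSTATUS(status);
    if (gethostname(after, sizeof after) != 0) return -errno;
    return strcmp(before, after) == 0 ? 0 : 3;             /* 3 would mean UTS isolation failed */
}

int main(void) {
    int rc = run_uts_pid_isolation();
    if (rc < 0) fprintf(stderr, "namespace creation failed: %s\n", strerror(-rc));
    else printf("isolation check result: %d (0 = hostname change stayed inside the child)\n", rc);
    return rc != 0;
}
```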
reference:
http://man7.org/linux/man-pages/man7/namespaces.7.html
https://www.toptal.com/linux/separation-anxiety-isolating-your-system-with-linux-namespaces
How to list all namespaces:
https://unix.stackexchange.com/a/113561
read:
Linux Namespaces and Go Don't Mix
The Curious Case of Pid Namespaces:
- From TLPI Ch.20.5 (p.402)
- The init process (process ID 1), which runs with user and group of root, is a special case. It can be sent only signals for which it has a handler installed. This prevents the system administrator from accidentally killing init, which is fundamental to the operation of the system.
- https://github.com/krallin/tini
- https://docs.docker.com/engine/reference/run/#specify-an-init-process