LXC NSAttach
Transcript

Assignment 3: Namespace Attachment feature for LXC
Darshan Parmar 2014H112179P
Ankur Vashishtha 2014H112180P

1. Introduction:
The Namespace Attachment feature offers the facility to attach namespaces to the currently running process. It is an important feature which helps attach any namespace, such as network or UTS, and thereby achieves de-isolation. However, due to security concerns this feature should be used with utmost care.

2. Specification of Namespace Attachment feature:
Namespace: A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes. Linux Containers are built using namespaces. Linux provides the following namespaces:

   Namespace   Isolates
   1. IPC      System V IPC, POSIX message queues
   2. Network  Network devices, stacks, ports, etc.
   3. Mount    Mount points
   4. PID      Process IDs
   5. User     User and group IDs
   6. UTS      Hostname and NIS domain name

Namespace Attachment Specification
- The Namespace Attachment feature provides the facility of attaching a process to already existing namespaces using the setns() call, in addition to creating new namespaces.
- Each process exposes its namespaces via the /proc/<PROCESS_ID>/ns directory. The setns() system call uses file descriptors obtained from the files in that directory to attach to namespaces.
- It provides de-isolation of namespaces of Linux containers.
- Sharing resources among containers is easier.
- Efficient storage.
- Wastage of resources can be minimized.
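The attach mechanism the specification above describes, as an added example written for this page (it is not the presentation's lxc-attachns nor code from the Dived/dive project): it opens the /proc/<pid>/ns/<type> files named on the command line, joins each one with setns(2), and then execs the requested command. The -N path ... -- command syntax mirrors the lxc-attachns invocation shown on slide 5; the function names and the fallback constant definitions are this example's own assumptions, and joining another process's namespaces requires CAP_SYS_ADMIN on the host.

```c
/* Added example, not from the presentation or the Dived project:
 * a minimal namespace-attach tool built directly on setns(2). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fallbacks for toolchains whose <sched.h> hides the CLONE_* flags;
 * the values are the stable Linux ABI constants. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS  0x04000000
#endif
#ifndef CLONE_NEWIPC
#define CLONE_NEWIPC  0x08000000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWPID
#define CLONE_NEWPID  0x20000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET  0x40000000
#endif
int setns(int fd, int nstype);   /* glibc wrapper for the setns(2) system call */

/* Map the basename of a /proc/<pid>/ns/<type> path to the CLONE_NEW* flag
 * that setns(2) uses to verify the file really is a namespace of that type.
 * Returns -1 for an unrecognised type so that a typo is rejected early. */
int ns_flag_for_path(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (strcmp(base, "ipc") == 0)  return CLONE_NEWIPC;
    if (strcmp(base, "net") == 0)  return CLONE_NEWNET;
    if (strcmp(base, "uts") == 0)  return CLONE_NEWUTS;
    if (strcmp(base, "pid") == 0)  return CLONE_NEWPID;
    if (strcmp(base, "mnt") == 0)  return CLONE_NEWNS;
    if (strcmp(base, "user") == 0) return CLONE_NEWUSER;
    return -1;
}

/* Open one namespace file and join it. Returns 0 on success, -1 on error. */
int attach_namespace(const char *path)
{
    int flag = ns_flag_for_path(path);
    if (flag < 0) {
        fprintf(stderr, "%s: unknown namespace type\n", path);
        return -1;
    }
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) {
        perror(path);
        return -1;
    }
    int rc = setns(fd, flag);   /* needs CAP_SYS_ADMIN in the target's user namespace */
    if (rc < 0)
        perror("setns");
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    /* usage: attachns -N /proc/<pid>/ns/<type> [-N ...] -- command [args] */
    int i = 1;
    for (; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0) { i++; break; }
        if (strcmp(argv[i], "-N") == 0 && i + 1 < argc) {
            if (attach_namespace(argv[++i]) < 0)
                return 1;            /* stop: do not run the command half-attached */
        } else {
            fprintf(stderr, "usage: %s -N /proc/<pid>/ns/<type> ... -- command [args]\n", argv[0]);
            return 2;
        }
    }
    if (i >= argc) {
        fprintf(stderr, "no command given after --\n");
        return 2;
    }
    execvp(argv[i], &argv[i]);
    perror("execvp");
    return 1;
}
```

Because setns() changes the calling process before the exec, the command that follows `--` starts with the host process's identity but the container's view of the selected namespaces; that is exactly the de-isolation the introduction warns about, so a failed setns() must abort rather than fall through to exec.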
2. Use-Cases of Namespace Attachment feature
1. When security (and therefore complete isolation) is not needed.
2. At early stages of system deployment, where no external access to the system is enabled yet.
3. When breaking the isolation is the best way to attain something, and the security impact of the step away from isolation is carefully reviewed and approved.
4. In development/testing.

Notes: Security needs to be thorough when using this mode. If a container is "infected" but the host is not, then using such a trick may open a door to infect the host as well, so there should be warnings that this tool de-isolates the container from the host; whether that is appropriate or not is up to the sysadmin to decide.

3. Design Notes
Features to manage namespaces for containers are provided by the Dived utility library, https://github.com/vi/dive. We used the namespace functionality of this library by stripping down the remaining part of the library and integrating it with the LXC container.
1. Selection of the feature: Our aim was to find a feature which is not currently provided by LXC. Namespace attachment is an important feature which provides de-isolation between host and container.
2. Stripping down the Dived library: The Dived/Dive library works on the client-server model. The architecture of the library is shown in Figure 1 (Dive library architecture). We went with the attachns feature and worked with the dived module only, while the remaining part of the library was stripped.
3. Integration of NMT library with LXC Container
1. Copy all .c files from the divens folder to <LXC_HOME>/src/lxc
2. Edit LXC/src/lxc/Makefile.am to make the necessary changes for adding the extra lxc-attachns feature:
   - Add lxc-attachns to bin_PROGRAMS
   - Add dived.c, safer.c and recv_fd.c to lxc_source
3. Re-compile the source code using the commands below:
   autogen.sh
   ./configure
   make
   make install (which in turn installs our new feature)
Figure 2. Architecture of LXC container with namespace feature
4. Execution/Testing steps:
1. Create an LXC container, say alice1, with the Ubuntu template:
   lxc-create -t ubuntu -n alice1
2. Make necessary changes to the configuration file if required (e.g. changing the AppArmor security setting).
3. Start the LXC container by executing the following command, which will start/boot the container:
   lxc-start -n alice1
4. Go to the container console by executing the following command:
   lxc-console -n alice1
5. Log into the container with username: ubuntu and password: ubuntu
6. Become root in the container with sudo su
7. Start any process in the container, say cat >qwerty
8. Find out the process id of the currently running shell inside the container. Since the container process-id space and the host process-id space are different, we need to find the mapping between the container process-id and the host process-id.
9. Execute the following commands on the host system to find the mapping between host and container process ids, and find the process id associated with the shell of the cat process:
   lsof -n | grep qwerty
   ps aux -H | grep -B 4 2456
10. Find out the namespaces you want to associate with the current process.
   Namespaces of the container process (here 1751 is the process id of the shell running in the container, in the host process-id space):
   ls -l /proc/1751/ns/
   Namespaces associated with the host:
   ls -l /proc/self/ns/
11. Select whatever container namespaces you want to attach to the current Linux terminal (e.g. here I am attaching the IPC, Network and UTS namespaces to the current terminal):
   lxc-attachns -N /proc/5777/ns/ipc -N /proc/5777/ns/net -N /proc/5777/ns/uts -- /bin/bash
12. Check the terminal and verify that those namespaces have been attached to the currently running terminal.

5. Future work
- Namespace attachment can be done at a higher level by providing just the name of the namespace, rather than searching through the process mapping between host and container.
- Other related features of Dived can be integrated.

6. References
1. https://github.com/vi/dive/
2. http://www.linuxjournal.com/content/linux-containers-and-future-cloud
3. https://linuxcontainers.org/lxc/articles/
4. https://github.com/lxc/lxc
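Step 12 ("verify that those namespaces have been attached") and the warning on slide 2 both come down to the same check: does a given host process now share a namespace with the container? The added example below is written for this page (not part of the presentation or the Dived project) and does that check programmatically instead of eyeballing `ls -l /proc/<pid>/ns/`. Every /proc/<pid>/ns/<type> entry is a symlink whose target reads "<type>:[<inode>]", and two processes are in the same namespace exactly when the inode numbers match. Function names are this example's own; it assumes a Linux host with /proc mounted.

```c
/* Added example, not from the presentation or the Dived project:
 * compare namespace identities of two processes via /proc/<pid>/ns. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse the target text of an ns symlink, e.g. "net:[4026531992]".
 * Returns the inode number, or 0 if the text is not in that form. */
unsigned long parse_ns_link(const char *target)
{
    const char *open = strchr(target, '[');
    if (!open)
        return 0;
    char *end = NULL;
    unsigned long ino = strtoul(open + 1, &end, 10);
    if (end == open + 1 || *end != ']')
        return 0;
    return ino;
}

/* Inode of /proc/<pid>/ns/<type>, or 0 if it cannot be read
 * (no such pid, no /proc, or insufficient permission). */
unsigned long ns_inode(pid_t pid, const char *type)
{
    char path[64], target[64];
    snprintf(path, sizeof path, "/proc/%ld/ns/%s", (long)pid, type);
    ssize_t n = readlink(path, target, sizeof target - 1);
    if (n < 0)
        return 0;
    target[n] = '\0';
    return parse_ns_link(target);
}

/* 1 if both pids share the namespace <type>, 0 if they differ, -1 on error. */
int same_namespace(pid_t a, pid_t b, const char *type)
{
    unsigned long ia = ns_inode(a, type), ib = ns_inode(b, type);
    if (ia == 0 || ib == 0)
        return -1;
    return ia == ib;
}

int main(int argc, char **argv)
{
    /* usage: nscheck <pid-as-seen-from-host> [type ...]
     * Run from the terminal that was attached: "shared" confirms step 12;
     * run against a shell that should NOT be attached, "shared" is a finding. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <pid> [type ...]\n", argv[0]);
        return 2;
    }
    pid_t other = (pid_t)strtol(argv[1], NULL, 10);
    const char *defaults[] = { "ipc", "net", "uts", "pid", "mnt", "user" };
    int ntypes = argc > 2 ? argc - 2 : 6;
    for (int i = 0; i < ntypes; i++) {
        const char *type = argc > 2 ? argv[2 + i] : defaults[i];
        int r = same_namespace(getpid(), other, type);
        printf("%-5s %s\n", type, r < 0 ? "unreadable" : r ? "shared" : "separate");
    }
    return 0;
}
```

With the numbers from slide 4, `nscheck 1751` run inside the terminal after step 11 should report ipc, net and uts as "shared" and pid, mnt and user as "separate", which is a more reliable confirmation than comparing two `ls -l` listings by hand; the same program run periodically over host shells is a cheap way to notice a terminal that has been left de-isolated.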

