Introduction to Linux namespaces, containers.

1. Namespaces in Linux
Ľubomír Rintel
GoodData Q1 off-site Harrachov 2014

2. UNIX processes
●
Virtualization
–
–
●
Virtual CPU and memory
Consistently accessible devices
Shared resources
–
Runtime configuration
–
Communication channels
–
Filesystem
–
Privileges, credentials
pid_t pid = fork ();
if (pid) {
<parent>
} else {
<child>
}

3. What about threads?

4. Sharing more
●
Sharing resources and state
–
Address space
–
Signal handlers
–
Open file handles
–
CWD, umask(), ...

5. Linux processes
●
Threads are processes
●
Process: own resources & state
●
Thread: shared resources & state
pid_t pid = clone (<what_to_share>);
CLONE_VM
Address space
CLONE_FILES Open files
CLONE_FS
CWD, umask(), ...
...
SEE ALSO: unshare(2)

6. ...and what about containers?

7. Containers
●
Virtualization
●
Less sharing
●
More separation
Sharing is not caring.
Your mother was wrong!

8. Namespaces
●
Containers are to processes what processes are
to threads
pid_t pid = clone (<what_to_share>);
CLONE_NEWUTS
Hostname, domainname
CLONE_NEWIPC
SysV IPC objects
CLONE_NEWPID
Process IDs
CLONE_NEWNET
Network configuration
CLONE_NEWNS
File system mounts
CLONE_NEWUSER
User and Group IDs
SEE ALSO: setns(2)

9. UTS namespace
●
CLONE_NEWUTS
●
CONFIG_UTS_NS since Linux 2.6.19
●
needs CAP_SYS_ADMIN
●
hostname
●
domainname

10. SysV IPC namespace
●
CLONE_NEWIPC
●
CONFIG_IPC_NS since 2.6.19
●
Obsolete System V UNIX IPC mechanisms:
●
semaphores
●
shared memory
●
message queues

11. PID namespace
●
CLONE_NEWPID
●
CONFIG_PID_NS since Linux 2.6.24
●
●
a different PID visible from within namespace
than from outside
new PID 1

12. Network namespace
●
CLONE_NEWNET
●
CONFIG_NET_NS since Linux 2.6.29
●
separate network stack
–
–
nftables/netfilter rules
–
●
network addresses
loopback interface for namespace
veth interface (CONFIG_VETH), ip netns

13. Mount namespace
●
CLONE_NEWNS
●
First namespace, since 2.4.19
●
/proc/<pid>/mounts instead of /proc/mounts
●
In Fedora, run mount --make-private /
or create new user NS

14. User namespace
●
CLONE_NEWUSER
●
CONFIG_USER_NS since 2.6.23
●
Unprivileged since 3.8, still disabled by default
●
a different UID/GID visible from within namespace than from outside
●
all capabilities within namespace
–
limited by capabilities in parent namespace
●
can be combined with other namespaces
●
Mapping of ranges via /proc/<pid>/uid_map /proc/<pid>/gid_map
–
Unprivileged user can map theirselves

15. LXC: Lightweight containers
●
Container management toolset
●
Create namespaces
●
Configure networking
●
Resource management with control groups
●
Integrated with libvirt

16. Docker

17. systemd-nspawn
●
●
Quick way to boot a container
Can be run from a service unit in a separate
cgroup

18. Future
●
CONFIG_USER_NS=y by default
●
Userspace for multiple UIDs (ranges) per user
●
Syslog namespace

19. Questions?

20. What else?
●
Auditing & SELinux
●
Checkpoint & Restore in userspace
●
fakeroot

21. Further reading
●
●
●
Configuring network namespaces with iproute2's
ip netns:
http://blog.scottlowe.org/2013/09/04/introduci
ng-linux-network-namespaces/
Mike Kerrisk's LWN series on namespaces:
http://lwn.net/Articles/531114/
Rami Rosen's great Namespaces/Cgroups lecture
http://www.haifux.org/lectures/299/netLec7.pdf