5. Linux processes
● Threads are processes
● Process: own resources & state
● Thread: shared resources & state

pid_t pid = clone(<what_to_share>);

CLONE_VM     Address space
CLONE_FILES  Open files
CLONE_FS     CWD, umask(), ...
...

SEE ALSO: unshare(2)
8. Namespaces
● Containers are to processes what processes are to threads

pid_t pid = clone(<what_to_share>);

CLONE_NEWUTS   Hostname, domainname
CLONE_NEWIPC   SysV IPC objects
CLONE_NEWPID   Process IDs
CLONE_NEWNET   Network configuration
CLONE_NEWNS    File system mounts
CLONE_NEWUSER  User and Group IDs

SEE ALSO: setns(2)
14. User namespace
● CLONE_NEWUSER
● CONFIG_USER_NS since 2.6.23
● Unprivileged since 3.8, still disabled by default
● A process's UID/GID as seen from within the namespace differs from its UID/GID as seen from outside
● All capabilities within the namespace
  – limited by the capabilities held in the parent namespace
● Can be combined with other namespaces
● Mapping of ranges via /proc/<pid>/uid_map and /proc/<pid>/gid_map
  – An unprivileged user can map themselves
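The clone() flags from slide 8 and the uid_map/gid_map mapping from this slide, put together as an added example (not code from the original deck): the parent clones a child into new user, UTS and PID namespaces, maps its own UID/GID to 0 inside, and the child checks that it is pid 1, uid 0 and may set the namespaced hostname. The function names, the pipe used for synchronisation and the fallback CLONE_* values are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER   /* glibc hides clone() and CLONE_NEW* unless _GNU_SOURCE preceded its first header */
#define CLONE_NEWUTS  0x04000000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);
#endif
/* One "<inside> <outside> <count>" line, the form uid_map and gid_map accept. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count) {
    return snprintf(buf, len, "%u %u %u\n", inside, outside, count);
}
/* Write data to /proc/<pid>/<name>; 0 on success, -1 on any failure. */
int write_proc(pid_t pid, const char *name, const char *data) {
    char path[64]; snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, name);
    int fd = open(path, O_WRONLY); if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data)); close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}
static int sync_pipe[2];             /* parent closes the write end once the maps are written */
static char child_stack[64 * 1024];
/* Runs in fresh user, UTS and PID namespaces: 0 if it is pid 1, uid 0 and may set the hostname, else 1. */
static int child_fn(void *arg) {
    char c; (void)arg; close(sync_pipe[1]);
    while (read(sync_pipe[0], &c, 1) > 0) ;          /* block until EOF: the maps are in place */
    if (sethostname("inside-ns", 9) != 0) return 1;  /* needs CAP_SYS_ADMIN, held only inside the new user ns */
    return (getpid() == 1 && getuid() == 0) ? 0 : 1;
}
/* Child's exit status, or -1 if the kernel refused the clone (e.g. unprivileged user ns disabled). */
int run_demo(void) {
    char map[64]; int status = 0;
    if (pipe(sync_pipe) != 0) return -1;
    pid_t pid = clone(child_fn, child_stack + sizeof child_stack,
                      CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWPID | SIGCHLD, NULL);
    if (pid < 0) return -1;
    write_proc(pid, "setgroups", "deny");            /* required before gid_map since 3.19; absent earlier */
    format_id_map(map, sizeof map, 0, getuid(), 1);  /* unprivileged: may only map its own uid and gid */
    write_proc(pid, "uid_map", map);
    format_id_map(map, sizeof map, 0, getgid(), 1);
    write_proc(pid, "gid_map", map);
    close(sync_pipe[1]);                             /* EOF releases the child */
    waitpid(pid, &status, 0); close(sync_pipe[0]);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

On a kernel where unprivileged user namespaces are disabled (the default the slide mentions) run_demo() returns -1 without creating anything; where they are allowed it returns 0.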
15. LXC: Lightweight containers
● Container management toolset
● Create namespaces
● Configure networking
● Resource management with control groups
● Integrated with libvirt
21. Further reading
● Configuring network namespaces with iproute2's ip netns:
  http://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/
● Mike Kerrisk's LWN series on namespaces:
  http://lwn.net/Articles/531114/
● Rami Rosen's great Namespaces/Cgroups lecture:
  http://www.haifux.org/lectures/299/netLec7.pdf