
What is the function of Namespace in Linux operating system

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

In this issue, the editor introduces the role of Namespace in the Linux operating system. The article is rich in content and analyzes the topic from a professional point of view; I hope you get something out of reading it.

The concept of namespace

Namespace is the mechanism by which the Linux kernel isolates kernel resources. Through namespaces, one group of processes can see only the resources that belong to it, while another group sees only its own; the two groups are entirely unaware of each other's existence. Concretely, this is achieved by placing the related resources of one or more processes in the same namespace.

Linux namespaces encapsulate and isolate global system resources so that processes in different namespaces have independent copies of those resources. Changing a system resource in one namespace affects only the processes in that namespace and has no effect on processes in other namespaces.

The purpose of namespace

Perhaps the vast majority of users, like me, only began to learn about Linux's namespace technology after using docker. In fact, one of the main purposes of implementing namespaces in the Linux kernel is to provide lightweight virtualization (container) services. Processes in the same namespace can perceive each other's changes but know nothing about processes outside it. This gives the processes in a container the illusion that they are running on a separate system, which achieves the isolation we want. In other words, the namespace technology provided by the Linux kernel laid the foundation for the emergence and development of container technologies such as docker.

Consider how to implement a resource-isolated container from the perspective of a docker implementer. The file system can be isolated by switching the root directory's mount point with the chroot command. To communicate and be located in a distributed environment, a container must have its own IP address, ports and routes, which requires network isolation. The container also needs its own hostname to identify itself on the network. Next, inter-process communication and user rights need to be isolated as well. Applications running in the container need a process number (PID), which naturally has to be isolated from the PIDs on the host. In other words, these six isolation capabilities are the basis for implementing a container. Let's look at which isolation capabilities the namespace feature of the Linux kernel provides:

Mount namespace (CLONE_NEWNS): mount points, i.e. the file system view
UTS namespace (CLONE_NEWUTS): hostname and domain name
IPC namespace (CLONE_NEWIPC): System V IPC objects and POSIX message queues
PID namespace (CLONE_NEWPID): process IDs
Network namespace (CLONE_NEWNET): network devices, protocol stacks, ports and routing tables
User namespace (CLONE_NEWUSER): user and group IDs
Cgroup namespace (CLONE_NEWCGROUP): cgroup root directory

The first six namespaces in the list above are the isolation technologies needed to implement a container; the newer Cgroup namespace has not yet been adopted by docker. It is expected that the various container runtimes will add support for the Cgroup namespace in the near future.

The Development History of namespace

Linux implemented some namespaces in early versions, such as the mount namespace in kernel 2.4. Most namespace support was added in kernel 2.6, including IPC, Network, PID and UTS. Some namespaces are special cases: the User namespace has been worked on since kernel 2.6 but was only completed in kernel 3.8. As Linux itself evolves and container technology keeps creating new demands, new namespaces continue to be supported, such as the Cgroup namespace added in kernel 4.6.

Linux provides several APIs for manipulating namespaces: the clone(), setns() and unshare() functions. To determine which namespaces are isolated, you usually pass some of the following flags when calling these APIs: CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUSER, CLONE_NEWUTS and CLONE_NEWCGROUP. To isolate several namespaces at once, combine these flags with | (bitwise or). Namespaces can also be manipulated through some files under /proc. Let's take a brief look at how these interfaces are used.

View the namespace to which the process belongs

Starting with kernel 3.8, the /proc/<pid>/ns directory contains information about the namespaces a process belongs to. Use the following command to view the namespaces of the current shell process:

$ ll /proc/$$/ns

First, the files in this directory are symbolic links. The link target has the format xxx:[inode number], where xxx is the namespace type and the inode number identifies the namespace and can be regarded as its ID. If the namespace files of two processes point to the same link target, the corresponding resources of those processes are in the same namespace.

Second, another purpose of placing these link files in /proc/<pid>/ns is that once one of them is opened, the namespace keeps existing for as long as the open file descriptor (fd) exists, even if every process in the namespace has exited, and processes can join it again later.

Besides opening the file, we can also keep a namespace from being deleted by bind-mounting it. For example, we can mount the uts namespace of the current process onto the file ~/uts:

$ touch ~/uts
$ sudo mount --bind /proc/$$/ns/uts ~/uts

Use the stat command to check the result:

Isn't it remarkable? The inode of ~/uts is the same as the inode number in the link target: they are the same file.

Clone function

We can use clone() to create a namespace while creating a new process. The declaration of clone() in the C library is as follows:

/* Prototype for the glibc wrapper function */
#define _GNU_SOURCE
#include <sched.h>
int clone(int (*fn)(void *), void *child_stack, int flags, void *arg,
          ... /* pid_t *parent_tid, void *tls, pid_t *child_tid */);

In fact, clone() is a wrapper function defined in the C library; it sets up the new process's stack and invokes the clone() system call, which stays hidden from the programmer. clone() is essentially a more general form of the Linux fork() system call, using flags to control how much is shared between parent and child. More than 20 flag bits beginning with CLONE_ control all aspects of the cloned process (for example whether virtual memory is shared with the parent). Here are the four parameters of clone(); flags is the one that selects namespaces:

fn: the function executed by the new process. When this function returns, the child process terminates; its integer return value is the child's exit code.

child_stack: the stack used by the child process, that is, the user-space stack pointer (the esp register) assigned to the child. The calling process (the one that calls clone()) should always allocate a new stack for the child.

flags: which CLONE_ flag bits are used. Those related to namespaces are CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUSER, CLONE_NEWUTS and CLONE_NEWCGROUP.

arg: the argument passed to fn().

In subsequent articles, we will create and demonstrate the various namespace types mainly through the clone() function.
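
As an added example (not code from the original article), the four clone() parameters described above used together: the child is cloned into a new user namespace plus a new UTS namespace, changes the hostname there, and the parent checks that its own hostname is unaffected. The hostname "ns-demo" is a constructed value and the function names are hypothetical.

```c
/* Added example (not from the original article): clone() a child into new user
 * and UTS namespaces, let it change the hostname there, and confirm the parent's
 * hostname is untouched. CLONE_NEWUSER is added so an unprivileged user can run
 * it: the child holds all capabilities in its new user namespace, which owns the
 * new UTS namespace, so sethostname() is allowed there and nowhere else. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define STACK_SIZE (1024 * 1024)
static const char NEW_NAME[] = "ns-demo";  /* constructed hostname */

/* The fn argument of clone(): runs inside the new namespaces; its return value
 * becomes the child's exit code (0 = hostname changed as expected). */
static int child_fn(void *arg)
{
    char name[256];
    (void)arg;
    if (sethostname(NEW_NAME, strlen(NEW_NAME)) != 0) return 1;
    if (gethostname(name, sizeof name) != 0) return 2;
    return strcmp(name, NEW_NAME) == 0 ? 0 : 3;
}

/* Returns 0 when the child saw the new hostname and the parent's did not change,
 * the child's exit code (1..3) if it failed, 4 if it was killed, 5 if the
 * parent's hostname changed, or -errno if clone() itself was refused. */
int demo_uts_isolation(void)
{
    char before[256], after[256];
    int status = 0;
    if (gethostname(before, sizeof before) != 0) return -errno;
    char *stack = malloc(STACK_SIZE);
    if (!stack) return -ENOMEM;
    /* The stack grows downwards, so the child is handed the top of the block. */
    pid_t pid = clone(child_fn, stack + STACK_SIZE,
                      CLONE_NEWUSER | CLONE_NEWUTS | SIGCHLD, NULL);
    if (pid == -1) { int err = errno; free(stack); return -err; }
    waitpid(pid, &status, 0);
    free(stack);
    if (!WIFEXITED(status)) return 4;
    if (WEXITSTATUS(status) != 0) return WEXITSTATUS(status);
    if (gethostname(after, sizeof after) != 0) return -errno;
    return strcmp(before, after) == 0 ? 0 : 5;
}
```

Where unprivileged user namespaces are disabled (sysctl) or a container's seccomp profile filters clone() with CLONE_NEWUSER, the function returns -EPERM instead of 0, which is exactly the failure a defender should expect from such hardening.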

Setns function

The setns() function adds the current process to an existing namespace. The declaration of setns() in the C library is as follows:

#define _GNU_SOURCE
#include <sched.h>
int setns(int fd, int nstype);

Like clone(), the setns() function in the C library wraps the setns() system call:

fd: the file descriptor of the namespace to join. It refers to a file under /proc/<pid>/ns and can be obtained either by opening one of the link files in that directory directly or by opening a file onto which such a link has been bind-mounted.

nstype: lets the caller check that the namespace type referred to by fd is the one expected. Passing 0 disables the check.

As mentioned earlier, a namespace can be preserved by mounting it; the point of preserving it is so that a process can join it later. In docker, setns() is what docker exec relies on to run a new command inside an already running container. To make use of the newly joined namespace we also need the execve() family of functions (the author introduced them in the article "Linux creating child process execution tasks", which interested readers can consult); these functions execute a user command, and the most common use is to call /bin/bash with arguments to run a shell.

Unshare functions and commands

The unshare() function performs namespace isolation on the calling process itself, that is, it creates a new namespace and adds the process to it. The declaration of unshare() in the C library is as follows:

#define _GNU_SOURCE
#include <sched.h>
int unshare(int flags);

Like the previous two functions, the unshare() function in the C library wraps the unshare() system call. The main advantage of calling unshare() is that resources can be isolated without starting a new process, which amounts to stepping out of the original namespace to continue working.

The system also provides an unshare command by default, which simply calls the unshare() system call. The following demo uses the unshare command to make the current process root inside a user namespace of its own:
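
As an added example (not code from the original article), here is what the unshare command demo above does, done through the unshare() API: the process unshares into a new user namespace and writes its own uid/gid mapping so that id 0 inside the namespace corresponds to the unprivileged caller outside. It assumes the demo is equivalent to `unshare --user --map-root-user`; the function names are hypothetical.

```c
/* Added example (not from the original article): the C equivalent of what the
 * unshare command does in the demo above (assumed to be
 * `unshare --user --map-root-user`): unshare() the calling process into a new
 * user namespace and map its own uid/gid onto 0 there, so getuid() returns 0
 * without granting any privilege on the host. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write one short string to a /proc/self/* file; returns 0 or -errno. */
static int write_proc_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int err = write(fd, text, strlen(text)) < 0 ? errno : 0;
    close(fd);
    return -err;
}

/* Returns 0 when the caller is now uid 0 inside a fresh user namespace,
 * or -errno naming the step the kernel refused (EPERM is typical where
 * unprivileged user namespaces are disabled or a sandbox filters unshare()). */
int map_root_in_new_userns(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    char map[64];
    int rc;

    /* The article's unshare() API: isolate without starting a new process. */
    if (unshare(CLONE_NEWUSER) != 0) return -errno;
    /* setgroups must be denied before an unprivileged process may write gid_map. */
    rc = write_proc_file("/proc/self/setgroups", "deny");
    if (rc != 0) return rc;
    /* "0 <outside id> 1": id 0 inside the namespace <-> our real id, range of 1. */
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    rc = write_proc_file("/proc/self/uid_map", map);
    if (rc != 0) return rc;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    rc = write_proc_file("/proc/self/gid_map", map);
    if (rc != 0) return rc;
    return getuid() == 0 ? 0 : -EAGAIN;  /* EAGAIN: the mapping did not take */
}
```

The "root" obtained this way is root only over resources owned by the new user namespace; on the host the process still runs with its original uid, which is the property that makes rootless containers possible.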

The above is what the editor has to share about the role of Namespace in the Linux operating system. If you happen to have similar doubts, you may refer to the above analysis. If you want to know more, you are welcome to follow the industry information channel.
