
Example Analysis of Linux namespace of Docker basic knowledge

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article presents "Example Analysis of the Linux namespace in Docker basic knowledge". The content is easy to understand and clearly laid out, and I hope it helps resolve your doubts. Let the editor lead you through "Example Analysis of the Linux namespace in Docker basic knowledge".

Docker is a case of "old wine in new bottles": it relies on existing Linux kernel technologies such as chroot, namespaces and cgroups.

Like virtual machine technology, Docker isolates resources, but it does so at the operating-system level: a container is essentially a process (the container process) on the host, so resource isolation mainly means isolating that process's resources. The core technology for this is the Linux namespace, whose design idea is the same as namespaces in many programming languages (such as C++'s namespace).

Isolation means that multiple lightweight kernels (container processes) can be abstracted. These processes can make full use of the host's resources, and some host resources can be shared among container processes, yet the processes remain isolated from each other. Likewise, resource use by different container processes is isolated, so the same operation performed in each does not interfere with the others, and security is guaranteed.

To support these features, Linux namespaces implement six kinds of resource isolation, which basically cover the elements a small operating system needs to run: hostname, user rights, file system, network, process number, and inter-process communication.

Each of these six isolations corresponds to a clone() flag; isolation is enabled by passing the matching flags (CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWPID and so on) to the clone() function.

    int clone(int (*child_func)(void *), void *child_stack, int flags, void *arg);

The clone() function should be familiar: it is a more general way of doing what fork() does. By calling clone() and passing in the flags for the resources you want to isolate, you can set up a container (isolating exactly what we choose).

A container process can itself clone() another container process; this is container nesting.

To see which namespaces the current process belongs to, look at the files under /proc/[pid]/ns (note: this is only available on kernels from version 3.8 onward).

As you can see, each namespace is accompanied by a number that uniquely identifies it; if two processes point to the same namespace number, they are in the same namespace. Note also the extra cgroup entry: the cgroup namespace is only supported from kernel 4.6, and Docker's support for it is not yet widespread, so we set it aside for now.

The following simple code demonstrates the isolation effect of each of the six namespaces, to give an intuitive impression.
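To turn the /proc/[pid]/ns check into something a script or a monitoring job can use, the program below, an example added here rather than code from the original article, reads the namespace symlinks of two processes and compares the inode numbers that appear in the "type:[inode]" link text. It is the same comparison you would make by eye with ls -l /proc/[pid]/ns, and covers all six namespace types rather than only the ones shown later. The function names parse_ns_link, read_ns_inode and same_namespace are chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Parse the text of a /proc/[pid]/ns/* symlink, e.g. "uts:[4026531838]".
 * Returns the inode number, or 0 if the string does not have that shape
 * (namespace inodes are never 0). If `type` is non-NULL the namespace type
 * ("uts", "ipc", ...) is copied into it. */
unsigned long parse_ns_link(const char *link, char *type, size_t type_len)
{
    const char *colon = strchr(link, ':');
    if (!colon || colon[1] != '[')
        return 0;
    size_t n = (size_t)(colon - link);
    if (n == 0)
        return 0;
    if (type) {
        if (n >= type_len)
            return 0;
        memcpy(type, link, n);
        type[n] = '\0';
    }
    char *end = NULL;
    unsigned long inode = strtoul(colon + 2, &end, 10);
    if (end == colon + 2 || *end != ']' || end[1] != '\0')
        return 0;
    return inode;
}

/* Read the namespace inode of one type for a pid. Returns the inode, or 0 if
 * the link cannot be read (no /proc, no permission, kernel older than 3.8). */
unsigned long read_ns_inode(pid_t pid, const char *ns_type)
{
    char path[64], link[64];
    snprintf(path, sizeof path, "/proc/%ld/ns/%s", (long)pid, ns_type);
    ssize_t len = readlink(path, link, sizeof link - 1);
    if (len < 0)
        return 0;
    link[len] = '\0';
    return parse_ns_link(link, NULL, 0);
}

/* 1 if both processes share the namespace of that type, 0 if they are in
 * different ones, -1 if either link could not be read. */
int same_namespace(pid_t a, pid_t b, const char *ns_type)
{
    unsigned long ia = read_ns_inode(a, ns_type);
    unsigned long ib = read_ns_inode(b, ns_type);
    if (ia == 0 || ib == 0)
        return -1;
    return ia == ib;
}

int main(int argc, char *argv[])
{
    /* Compare this process with PID 1, or with a pid given on the command line.
     * Inside a container you expect "separate" for uts, ipc, pid, mnt and net. */
    pid_t other = argc > 1 ? (pid_t)atol(argv[1]) : 1;
    const char *types[] = {"uts", "ipc", "pid", "mnt", "net", "user", NULL};
    for (int i = 0; types[i]; i++) {
        int r = same_namespace(getpid(), other, types[i]);
        printf("%-5s %s\n", types[i], r < 0 ? "unreadable" : r ? "shared" : "separate");
    }
    return 0;
}
```

Run it as ./ns_check [pid]; reading another user's /proc/[pid]/ns requires the same permissions as ptrace on that process, so comparisons against PID 1 usually need root.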

UTS namespace

The UTS namespace isolates the host name and domain name, so that each container has its own and can be treated as an independent node on the network. Setting the hostname inside the container has no effect on the host.

First, look at the overall code skeleton:

    #define _GNU_SOURCE
    #include <sched.h>
    #include <signal.h>
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/wait.h>
    #include <unistd.h>

    #define STACK_SIZE (1024 * 1024)
    static char container_stack[STACK_SIZE];
    char *const container_args[] = {"/bin/bash", NULL};

    /* entry point of the container (child) process */
    int container_main(void *args)
    {
        printf("in the container process!\n");
        execv(container_args[0], container_args); /* execute /bin/bash */
        return 1;
    }

    int main(int argc, char *argv[])
    {
        printf("Program start\n");
        /* clone the container process */
        int container_pid = clone(container_main, container_stack + STACK_SIZE, SIGCHLD, NULL);
        /* wait for the container process to end */
        waitpid(container_pid, NULL, 0);
        return 0;
    }

The skeleton calls clone() to create the child process and defines the function the child executes. The second parameter of clone() is the stack the child runs on, and the third parameter is the key to creating the different namespace isolations.

For UTS namespace, pass in CLONE_NEWUTS as follows:

    int container_pid = clone(container_main, container_stack + STACK_SIZE, SIGCHLD | CLONE_NEWUTS, NULL);

In order to see the changes of host names inside and outside the container, we add the following to the execution function of our child process:

    sethostname("container", 9);

In the final run, you can see the following results:

IPC namespace

The IPC namespace isolates inter-process communication, covering the common mechanisms: semaphores, message queues and shared memory. Completing IPC requires applying for a globally unique identifier, the IPC identifier, so the main task of IPC resource isolation is to isolate these identifiers.

Similarly, you only need to add the parameter CLONE_NEWIPC to modify the code, as follows:

    int container_pid = clone(container_main, container_stack + STACK_SIZE, SIGCHLD | CLONE_NEWUTS | CLONE_NEWIPC, NULL);

To see the change, first create a message queue on the host:

Then run the program and list the IPC objects inside the container: the queue created earlier is not found, so IPC isolation is achieved.

PID namespace

The PID namespace isolates process numbers. Again, add the CLONE_NEWPID flag to clone(), for example:

    int container_pid = clone(container_main, container_stack + STACK_SIZE, SIGCHLD | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWPID, NULL);

The effect is as follows: echo $$ prints the shell's PID, which has changed.

But the output of commands such as ps and top is unchanged:
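The UTS, IPC and PID sections above each add one flag to the same skeleton. The program below, an example added here rather than code from the original article, puts the three steps together and checks the result programmatically instead of by eye: the parent creates a message queue under a constructed key, clones a child with CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWPID, and the child verifies from inside that its hostname change took effect, that the host's queue is not visible, and that its PID is 1; the parent then confirms its own hostname is untouched. flags_from_names, run_isolation_demo and DEMO_MSG_KEY are names chosen for this example. Creating these namespaces requires CAP_SYS_ADMIN, so run it as root; otherwise clone() fails with EPERM and the program reports that.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];

/* Constructed key for the host-side message queue; any value works for the demo. */
#define DEMO_MSG_KEY 0x5a5a1234

/* Translate a comma-separated list such as "uts,ipc,pid" into clone() flags.
 * Unknown names are ignored; SIGCHLD is always set so waitpid() works. */
int flags_from_names(const char *names)
{
    int flags = SIGCHLD;
    char buf[64];
    strncpy(buf, names, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        if (strcmp(tok, "uts") == 0) flags |= CLONE_NEWUTS;
        else if (strcmp(tok, "ipc") == 0) flags |= CLONE_NEWIPC;
        else if (strcmp(tok, "pid") == 0) flags |= CLONE_NEWPID;
    }
    return flags;
}

/* Runs inside the new namespaces. Returns a bitmask of checks that FAILED:
 * bit 0: hostname not changed inside the container (or sethostname failed)
 * bit 1: the host's message queue is still visible
 * bit 2: PID inside the container is not 1 */
static int container_main(void *arg)
{
    (void)arg;
    int failed = 0;
    struct utsname u;
    if (sethostname("container", 9) != 0 || uname(&u) != 0 || strcmp(u.nodename, "container") != 0)
        failed |= 1;
    if (msgget(DEMO_MSG_KEY, 0) != -1 || errno != ENOENT)
        failed |= 2;
    if (getpid() != 1)
        failed |= 4;
    return failed;
}

/* Creates the host queue, clones an isolated child and returns the failure
 * bitmask (0 = all three isolations observed; bit 3 = host hostname changed),
 * or -1 if clone() itself failed (typically EPERM without CAP_SYS_ADMIN). */
int run_isolation_demo(void)
{
    int qid = msgget(DEMO_MSG_KEY, IPC_CREAT | 0600);
    char before[65] = {0}, after[65] = {0};
    gethostname(before, sizeof before - 1);

    int pid = clone(container_main, child_stack + STACK_SIZE, flags_from_names("uts,ipc,pid"), NULL);
    if (pid == -1) {
        perror("clone");
        if (qid != -1) msgctl(qid, IPC_RMID, NULL);
        return -1;
    }
    int status = 0;
    waitpid(pid, &status, 0);
    if (qid != -1) msgctl(qid, IPC_RMID, NULL); /* clean up the host queue */

    gethostname(after, sizeof after - 1);
    int result = WIFEXITED(status) ? WEXITSTATUS(status) : 0xff;
    if (strcmp(before, after) != 0) /* the child's sethostname() must not leak out */
        result |= 8;
    return result;
}

int main(void)
{
    int r = run_isolation_demo();
    if (r < 0) return 1;
    printf("failed checks bitmask: %d (0 means UTS, IPC and PID are all isolated)\n", r);
    return r == 0 ? 0 : 2;
}
```

Build with gcc -o ns_demo ns_demo.c and run sudo ./ns_demo; exit code 0 means all checks passed, otherwise the printed bitmask names the failing check. The child tests getpid() rather than listing /proc because ps and top read /proc, which in this program is still the host's mount, which is why their output does not change with CLONE_NEWPID alone.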

For the reason behind this, and for the remaining content (mount namespace, network namespace and user namespace), you can follow my official account, where the reading experience is better.

That is all the content of the article "Linux namespace sample Analysis of Docker Basics". Thank you for reading! I believe everyone now has some understanding; I hope the shared content helps you, and if you want to learn more, welcome to follow the industry information channel!
