Shulou(Shulou.com)05/31 Report--

Today, the editor will show you how to understand the namespace of Linux. The knowledge points in this article are very detailed. Friends who feel helpful can browse the content of the article with the editor, hoping to help more friends who want to solve this problem to find the answer to the problem. Follow the editor to learn more about "how to understand the namespace of Linux".

I. basic concepts

The    namespace (Linux namespace) is a feature of the linux kernel that implements container virtualization mapping. Each container we create has its own namespace, and the applications running in it are run as if they were in a separate operating system, and the namespace ensures that the containers do not affect each other.

The namespace mechanism of    Linux provides a solution for resource isolation. PID,IPC,Network and other system resources are no longer global, but belong to specific Namespace. Namespace is a kind of encapsulation and isolation of global system resources, which makes the processes in different namespace have independent global system resources. Changing the system resources in one namespace will only affect the processes in the current namespace, but have no effect on the processes in other namespace.

   traditionally, in Linux and other derived UNIX variants, many resources are managed globally. For example, all processes in the system are conventionally identified by PID, which means that the kernel must manage a global PID list. Moreover, the system-related information (including the system name and some information about the kernel) returned by all callers through the uname system call is the same. User ID is managed in a similar way, that is, each user is identified by a globally unique UID number.

The    global ID allows the kernel to selectively allow or deny certain privileges. Although root users with a UID of 0 are basically allowed to do anything, other users'ID is restricted. For example, a user whose UID is n is not allowed to kill a process belonging to user m (m ≠ n). But this does not prevent users from seeing each other, that is, user n can see that another user m is also active on the computer. This is fine as long as users can only manipulate their own processes, because there is no reason why users should not be allowed to see other users' processes.

   but in some cases, this effect may not be desired. If the vendor providing the Web host intends to give the user full access to the Linux computer, including root rights. Traditionally, this requires a computer for each user, which is too expensive. Using a virtualized environment provided by KVM or VMWare is one way to solve the problem, but the resource allocation is not very good. Each user of the computer needs a separate kernel and a fully installed user-layer application.

The    namespace provides a different solution that requires fewer resources. In a virtualized system, a physical computer can run multiple cores, possibly multiple different operating systems in parallel. Namespaces, on the other hand, operate on one physical computer using only one kernel, and all the above-mentioned global resources are abstracted by namespaces. This makes it possible to place a set of processes in containers that are isolated from each other. Isolation allows container members to have nothing to do with other containers. However, the separation between containers can also be reduced by allowing containers to share to some extent. For example, a container can be set to use its own PID collection, but still share part of the file system with other containers.

II. Realization

The implementation of    namespaces requires two parts: the namespace structure of each subsystem, wrapping all previous global components into namespaces, and the mechanism for associating a given process to each namespace to which it belongs.

Previous global attributes of the    subsystem are now encapsulated in namespaces, with each process associated with a selected namespace. Every namespace-aware kernel subsystem must provide a data structure that centralizes all objects provided in the form of a namespace. Struct nsproxy is used to aggregate pointers to subsystem-specific namespace wrappers. In the file nsproxy.h, there are:

/ * * A structure to contain pointers to all per-process * namespaces-fs (mount), uts, network, sysvipc, etc. * * The pid namespace is an exception-it's accessed using * task_active_pid_ns. The pid namespace here is the * namespace that children will use. * * 'count' is the number of tasks holding a reference. * The count for each namespace, then, will be the number * of nsproxies pointing to it, not the number of tasks. * * The nsproxy is shared by tasks which share all namespaces. * As soon as a single namespace is cloned or unshared, the * nsproxy is copied. * / struct nsproxy {atomic_t count; struct uts_namespace * uts_ns; struct ipc_namespace * ipc_ns; struct mnt_namespace * mnt_ns; struct pid_namespace * pid_ns_for_children; struct net * net_ns; struct time_namespace * time_ns; struct time_namespace * time_ns_for_children; struct cgroup_namespace * cgroup_ns;}

The following scopes of the current kernel of    are namespace aware

The    1 and UTS namespaces contain information such as the name, version, and underlying architecture type of the running kernel. UTS is the abbreviation of UNIXTimesharing System.

   2. All information related to interprocess communication (IPC) stored in struct ipc_namespace.

   3. A view of the mounted file system, given in struct mnt_namespace.

   4. Information about the process ID is provided by struct pid_namespace.

Information saved by    5 and struct user_namespace to limit the use of resources per user.

   6 and struct net_ns contain all network-related namespace parameters.

   when I discuss the corresponding subsystems, I introduce the contents of each namespace container. Because you can use fork to establish a new namespace when you create a new process, you must provide the appropriate flags that control this behavior. Each namespace has a corresponding flag in the sched.h file:

# define CLONE_NEWCGROUP 0x02000000 / * New cgroup namespace * / # define CLONE_NEWUTS 0x04000000 / * New utsname namespace * / # define CLONE_NEWIPC 0x08000000 / * New ipc namespace * / # define CLONE_NEWUSER 0x10000000 / * New user namespace * / # define CLONE_NEWPID 0x20000000 / * New pid namespace * / # define CLONE_NEWNET 0x40000000 / * New network namespace * /

The role of different types of    namespaces:

   IPC: resources needed to isolate inter-process communication (System V IPC, POSIX message queues). PID namespaces and IPC namespaces can be combined. Processes in the same IPC namespace can see each other and are allowed to interact. Processes in different spaces cannot interact.

   Network:Network Namespace provides a completely independent view of the network protocol stack for processes. It includes network device interface, IPv4 and IPv6 protocol stack, IP routing table, firewall rules, sockets and so on. An Network Namespace provides an independent network environment, just like an independent system.

   Mount: each process exists in a mount Namespace, and    mount Namespace provides a hierarchical view of the files for the process. If this flag is not set, the child process and the parent process will share a mount Namespace, and the subsequent child process calling mount or umount will affect all processes within the Namespace. If the child process is in a separate mount Namespace, you can call mount or umount to create a new file hierarchy view.

   PID::linux manages process numbers through namespaces. The same process differs in different namespaces! The process namespace is a parent-child structure, and the subspace is visible to the parent space.

   User: used to isolate users

   UTS: used to isolate hostnam

   each process is associated with its own namespace view, which is defined in the task_struct structure of the task definition as follows:

Struct task_struct {. / * Namespace * / struct nsproxy * nsproxy;...}

Because    uses pointers, multiple processes can share a set of subnamespaces. In this way, modifying a given namespace is visible to all processes that belong to that namespace.

   init_nsproxy defines the initial global namespace, which maintains pointers to the initial namespace objects of each subsystem. In the kernel/nsproxy.c file

Struct nsproxy init_nsproxy = {.count = ATOMIC_INIT (1), .uts _ ns = & init_uts_ns,#if defined (CONFIG_POSIX_MQUEUE) | | defined (CONFIG_SYSVIPC) .IPC _ ns = & init_ipc_ns,#endif .MNT _ ns = NULL .pid _ ns_for_children = & init_pid_ns,#ifdef CONFIG_NET .net _ ns = & init_net,#endif#ifdef CONFIG_CGROUPS .cgroup _ ns = & init_cgroup_ns,#endif#ifdef CONFIG_TIME_NS .time _ ns = & init_time_ns, .time _ ns_for_children = & init_time_ns # endif} III. UTS Namespace

The    UTS namespace requires little special processing because it requires simple amounts and no hierarchical organization. All relevant information is gathered into an instance of the following structure. Within the utsname.h file:

Struct uts_namespace {struct new_utsname name; struct user_namespace * user_ns; struct ucounts * ucounts; struct ns_common ns;} _ _ randomize_layout

The attribute information provided by    uts_namespace is itself contained in struct new_utsname:

Struct oldold_utsname {char sysname [9]; char nodename [9]; char release [9]; char version [9]; char machine [9];}; # define _ NEW_UTS_LEN 64struct old_utsname {char sysname [65]; char nodename [65]; char release [65]; char version [65]; char machine [65];} Struct new_utsname {char sysname [_ _ NEW_UTS_LEN + 1]; char Nodename [_ _ NEW_UTS_LEN + 1]; char release [_ _ NEW_UTS_LEN + 1]; char version [_ _ NEW_UTS_LEN + 1]; char machine [_ _ NEW_UTS_LEN + 1]; char domain name [_ _ NEW_UTS_LEN + 1];}

Each string of the    stores the name of the system (Linux... , kernel release, machine name, and so on You can get the current values of these properties using the uname tool, which can also be seen in / proc/sys/kernel/

Cat / proc/sys/kernel/ostypeLinuxz@z-virtual-machine:~$ cat / proc/sys/kernel/osrelease5.3.0-40-generic

The initial    settings are saved in init_uts_ns and in the init/version.c file:

Struct uts_namespace init_uts_ns = {.ns.count = REFCOUNT_INIT (2), .name = {.sysname = UTS_SYSNAME, .nodename = UTS_NODENAME, .release = UTS_RELEASE, .version = UTS_VERSION, .machine = UTS_MACHINE .domainname = UTS_DOMAINNAME,}, .user _ ns = & init_user_ns, .ns.inum = PROC_UTS_INIT_INO,#ifdef CONFIG_UTS_NS .ns.ops = & utsns_operations,#endif} What is Linux system Linux is a free-to-use and free-spread UNIX-like operating system, is a POSIX-based multi-user, multi-task, multi-threaded and multi-CPU operating system, using Linux can run major Unix tools, applications and network protocols.

Thank you for your reading, the above is the whole content of "how to understand the namespace of Linux". Friends who learn to learn to do it quickly. I believe that the editor will certainly bring you better quality articles. Thank you for your support to the website!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.