
Namespaces in Linux

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces namespaces in Linux. Many people run into this topic when working through real cases, so let the editor walk you through how to handle these situations. I hope you read it carefully and get something out of it!

Background

Since Linux kernel 2.6.24, Linux has supported six different types of namespaces. They allow processes created by a user to be separated from the rest of the system much more thoroughly, so that heavier virtualization technologies are often not needed.

CLONE_NEWIPC: the interprocess communication (IPC) namespace, which isolates System V IPC objects and POSIX message queues.

CLONE_NEWPID: the PID namespace. PIDs inside the namespace are allocated independently, so a PID inside the namespace may coincide with a PID outside it; the kernel therefore maps each process to a different PID when it is viewed from the parent namespace. For example, the first process in the namespace has PID 1, while outside the namespace PID 1 is already taken by the init process.

CLONE_NEWNET: the network namespace, which isolates network resources (/proc/net, IP addresses, network interfaces, routing tables, and so on). Daemons in different namespaces can listen on the same port, and users can also create virtual network interfaces.

CLONE_NEWNS: the mount namespace, which separates the process's mount points from the rest of the system while it runs. With this feature we can achieve what chroot does, and more securely than chroot.

CLONE_NEWUTS: the UTS namespace, whose main purpose is to isolate the hostname and the Network Information Service (NIS) domain name.

Let's take a look at the process namespace and network namespace.

Process namespace

This article presents the concepts above in C, because C is what you need when demonstrating process namespaces. The following test procedure was performed on Debian 6 and Debian 7. First, allocate one page of memory on the stack and point a pointer at the end of that page (the stack grows downward on x86, so clone() must be given the top of the region). Here we use alloca() to allocate the memory rather than malloc(), which allocates on the heap.

The code is as follows:

void *mem = alloca(sysconf(_SC_PAGESIZE)) + sysconf(_SC_PAGESIZE);

Then use the clone() function to create a child process, passing in the address of our sub-stack "mem" and the flags for the namespaces we want. We also specify "callee" as the function the child process will run.

The code is as follows:

mypid = clone(callee, mem, SIGCHLD | CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNS | CLONE_FILES, NULL);

After clone(), the parent must wait for the child before exiting. Otherwise the parent keeps running, finishes immediately, and the child is left behind as an orphan process:

The code is as follows:

while (waitpid(mypid, &r, 0) < 0 && errno == EINTR)
{
    continue;
}

Finally, when the child process exits, we return to the shell and pass on the child's exit code.

The code is as follows:

if (WIFEXITED(r))
{
    return WEXITSTATUS(r);
}
return EXIT_FAILURE;

The callee function mentioned above is defined as follows:

The code is as follows:

/* clone() calls this with the pointer given as its last argument. */
static int callee(void *arg)
{
    int ret;
    (void)arg;
    /* Mount a fresh /proc so tools such as ps only see this PID namespace. */
    if (mount("proc", "/proc", "proc", 0, "") < 0)
    {
        perror("mount /proc");
        return EXIT_FAILURE;
    }
    /* Drop privileges: group ID, supplementary groups, then user ID.
       Each call is checked; a silently failed setuid() would leave
       the shell running as root. */
    if (setgid(u) < 0 || setgroups(0, NULL) < 0 || setuid(u) < 0)
    {
        perror("drop privileges");
        return EXIT_FAILURE;
    }
    ret = execl("/bin/bash", "/bin/bash", NULL);
    return ret; /* only reached if execl() fails */
}

The program mounts the /proc file system, sets the user ID and group ID to "u", and then runs /bin/bash. LXC, an operating-system-level virtualization tool, uses the same namespaces together with cgroups to isolate resources. The complete program is as follows:

The code is as follows:

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <signal.h>
#include <errno.h>
#include <grp.h>
#include <alloca.h>
#include <sys/wait.h>
#include <sys/mount.h>

static int callee(void *arg);
const int u = 65534; /* uid/gid of nobody/nogroup */

int main(int argc, char *argv[])
{
    int r = 0;
    pid_t mypid;
    /* One page of stack for the child; clone() takes the top of it. */
    void *mem = alloca(sysconf(_SC_PAGESIZE)) + sysconf(_SC_PAGESIZE);

    mypid = clone(callee, mem, SIGCHLD | CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNS | CLONE_FILES, NULL);
    if (mypid < 0)
    {
        perror("clone"); /* typically EPERM when not run as root */
        return EXIT_FAILURE;
    }
    while (waitpid(mypid, &r, 0) < 0 && errno == EINTR)
    {
        continue;
    }
    if (WIFEXITED(r))
    {
        return WEXITSTATUS(r);
    }
    return EXIT_FAILURE;
}

/* clone() calls this with the pointer given as its last argument. */
static int callee(void *arg)
{
    int ret;
    (void)arg;
    /* Mount a fresh /proc so tools such as ps only see this PID namespace. */
    if (mount("proc", "/proc", "proc", 0, "") < 0)
    {
        perror("mount /proc");
        return EXIT_FAILURE;
    }
    /* Drop privileges: group ID, supplementary groups, then user ID.
       Each call is checked; a silently failed setuid() would leave
       the shell running as root. */
    if (setgid(u) < 0 || setgroups(0, NULL) < 0 || setuid(u) < 0)
    {
        perror("drop privileges");
        return EXIT_FAILURE;
    }
    ret = execl("/bin/bash", "/bin/bash", NULL);
    return ret; /* only reached if execl() fails */
}

Execute the following command to run the above code:

The code is as follows:

root@w:~/pen/tmp# gcc -O -o ns -Wall -Werror -ansi -c89 ns.c
root@w:~/pen/tmp# ./ns
nobody@w:~/pen/tmp$ id
uid=65534(nobody) gid=65534(nogroup)
nobody@w:~/pen/tmp$ ps auxw
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
nobody       1  0.0  0.0   4620  1816 pts/1    S    21:21   0:00 /bin/bash
nobody       5  0.0  0.0   2784  1064 pts/1    R+   21:21   0:00 ps auxw
nobody@w:~/pen/tmp$

Notice in the output above that the UID and GID are set to nobody and nogroup, and in particular that ps shows only two processes, with PIDs 1 and 5 (LCTT note: this is the CLONE_NEWPID behaviour described above. Inside the new namespace the shell has PID 1, which maps to a different PID outside the namespace, where PID 1 is still init).
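As an added example (not code from the original article), the following C program shows how to verify from outside a process whether it really lives in a separate namespace, which is the check you want before trusting the isolation of a sandboxed shell like the one above. The kernel exposes each process's namespace identity as the target of /proc/<pid>/ns/<type> (for example "pid:[4026531836]"), and two processes share a namespace exactly when those inode numbers match. The program clones a child, with or without CLONE_NEWPID or CLONE_NEWNET, and compares its pid or net namespace with the parent's; the function names ns_inode, wait_for_parent and child_shares_ns are my own. Without CAP_SYS_ADMIN the CLONE_NEW* variants fail with EPERM, which is reported as -1 rather than misread as "shared". The same inode comparison applies to the network namespaces created with ip netns later in the article.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHILD_STACK_SIZE (64 * 1024)

/* Namespace identity of <pid>: the inode number inside the target of
 * /proc/<pid>/ns/<type>, e.g. "pid:[4026531836]". Returns 0 if the link
 * cannot be read (no /proc, no permission, process gone). Equal inodes
 * mean the two processes are in the same namespace. */
unsigned long ns_inode(pid_t pid, const char *type)
{
    char path[64];
    char link[64];
    const char *bracket;
    ssize_t n;

    snprintf(path, sizeof path, "/proc/%ld/ns/%s", (long)pid, type);
    n = readlink(path, link, sizeof link - 1);
    if (n < 0)
        return 0;
    link[n] = '\0';
    bracket = strchr(link, '[');
    return bracket ? strtoul(bracket + 1, NULL, 10) : 0;
}

/* Child body for clone(): block on a pipe until the parent has inspected
 * our /proc entry (read() returns 0 when the parent closes its end). */
static int wait_for_parent(void *arg)
{
    int *pipefd = arg;
    char byte;

    close(pipefd[1]);
    (void)read(pipefd[0], &byte, 1);
    close(pipefd[0]);
    return 0;
}

/* Clone a child with SIGCHLD | extra_flags and compare its <type>
 * namespace with ours. Returns 1 if shared, 0 if the child is in a new
 * namespace, -1 if clone() failed (errno preserved; CLONE_NEWPID and
 * CLONE_NEWNET need CAP_SYS_ADMIN). */
int child_shares_ns(int extra_flags, const char *type)
{
    int pipefd[2];
    int status;
    int shared;
    int saved_errno;
    char *stack;
    pid_t child;
    unsigned long mine, theirs;

    if (pipe(pipefd) < 0)
        return -1;
    stack = malloc(CHILD_STACK_SIZE);
    if (stack == NULL) {
        close(pipefd[0]);
        close(pipefd[1]);
        return -1;
    }
    /* The stack grows downwards on x86, so clone() is given its top. */
    child = clone(wait_for_parent, stack + CHILD_STACK_SIZE,
                  SIGCHLD | extra_flags, pipefd);
    if (child < 0) {
        saved_errno = errno;
        free(stack);
        close(pipefd[0]);
        close(pipefd[1]);
        errno = saved_errno;
        return -1;
    }
    close(pipefd[0]);

    mine = ns_inode(getpid(), type);
    theirs = ns_inode(child, type);
    shared = (mine != 0 && mine == theirs) ? 1 : 0;

    /* Closing the write end unblocks the child; then reap it. */
    close(pipefd[1]);
    while (waitpid(child, &status, 0) < 0 && errno == EINTR)
        continue;
    free(stack);
    return shared;
}

int main(void)
{
    int r;

    printf("plain child shares pid namespace: %d\n", child_shares_ns(0, "pid"));
    r = child_shares_ns(CLONE_NEWPID, "pid");
    printf("CLONE_NEWPID child shares pid namespace: %d%s\n", r,
           r < 0 ? " (clone failed; CAP_SYS_ADMIN needed)" : "");
    r = child_shares_ns(CLONE_NEWNET, "net");
    printf("CLONE_NEWNET child shares net namespace: %d%s\n", r,
           r < 0 ? " (clone failed; CAP_SYS_ADMIN needed)" : "");
    return 0;
}
```

Run as an ordinary user the first line prints 1 and the other two report a failed clone(); run as root the CLONE_NEWPID and CLONE_NEWNET children print 0, confirming they are in fresh namespaces. Reading /proc/<pid>/ns/* is also how a host-side monitor can tell whether a process that claims to be contained really is.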

Network namespace

Next, use ip netns to set up a network namespace. The first step is to confirm that the system currently has no namespaces:

The code is as follows:

root@w:~# ip netns list
Object "netns" is unknown, try "ip help".

If you get the error above, you need to update your kernel as well as the ip utility. This assumes a kernel newer than 2.6.24 and a comparably recent ip tool, also newer than 2.6.24 (LCTT note: the ip tool is provided by the iproute package, whose version numbers track the kernel's). After updating, ip netns list prints nothing when no namespace exists. Add a namespace named "ns1" and check:

The code is as follows:

root@w:~# ip netns add ns1
root@w:~# ip netns list
ns1

List the network interfaces:

The code is as follows:

root@w:~# ip link list
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
    link/ether 00:0c:29:65:25:9e brd ff:ff:ff:ff:ff:ff

Create a pair of virtual network interfaces and add one of them to the namespace. veth interfaces are created in pairs and are connected to each other, just like a crossover cable:

The code is as follows:

root@w:~# ip link add veth0 type veth peer name veth2
root@w:~# ip link list
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
    link/ether 00:0c:29:65:25:9e brd ff:ff:ff:ff:ff:ff
3: veth2: mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether d2:e9:52:18:19:ab brd ff:ff:ff:ff:ff:ff
4: veth0: mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether f2:f7:5e:e2:22:ac brd ff:ff:ff:ff:ff:ff

At this point, the ifconfig -a command also shows the newly added veth0 and veth2 interfaces.

Good, now move one of the two interfaces into the namespace. Note that ip netns exec runs the command that follows it inside the namespace (LCTT note: the output below shows that the ns1 network namespace contains only two interfaces, lo and veth2):

The code is as follows:

root@w:~# ip link set veth2 netns ns1
root@w:~# ip netns exec ns1 ip link list
1: lo: mtu 65536 qdisc noop state DOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: veth2: mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether d2:e9:52:18:19:ab brd ff:ff:ff:ff:ff:ff

Now ifconfig -a shows only veth0 and not veth2, because the latter is in the ns1 namespace.

If you want to delete veth0/veth2, run the following command (deleting one end of a veth pair removes its peer as well):

The code is as follows:

ip netns exec ns1 ip link del veth2

We can assign an IP address to veth0:

The code is as follows:

ifconfig veth0 192.168.5.5/24

Assign an IP address to veth2 within the namespace:

The code is as follows:

ip netns exec ns1 ifconfig veth2 192.168.5.10/24 up

Execute the ip addr list command inside and outside the namespace:

The code is as follows:

root@w:~# ip addr list
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:65:25:9e brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.122/24 brd 192.168.3.255 scope global eth0
    inet6 fe80::20c:29ff:fe65:259e/64 scope link
       valid_lft forever preferred_lft forever
6: veth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 86:b2:c7:bd:c9:11 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.5/24 brd 192.168.5.255 scope global veth0
    inet6 fe80::84b2:c7ff:febd:c911/64 scope link
       valid_lft forever preferred_lft forever
root@w:~# ip netns exec ns1 ip addr list
1: lo: mtu 65536 qdisc noop state DOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
5: veth2: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 12:bd:b6:76:a6:eb brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.10/24 brd 192.168.5.255 scope global veth2
    inet6 fe80::10bd:b6ff:fe76:a6eb/64 scope link
       valid_lft forever preferred_lft forever

View the routing table inside and outside the namespace:

The code is as follows:

root@w:~# ip route list
default via 192.168.3.1 dev eth0 proto static
192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.122
192.168.5.0/24 dev veth0 proto kernel scope link src 192.168.5.5
root@w:~# ip netns exec ns1 ip route list
192.168.5.0/24 dev veth2 proto kernel scope link src 192.168.5.10

Finally, to connect the virtual interface to the physical one, we need a bridge. Here veth0 is bridged to eth0, and DHCP is used inside the ns1 namespace to obtain an IP address automatically:

The code is as follows:

root@w:~# brctl addbr br0
root@w:~# brctl addif br0 eth0
root@w:~# brctl addif br0 veth0
root@w:~# ifconfig eth0 0.0.0.0
root@w:~# ifconfig veth0 0.0.0.0
root@w:~# dhclient br0
root@w:~# ip addr list br0
7: br0: mtu 1500 qdisc noqueue state UP
    link/ether 00:0c:29:65:25:9e brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.122/24 brd 192.168.3.255 scope global br0
    inet6 fe80::20c:29ff:fe65:259e/64 scope link
       valid_lft forever preferred_lft forever

The bridge br0 has been assigned 192.168.3.122/24. Next, obtain an address inside the namespace:

The code is as follows:

root@w:~# ip netns exec ns1 dhclient veth2
root@w:~# ip netns exec ns1 ip addr list
1: lo: mtu 65536 qdisc noop state DOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
5: veth2: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 12:bd:b6:76:a6:eb brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.248/24 brd 192.168.3.255 scope global veth2
    inet6 fe80::10bd:b6ff:fe76:a6eb/64 scope link
       valid_lft forever preferred_lft forever

Now veth2's IP address is 192.168.3.248/24.

That's all for "Namespaces in Linux". Thank you for reading. If you want to learn more about the field, you can follow the website; the editor will keep producing practical, high-quality articles for you!
