Linux supports several kinds of Namespace

2025-04-03 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article shares the kinds of Namespace supported by Linux. The editor finds it very practical and shares it here as a reference; follow along to have a look.

Currently, the Linux kernel supports the following six types of Namespace:

IPC: isolates System V IPC and POSIX message queues.

Network: isolates network resources.

Mount: isolates file system mount points.

PID: isolates process IDs.

UTS: isolates hostnames and domain names.

User: isolates user IDs and group IDs.

Linux operates on Namespaces mainly through three system calls: clone, setns and unshare. When clone creates a new process, it receives a parameter called flags. These flags include CLONE_NEWNS (Mount namespace), CLONE_NEWIPC, CLONE_NEWUTS, CLONE_NEWNET, CLONE_NEWPID and CLONE_NEWUSER; each one asks the kernel to create a new namespace of that type, so that the new process belongs to the new namespace as soon as it is created, and the processes it subsequently creates belong to the same namespace by default.
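The clone path described above, as an added example that is not part of the original article: a parent calls clone with CLONE_NEWUSER | CLONE_NEWUTS, the child (which starts life in the new UTS namespace) renames its host, and the parent's own hostname is untouched. CLONE_NEWUSER is combined with CLONE_NEWUTS so that an unprivileged caller may create the namespace; the hostname "ns-demo" is a constructed value, and the code assumes Linux with glibc.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

/* Prototypes of the GNU/BSD extensions, repeated here in case the feature
   macros were not in effect when the headers were first included. */
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);
int sethostname(const char *name, size_t len);
#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS  0x04000000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

#define STACK_SIZE (1024 * 1024)
static const char NEW_NAME[] = "ns-demo"; /* constructed hostname for the demo */

/* Runs in the child, i.e. inside the new UTS namespace. Returns 0 when the
   rename is visible to the child through uname(), 1 otherwise. */
static int child_fn(void *arg)
{
    (void)arg;
    if (sethostname(NEW_NAME, strlen(NEW_NAME)) != 0)
        return 1;
    struct utsname u;
    if (uname(&u) != 0 || strcmp(u.nodename, NEW_NAME) != 0)
        return 1;
    return 0;
}

/* Creates a child with clone(CLONE_NEWUSER | CLONE_NEWUTS). The child owns
   the new user namespace and therefore may set the hostname of the UTS
   namespace created alongside it. Returns 1 if the child renamed its host
   while the parent's name stayed unchanged, 0 if the kernel or sandbox
   refused to create the namespaces (EPERM/EINVAL/ENOSPC/EUSERS), and -1 on
   any other failure, including the new name leaking into the parent. */
int demo_clone_uts(void)
{
    struct utsname before, after;
    if (uname(&before) != 0)
        return -1;
    char *stack = malloc(STACK_SIZE);
    if (!stack)
        return -1;
    /* The stack grows downward, so clone() is handed its top end. */
    pid_t pid = clone(child_fn, stack + STACK_SIZE,
                      CLONE_NEWUSER | CLONE_NEWUTS | SIGCHLD, NULL);
    if (pid < 0) {
        int e = errno;
        free(stack);
        return (e == EPERM || e == EINVAL || e == ENOSPC || e == EUSERS) ? 0 : -1;
    }
    int status = 0;
    int waited = waitpid(pid, &status, 0);
    free(stack);
    if (waited < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    /* The parent never left the original UTS namespace, so its name is intact. */
    if (uname(&after) != 0 || strcmp(before.nodename, after.nodename) != 0)
        return -1;
    return 1;
}

int main(void)
{
    int r = demo_clone_uts();
    if (r == 1)
        puts("child renamed its host to ns-demo; parent's hostname is unchanged");
    else if (r == 0)
        puts("namespace creation not permitted here (user namespaces disabled?)");
    else
        puts("unexpected failure");
    return r < 0;
}
```

A return value of 0 is the common result inside a container whose seccomp profile blocks CLONE_NEWUSER; the check is written so that a refused namespace is reported separately from a real isolation failure.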

If you want to place an existing process into a new namespace, you can do so through the unshare function (long unshare (unsigned long flags)), whose flags parameter names the new namespaces to create. When you want to attach an existing process to an existing namespace, you do it through the setns function (int setns (int fd, int nstype)). Each process exposes its namespace information in procfs; find the existing namespace there, then set it through setns:

[root@centos ~]# ls -l /proc/10401/ns
total 0
lrwxrwxrwx 1 root root Jan 12 11:36 ipc -> ipc:[4026531839]
lrwxrwxrwx 1 root root Jan 12 11:36 mnt -> mnt:[4026531840]
lrwxrwxrwx 1 root root Jan 12 11:36 net -> net:[4026531956]
lrwxrwxrwx 1 root root Jan 12 11:36 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root Jan 12 11:36 user -> user:[4026531837]
lrwxrwxrwx 1 root root Jan 12 11:36 uts -> uts:[4026531838]

Each of the above virtual files corresponds to one namespace of the process. If another process wants to enter that namespace, it opens the virtual file to obtain an fd and then passes it as the fd argument of the setns function. Note that the type of the virtual file and the nstype argument must correspond to each other.
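The /proc/PID/ns inspection and the setns step above, as an added example that is not from the original article: the inode number in each link target (for instance uts:[4026531838]) identifies the namespace, so two processes share a namespace exactly when their links carry the same number. The functions below parse those targets, compare two processes namespace by namespace, and wrap the open-then-setns sequence. The program assumes Linux with glibc; a successful setns needs CAP_SYS_ADMIN in the target namespace's owning user namespace, so join_namespace is expected to fail with EPERM for an unprivileged caller.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Prototype of the GNU extension, stated explicitly in case _GNU_SOURCE
   was not in effect when <sched.h> was first included. */
int setns(int fd, int nstype);

/* The six namespace files the article lists under /proc/PID/ns. */
static const char *const NS_NAMES[] = {"ipc", "mnt", "net", "pid", "user", "uts"};
#define NS_COUNT 6

/* Parse a readlink() result such as "uts:[4026531838]" and return the
   inode number that identifies the namespace, or 0 if the string is not
   in that form. */
unsigned long parse_ns_inode(const char *target)
{
    const char *lb = strchr(target, '[');
    if (!lb)
        return 0;
    char *end = NULL;
    unsigned long ino = strtoul(lb + 1, &end, 10);
    if (end == lb + 1 || *end != ']')
        return 0;
    return ino;
}

/* Read /proc/<pid>/ns/<name> and return its namespace inode, or 0 if the
   process does not exist or the link cannot be read. */
unsigned long ns_inode(pid_t pid, const char *name)
{
    char path[64], target[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, name);
    ssize_t n = readlink(path, target, sizeof target - 1);
    if (n < 0)
        return 0;
    target[n] = '\0';
    return parse_ns_inode(target);
}

/* 1 if both processes are in the same <name> namespace, 0 if they differ,
   -1 if either process could not be inspected. */
int same_namespace(pid_t a, pid_t b, const char *name)
{
    unsigned long ia = ns_inode(a, name), ib = ns_inode(b, name);
    if (ia == 0 || ib == 0)
        return -1;
    return ia == ib;
}

/* Enter the <name> namespace of <pid>: open the procfs file to get an fd
   and hand it to setns(). nstype is the matching CLONE_NEW* flag, or 0 to
   accept whatever namespace type the fd refers to. Returns 0 on success,
   -1 with errno set otherwise. */
int join_namespace(pid_t pid, const char *name, int nstype)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, name);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = setns(fd, nstype);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Report which of our namespaces differ from those of the process named on
   the command line (default: PID 1 as seen through this procfs mount). */
int main(int argc, char **argv)
{
    pid_t other = argc > 1 ? (pid_t)atoi(argv[1]) : 1;
    for (int i = 0; i < NS_COUNT; i++) {
        int r = same_namespace(getpid(), other, NS_NAMES[i]);
        printf("%-5s %s\n", NS_NAMES[i],
               r == 1 ? "shared" : r == 0 ? "different" : "unreadable");
    }
    return 0;
}
```

Comparing a suspicious process against PID 1 in this way is a quick check of whether it has left the namespaces it was started in: a container workload whose net or mnt namespace matches the host's init is a finding worth investigating.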

Each of the six types of Namespace currently supported by the Linux kernel, namely IPC, Network, Mount, PID, UTS and User, is described below:

IPC

IPC stands for inter-process communication. Linux offers many kinds of inter-process communication, such as sockets, shared memory, POSIX message queues and System V IPC. The IPC namespace is aimed at System V IPC and POSIX message queues, which use identifiers to denote different message queues: processes communicate by looking up the message queue that corresponds to an identifier. What the IPC namespace does is make the same identifier refer to different message queues in different namespaces. In this way, processes in different namespaces cannot communicate with each other through these mechanisms.

Network

Network Namespace isolates network resources: each Network Namespace has its own network devices, IP addresses, routing table, /proc/net directory, port numbers, and so on. Each Network Namespace starts with only a loopback device (there are no other network devices), so the user has to do the network configuration inside it. The ip tool already supports Network Namespace, which lets you configure networking for a new Network Namespace.

Mount

Mount namespace is used to isolate file system mount points; the file systems that each process can see are recorded in /proc/<pid>/mounts. After a new Mount Namespace is created, mounting or unmounting file systems inside it does not affect other Namespaces.

PID

PID Namespace is used to isolate process PID numbers, so that processes in different Namespaces can have the same PID. When a PID Namespace is created, the first process in it gets PID 1 and is the init process. The init process has some special properties; for example, it is responsible for reaping all orphaned processes. In addition, any signal sent to the init process is blocked, even SIGKILL; that is, the init process cannot be "killed" from inside the container.

Note, however, that when you look at the system's processes with the ps command, you will find that you can actually see all of the host's processes:

This is because the ps command reads its information from procfs, and procfs was not isolated along with the PID Namespace, so it still presents the host's view. Although you can see these processes, you cannot send them signals, because they are actually in another PID Namespace.
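The three PID Namespace behaviours just described, as an added example that is not part of the original article: a helper process calls unshare(CLONE_NEWUSER | CLONE_NEWPID) and forks, so its child becomes PID 1 of the new namespace; that child then confirms that the still-mounted host procfs resolves /proc/self to its host PID rather than to 1, and that a null signal aimed at its parent's host PID fails with ESRCH because that number means nothing inside the new namespace. CLONE_NEWUSER is included so the demo runs without root; the code assumes Linux with glibc.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Prototype of the GNU extension, repeated in case _GNU_SOURCE was not
   in effect when <sched.h> was first included. */
int unshare(int flags);
#ifndef CLONE_NEWPID
#define CLONE_NEWPID  0x20000000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Exit codes handed back from the innermost process. */
enum { RC_OK = 0, RC_NOT_PID1 = 1, RC_PROC_REMOUNTED = 2,
       RC_SIGNAL_ALLOWED = 3, RC_NO_PERM = 10, RC_FAIL = 11 };

/* Runs as PID 1 of the new namespace. `outer` is the host-side PID of its
   parent, a process that is not visible from inside the new namespace. */
static int inner_checks(pid_t outer)
{
    if (getpid() != 1)
        return RC_NOT_PID1;
    /* /proc was mounted outside, so it resolves "self" in the outer PID
       namespace: the link names our host PID, not "1". This is the same
       reason ps still lists the host's processes. */
    char buf[32];
    ssize_t n = readlink("/proc/self", buf, sizeof buf - 1);
    if (n < 0)
        return RC_FAIL;
    buf[n] = '\0';
    if (strcmp(buf, "1") == 0)
        return RC_PROC_REMOUNTED;
    /* We can read about `outer` under /proc/<outer>, but that PID does not
       exist in our namespace, so even a null signal fails with ESRCH. */
    if (kill(outer, 0) == 0 || errno != ESRCH)
        return RC_SIGNAL_ALLOWED;
    return RC_OK;
}

/* Returns 1 when the demonstration ran and behaved as the article
   describes, 0 when the kernel or sandbox refused to create the
   namespaces (EPERM/EINVAL/ENOSPC/EUSERS), and -1 on any other outcome. */
int demo_pid_namespace(void)
{
    pid_t mid = fork();
    if (mid < 0)
        return -1;
    if (mid == 0) {
        /* unshare() does not move the caller: the *next* child it creates
           becomes PID 1 of the new namespace. */
        if (unshare(CLONE_NEWUSER | CLONE_NEWPID) != 0) {
            int e = errno;
            _exit((e == EPERM || e == EINVAL || e == ENOSPC || e == EUSERS) ? RC_NO_PERM : RC_FAIL);
        }
        pid_t me = getpid();          /* our PID in the outer namespace */
        pid_t in = fork();
        if (in < 0)
            _exit(RC_FAIL);
        if (in == 0)
            _exit(inner_checks(me));
        int st = 0;
        if (waitpid(in, &st, 0) < 0 || !WIFEXITED(st))
            _exit(RC_FAIL);
        _exit(WEXITSTATUS(st));
    }
    int st = 0;
    if (waitpid(mid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    switch (WEXITSTATUS(st)) {
    case RC_OK:      return 1;
    case RC_NO_PERM: return 0;
    default:         return -1;
    }
}

int main(void)
{
    int r = demo_pid_namespace();
    puts(r == 1 ? "PID 1 inside; host PIDs visible via procfs but not signallable"
       : r == 0 ? "namespace creation not permitted here"
                : "unexpected failure");
    return r < 0;
}
```

The remedy for the visibility problem is the one container runtimes apply: give the new PID Namespace its own Mount Namespace and mount a fresh procfs inside it, so that /proc describes only the processes of that namespace.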

UTS

UTS Namespace is used to isolate the hostname and domain name, that is, the nodename and domainname fields of the struct utsname returned by the uname system call, which is where the name UTS comes from. Why is a UTS namespace needed? Because the hostname can be used in place of an IP address, for example when a machine on the local area network is reached by its hostname.

User

User Namespace is used to isolate user resources. For example, the user and group IDs of a process inside the Namespace can differ from its IDs on the host. In this way, an ordinary user on the host can have root privileges inside this container (user namespace), but those privileges are limited to the container. (In fact, there are still many privileged operations that such a root user cannot perform in a container; basically, if a privileged operation would affect other containers or the host, it is not allowed.)

Thank you for reading! This is the end of this article on "Linux supports several kinds of Namespace". I hope the above content is helpful to you and lets you learn more. If you think the article is good, please share it so that more people can see it!
