2025-01-15 Update, from SLTechnology News&Howtos (shulou), Servers section
Shulou (Shulou.com) 06/02 Report
Docker implements resource isolation through namespaces, resource limits through cgroups, and efficient file operations through copy-on-write.
1. namespace resource isolation
The six kinds of isolation a namespace provides:

Namespace   System call parameter   Isolated content
UTS         CLONE_NEWUTS            Hostname and domain name
IPC         CLONE_NEWIPC            Semaphores, message queues and shared memory
PID         CLONE_NEWPID            Process IDs
Network     CLONE_NEWNET            Network devices, network stacks, ports, etc.
Mount       CLONE_NEWNS             Mount points (file systems)
User        CLONE_NEWUSER           Users and user groups
One of the main purposes of implementing namespaces in the Linux kernel is to provide lightweight virtualized (container) services. Processes in the same namespace can see each other's changes but know nothing about processes outside it. This gives a process in a container the illusion that it is running in a separate system environment, which is what provides independence and isolation.
Four ways to work with the namespace API
The namespace API consists of clone(), setns() and unshare(), plus some files under /proc. To specify which of the six namespaces to isolate, you usually pass one or more of the following six flags to these APIs, combined with bitwise OR:
CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWPID, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWUSER.
Create a namespace while creating a new process through clone()
Using clone() to create a process in its own namespace is the most common practice and the most basic way Docker uses namespaces. It is called as follows.

    NAME
           clone, __clone2 - create a child process
    SYNOPSIS
           /* Prototype for the glibc wrapper function */
           #include <sched.h>
           int clone(int (*fn)(void *), void *child_stack,
                     int flags, void *arg, ...
                     /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ );

clone() is actually a more general form of the fork system call: its flags control how much is shared with the parent. There are more than 20 CLONE_* flags controlling every aspect of the cloned process (for example, whether it shares virtual memory with the parent).
View the /proc/[pid]/ns files
Starting with kernel version 3.8, users can see files under this directory that point to the different namespace numbers:

    $ ls -l /proc/2597/ns
    total 0
    lrwxrwxrwx 1 zhangxa zhangxa 0 Mar  2 06:42 cgroup -> cgroup:[4026531835]
    lrwxrwxrwx 1 zhangxa zhangxa 0 Mar  2 06:42 ipc -> ipc:[4026531839]
    lrwxrwxrwx 1 zhangxa zhangxa 0 Mar  2 06:42 mnt -> mnt:[4026531840]
    lrwxrwxrwx 1 zhangxa zhangxa 0 Mar  2 06:42 net -> net:[4026531957]
    lrwxrwxrwx 1 zhangxa zhangxa 0 Mar  2 06:42 pid -> pid:[4026531836]
    lrwxrwxrwx 1 zhangxa zhangxa 0 Mar  2 06:42 user -> user:[4026531837]
    lrwxrwxrwx 1 zhangxa zhangxa 0 Mar  2 06:42 uts -> uts:[4026531838]
If two processes have the same namespace number, they are under the same namespace.
Another use of the symbolic links in /proc/[pid]/ns is that once one of these link files has been opened, the namespace keeps existing even after every process in it has exited, and later processes can still join it. In Docker, locating and joining an existing namespace through a file descriptor is the most basic mechanism.
In addition, a file in the /proc/[pid]/ns directory can be bind-mounted with --bind to achieve the same effect:

    # mount --bind /proc/2454/ns/uts uts
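The clone() flags described above and the namespace-number check from /proc/[pid]/ns, combined in one added example (not from the original article): the parent clones a child with CLONE_NEWUTS (plus CLONE_NEWUSER so it works unprivileged where user namespaces are enabled), the child changes the hostname in its own UTS namespace and reports its uts namespace number over a pipe, and the parent compares it with its own. The function names are this example's own.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Parse the number out of a /proc/[pid]/ns link target such as "uts:[4026531838]". */
long ns_number_from_link(const char *link) {
    const char *open = strchr(link, '[');
    return open ? strtol(open + 1, NULL, 10) : -1;
}
/* Namespace number of <type> for <pid>, or -1 if the link cannot be read. */
long ns_number(pid_t pid, const char *type) {
    char path[64], link[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, type);
    ssize_t n = readlink(path, link, sizeof link - 1);
    if (n < 0) return -1;
    link[n] = '\0';
    return ns_number_from_link(link);
}
/* Child: the hostname change is visible only inside the new UTS namespace;
 * then report this process's uts namespace number to the parent via the pipe. */
static int child_fn(void *arg) {
    int wfd = *(int *)arg;
    if (sethostname("isolated", 8) == -1) perror("sethostname");
    long mine = ns_number(getpid(), "uts");
    return write(wfd, &mine, sizeof mine) == (ssize_t)sizeof mine ? 0 : 1;
}
/* Returns 1 if the child got its own UTS namespace, 0 if it shares the parent's,
 * -1 if clone() was refused (EPERM where user namespaces are disabled) or /proc
 * could not be read. */
int uts_isolation_demo(void) {
    static char stack[256 * 1024];      /* clone() stack grows down: pass the top */
    int pfd[2];
    if (pipe(pfd) == -1) return -1;
    int flags = CLONE_NEWUSER | CLONE_NEWUTS | SIGCHLD;
    pid_t child = clone(child_fn, stack + sizeof stack, flags, &pfd[1]);
    if (child == -1) { perror("clone"); close(pfd[0]); close(pfd[1]); return -1; }
    close(pfd[1]);
    long theirs = -1;
    if (read(pfd[0], &theirs, sizeof theirs) != (ssize_t)sizeof theirs) theirs = -1;
    close(pfd[0]);
    waitpid(child, NULL, 0);
    long mine = ns_number(getpid(), "uts");
    if (mine < 0 || theirs < 0) return -1;
    return mine != theirs;              /* different numbers = different namespaces */
}
```

Running `hostname` on the parent side afterwards shows it unchanged, which is the isolation the table above promises for UTS.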
Join an existing namespace through setns()
As mentioned above, a namespace can be kept alive by a bind mount even after its processes end; it is kept so that processes can join it later. In Docker, this is how docker exec runs a new command inside an already running container. Through the setns() system call a process leaves its current namespace and joins an existing one, as shown below. Usually, so as not to affect the calling process while still letting a newly joined PID namespace take effect, the caller executes setns() and then creates a child with clone() to run the command, letting the original process exit.

    NAME
           setns - reassociate thread with a namespace
    SYNOPSIS
           #define _GNU_SOURCE             /* See feature_test_macros(7) */
           #include <sched.h>
           int setns(int fd, int nstype);

The core of the test program (with the includes, argument handling and error checks it needs to compile and run):

    #define _GNU_SOURCE
    #include <fcntl.h>
    #include <sched.h>
    #include <stdio.h>
    #include <unistd.h>

    int main(int argc, char *argv[]) {
        if (argc < 3) { fprintf(stderr, "usage: %s /proc/[pid]/ns/<type> cmd [args]\n", argv[0]); return 1; }
        int fd = open(argv[1], O_RDONLY);      /* the ns file, or a bind-mounted copy of it */
        if (fd == -1) { perror("open"); return 1; }
        if (setns(fd, 0) == -1) { perror("setns"); return 1; }   /* nstype 0: accept any namespace type */
        execvp(argv[2], &argv[2]);             /* run the command inside the joined namespace */
        perror("execvp");
        return 1;
    }

Assume the compiled program is called "setns-test":

    # ./setns-test ~/uts /bin/bash

At this point you can run shell commands in the newly joined namespace.
Isolate the current process through unshare()
It is very similar to clone(), except that unshare() acts on the current process and does not need to start a new one.

    NAME
           unshare - disassociate parts of the process execution context
    SYNOPSIS
           #include <sched.h>
           int unshare(int flags);

The main purpose of calling unshare() is to get the isolation effect without starting a new process, not to leave the original namespace. In this way, operations that need isolation can be performed in the original process. The unshare command that ships with Linux is implemented through the unshare() system call. Docker does not currently use this system call.
Summary
The above is the whole of this article on Docker's use of namespaces. I hope it is helpful to everyone. Interested readers can continue with related articles on this site: Docker security mechanisms (kernel security and network security between containers), and how Docker uses Linux iptables and interfaces to manage container networks. If you have any questions, leave a message at any time and the editor will reply promptly. Thank you for supporting this site!