👉 Overview
👀 What?
PID Namespace is an important feature in Linux. It provides process isolation by making processes in different PID namespaces unable to see or signal each other, unless explicitly allowed. This isolation is crucial in many applications, such as containers, where it's necessary to keep processes separate and secure.
🧐 Why?
Understanding PID Namespace is essential for anyone working with Linux, especially in fields like cybersecurity or system administration. It's a fundamental concept in Linux that allows for process isolation, which is vital for system security and stability. Without process isolation, a rogue or malicious process could potentially disrupt or take control of other processes, leading to system instability or security breaches.
⛏️ How?
Creating a new PID Namespace in Linux is relatively straightforward. You can use the 'unshare' command with the '-p' option to create a new PID Namespace and then use the 'fork' system call to create a new process in that namespace. It's also possible to use the 'clone' system call with the 'CLONE_NEWPID' flag to create a new process in a new PID Namespace. However, it's important to note that only privileged users (usually root) can create new PID namespaces for security reasons.
⏳ When?
The concept of namespaces in Linux, including PID Namespace, was introduced in kernel version 2.4.19, released in 2002. However, it was not until kernel version 3.8, released in 2013, that unprivileged users were allowed to create new namespaces, albeit with some restrictions.
⚙️ Technical Explanations
A PID Namespace in Linux is a mechanism that provides a separate space of process identifiers (PIDs). Each PID Namespace possesses its own unique set of PID numbers, which are distinct from those in other namespaces. This means that a process in one PID Namespace cannot see or interact with processes in another PID Namespace, unless explicit permission is given, providing a crucial layer of process isolation.
Creating a new PID Namespace can be done using the 'unshare' command coupled with the '-p' option, or alternatively, the 'clone' system call with the 'CLONE_NEWPID' flag can be used. However, for security reasons, only privileged users can create new PID namespaces.
The first process in each PID Namespace, designated PID 1, has a unique role. It is responsible for reaping orphaned processes, which are processes that have been abandoned by their parent processes. This is a critical function for maintaining system stability and preventing resource leakage.
The introduction of PID namespaces has been particularly beneficial in the field of container technology. Containers utilize PID namespaces to ensure that the processes within them are isolated from both the host system and other containers, enhancing security and stability.
PID Namespaces were introduced in Linux kernel version 2.4.19 in 2002, but it wasn’t until the release of kernel version 3.8 in 2013 that unprivileged users were granted the ability to create new namespaces, albeit with some limitations.
Let's create a new PID Namespace using the unshare command. The unshare command allows you to run a program with new namespaces. Here's the command:
sudo unshare -p -f bash
In the above command, the '-p' option tells unshare to create a new PID namespace, and the '-f' option instructs it to fork a new child process. The 'bash' command launches a new bash shell within this new namespace.
Once you're in the new namespace, you can verify that it worked by checking the PID of the current process:
echo $$
In a new PID namespace, the PID of the first process (in this case, our bash shell) should be 1, which confirms that we're in a new PID namespace.
To further illustrate process isolation, let's start a background process in this new bash shell:
sleep 1000 &
This starts a 'sleep' process that will run in the background for 1000 seconds. If you list the running processes with 'ps', you should see only the bash shell and the sleep process.
Now, if you exit the bash shell and return to your original shell (outside the PID namespace), you won't be able to see the sleep process, even though it's still running. This demonstrates how processes in different PID namespaces are isolated from each other.
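As an added example, not code from the original article, here is the clone(2) route mentioned above alongside a defender's-eye check: the child reports the PID it sees (1), the parent keeps the PID it sees for that same process, and a small parser reads the kernel's NSpid line from /proc/<pid>/status, which from the parent namespace lists one process under both PIDs. It assumes Linux with glibc on x86_64 or arm64 (raw clone argument order), adds CLONE_NEWUSER so it can run unprivileged where the kernel permits, and the status text it is tested against is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/sched.h>     /* CLONE_NEWPID, CLONE_NEWUSER */
#include <signal.h>          /* SIGCHLD */
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns the PID the child sees inside its new PID namespace (1 on success),
 * stores the PID the parent sees for that same process in *outer_pid, or
 * returns -errno. A raw clone(2) with a NULL stack behaves like fork() but
 * applies the namespace flags (assumes x86_64/arm64 argument order). CLONE_NEWUSER
 * lets an unprivileged user run this where the kernel allows; else EPERM. */
int inner_pid_of_new_pidns(pid_t *outer_pid) {
    int fd[2];
    pid_t inner = -1;
    if (pipe(fd) == -1) return -errno;
    pid_t pid = syscall(SYS_clone, CLONE_NEWUSER | CLONE_NEWPID | SIGCHLD, 0, 0, 0, 0);
    if (pid == 0) {                               /* first process in the new ns */
        inner = getpid();                         /* expected to be 1 */
        _exit(write(fd[1], &inner, sizeof inner) == sizeof inner ? 0 : 1);
    }
    if (pid == -1) { int e = errno; close(fd[0]); close(fd[1]); return -e; }
    close(fd[1]);
    if (read(fd[0], &inner, sizeof inner) != sizeof inner) inner = -1;
    close(fd[0]);
    waitpid(pid, NULL, 0);                        /* reap the namespace's PID 1 */
    if (outer_pid) *outer_pid = pid;              /* same process, outer view */
    return inner;
}

/* Parse the "NSpid:" line of /proc/<pid>/status (kernel 4.1+): the PID of one
 * process in each namespace it belongs to, outermost first, so a containerised
 * process read from the host shows as e.g. "4242 1". Returns the PID count. */
int parse_nspid(const char *status, pid_t *out, int max) {
    const char *p = strstr(status, "NSpid:");
    int n = 0; char *end = NULL;
    if (!p) return 0;
    for (p += strlen("NSpid:"); n < max; p = end) {
        long v = strtol(p, &end, 10);
        if (end == p) break;                      /* no more numbers */
        out[n++] = (pid_t)v;
        if (*end == '\n' || *end == '\0') break;  /* end of the NSpid line */
    }
    return n;
}
```

For the ps check in the walkthrough above, remember that ps reads /proc: the new namespace lists only its own processes once a fresh procfs is mounted inside it, which util-linux unshare does with its --mount-proc option.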