📖

Namespaces

Formula

Group

ConceptOS

Keywords

Linux

Last edited time

Jun 25, 2024 2:16 PM

Slug

Status

In progress

Title

Code inside page

Github

👉 Overview
👀 What ?
🧐 Why ?
⛏️ How ?
⏳ When ?
⚙️ Technical Explanations
🖇️ References

👉 Overview

👀 What ?

Linux namespaces are a feature of the Linux kernel that isolates and partitions system resources, such as process IDs, network and user IDs, among other things, between groups or 'namespaces'. This allows for a certain degree of isolation between applications, enhancing both security and system organization.

🧐 Why ?

Linux namespaces are a fundamental building block for container technologies like Docker, providing the necessary isolation that makes containers secure and independent units of software deployment. They are crucial for maintaining the stability of the Linux system, preventing processes and users from interfering with each other, and partitioning system resources in a controlled and efficient way.

⛏️ How ?

Using Linux namespaces typically involves leveraging certain system calls like clone(), unshare(), and setns() to create, modify, and switch between namespaces. Additionally, Linux namespaces can also be managed using command-line utilities like 'unshare' or 'nsenter'. However, it's worth noting that while powerful, Linux namespaces should be handled with care, as improper usage can lead to system instability or security issues.

⏳ When ?

The concept of namespaces was first introduced in Linux kernel 2.4.19, released in 2002. Over the years, more types of namespaces have been added to provide better isolation and control over system resources.

⚙️ Technical Explanations

Linux namespaces are a crucial aspect of the Linux kernel that allows for the isolation of certain system resources, such as process identifiers (PIDs), network interfaces, and user IDs, among others. Each namespace encapsulates a particular global system resource, and processes within that namespace perceive that they have a private and isolated instance of that global resource.

For instance, the PID namespace isolates the allocation of PIDs. In a typical system without namespaces, process IDs are unique and system-wide. However, within a PID namespace, a process can have a unique ID, which is different from its ID in the rest of the system. This allows for processes to be isolated from each other, providing a measure of security and stability.

Similarly, the network namespace provides isolation for network interfaces and routing tables. Each network namespace has its own private network stack, including its own routes, firewall rules, and network devices. This means that a process running within a particular network namespace cannot communicate directly with a process running in another network namespace.

When a process is created, it inherits the namespaces of its parent process. However, new namespaces can be created, and processes can be moved between namespaces using specific system calls, such as clone(), unshare(), and setns(). These system calls allow for the creation of new processes, the disassociation of a process from some of its namespaces, and the association of a process with a different namespace, respectively.

Command-line utilities like 'unshare' or 'nsenter' also provide a way to manage Linux namespaces. The 'unshare' command allows a process to disassociate parts of its execution context that are currently being shared with other processes, while 'nsenter' is used to run a program in different namespaces.

The use of Linux namespaces is a fundamental technology in creating lightweight containers, which are isolated user-space instances. By isolating different aspects of the system within different namespaces, it's possible to create environments that are isolated from each other to varying degrees. However, it's crucial to note that while powerful, Linux namespaces should be handled with care, as improper usage can lead to system instability or potential security issues.

For a detailed example, let's consider creating a new network namespace and running a process inside it. The following steps and commands help illustrate the process:

Create a new network namespace: We can create a new namespace using the ip command with netns add option. For instance, if we want to create a namespace named 'myNamespace', we can run:

sudo ip netns add myNamespace

List the namespaces: You can verify the creation of the new namespace by listing all network namespaces:

sudo ip netns list

Run a process in the new namespace: Now, let's run a process (e.g., a bash shell) inside 'myNamespace'. We can do this using ip netns exec followed by the namespace name and the command for the process we want to run:

sudo ip netns exec myNamespace bash

Now, you are inside a bash shell in the 'myNamespace' network namespace. This namespace has its own network stack isolated from the rest of the system.

Verify the isolation: Inside 'myNamespace', if you run ifconfig, you will see that this namespace does not have access to the network interfaces of the host machine. This demonstrates the isolation provided by namespaces.

ifconfig

Exit the namespace: Once done, you can exit the namespace by simply typing exit.

exit

Delete the namespace: If you want to delete 'myNamespace', you can use ip netns delete:

sudo ip netns del myNamespace

This example provides a simple demonstration of how Linux namespaces can isolate system resources. In this case, we isolated network interfaces using network namespaces. However, remember that messing with Linux namespaces without proper knowledge can lead to system instability, so always proceed with caution.