KEMBAR78
Namespaces in Linux | PDF
Lubomir Rintel, profile picture
Uploaded byLubomir Rintel
3,982 views

Namespaces in Linux

This document discusses namespaces in Linux. Namespaces allow containers to have isolated resources like processes, networking, file systems, users and more. Containers share less than virtual machines but provide more isolation than regular processes. Namespaces use the clone system call to create an isolated view of various system resources for a container. Common namespaces include UTS for hostname, IPC for shared memory, PID for process IDs, network, mount and more. Tools like LXC, Docker and systemd-nspawn make it easy to create and manage containers using namespaces and cgroups.

Downloaded 82 times
Namespaces in Linux Ľubomír Rintel GoodData Q1 off-site Harrachov 2014
UNIX processes ● Virtualization – – ● Virtual CPU and memory Consistently accessible devices Shared resources – Runtime configuration – Communication channels – Filesystem – Privileges, credentials pid_t pid = fork (); if (pid) { <parent> } else { <child> }
What about threads?
Sharing more ● Sharing resources and state – Address space – Signal handlers – Open file handles – CWD, umask(), ...
Linux processes ● Threads are processes ● Process: own resources & state ● Thread: shared resources & state pid_t pid = clone (<what_to_share>); CLONE_VM Address space CLONE_FILES Open files CLONE_FS CWD, umask(), ... ... SEE ALSO: unshare(2)
...and what about containers?
Containers ● Virtualization ● Less sharing ● More separation Sharing is not caring. Your mother was wrong!
Namespaces ● Containers are to processes what processes are to threads pid_t pid = clone (<what_to_share>); CLONE_NEWUTS Hostname, domainname CLONE_NEWIPC SysV IPC objects CLONE_NEWPID Process IDs CLONE_NEWNET Network configuration CLONE_NEWNS File system mounts CLONE_NEWUSER User and Group IDs SEE ALSO: setns(2)
UTS namespace ● CLONE_NEWUTS ● CONFIG_UTS_NS since Linux 2.6.19 ● needs CAP_SYS_ADMIN ● hostname ● domainname
SysV IPC namespace ● CLONE_NEWIPC ● CONFIG_IPC_NS since 2.6.19 ● Obsolete System V UNIX IPC mechanisms: ● semaphores ● shared memory ● message queues
PID namespace ● CLONE_NEWPID ● CONFIG_PID_NS since Linux 2.6.24 ● ● a different PID visible from within namespace than from outside new PID 1
Network namespace ● CLONE_NEWNET ● CONFIG_NET_NS since Linux 2.6.29 ● separate network stack – – nftables/netfilter rules – ● network addresses loopback interface for namespace veth interface (CONFIG_VETH), ip netns
Mount namespace ● CLONE_NEWNS ● First namespace, since 2.4.19 ● /proc/<pid>/mounts instead of /proc/mounts ● In Fedora, run mount --make-private / or create new user NS
User namespace ● CLONE_NEWUSER ● CONFIG_USER_NS since 2.6.23 ● Unprivileged since 3.8, still disabled by default ● a different UID/GID visible from within namespace than from outside ● all capabilities within namespace – limited by capabilities in parent namespace ● can be combined with other namespaces ● Mapping of ranges via /proc/<pid>/uid_map /proc/<pid>/gid_map – Unprivileged user can map theirselves
LXC: Lightweight containers ● Container management toolset ● Create namespaces ● Configure networking ● Resource management with control groups ● Integrated with libvirt
Docker
systemd-nspawn ● ● Quick way to boot a container Can be run from a service unit in a separate cgroup
Future ● CONFIG_USER_NS=y by default ● Userspace for multiple UIDs (ranges) per user ● Syslog namespace
Questions?
What else? ● Auditing & SELinux ● Checkpoint & Restore in userspace ● fakeroot
Further reading ● ● ● Configuring network namespaces with iproute2's ip netns: http://blog.scottlowe.org/2013/09/04/introduci ng-linux-network-namespaces/ Mike Kerrisk's LWN series on namespaces: http://lwn.net/Articles/531114/ Rami Rosen's great Namespaces/Cgroups lecture http://www.haifux.org/lectures/299/netLec7.pdf

More Related Content

PPTX
Introduction to docker
byFrederik Mogensen
 
PDF
gRPC Overview
byVarun Talwar
 
PDF
Kubernetes Basics
byEueung Mulyana
 
PPTX
AWS solution Architect Associate study material
byNagesh Ramamoorthy
 
PDF
왜 쿠버네티스는 systemd로 cgroup을 관리하려고 할까요
byJo Hoon
 
PPTX
Docker Networking Overview
bySreenivas Makam
 
PPT
Docker introduction
byPhuc Nguyen
 
PDF
What is Docker | Docker Tutorial for Beginners | Docker Container | DevOps To...
byEdureka!
 
Introduction to docker
byFrederik Mogensen
 
gRPC Overview
byVarun Talwar
 
Kubernetes Basics
byEueung Mulyana
 
AWS solution Architect Associate study material
byNagesh Ramamoorthy
 
왜 쿠버네티스는 systemd로 cgroup을 관리하려고 할까요
byJo Hoon
 
Docker Networking Overview
bySreenivas Makam
 
Docker introduction
byPhuc Nguyen
 
What is Docker | Docker Tutorial for Beginners | Docker Container | DevOps To...
byEdureka!
 

What's hot

PDF
Open vSwitch 패킷 처리 구조
bySeung-Hoon Baek
 
PDF
Red Hat OpenShift Container Platform Overview
byJames Falkner
 
PDF
Getting Started with Kubernetes
byVMware Tanzu
 
PDF
RedHat OpenStack Platform Overview
byindevlab
 
PDF
ArgoCD and Tekton: Match made in Kubernetes heaven | DevNation Tech Talk
byRed Hat Developers
 
PDF
Docker Swarm 0.2.0
byDocker, Inc.
 
PPTX
RabbitMQ & Kafka
byVMware Tanzu
 
PPTX
Introduction to Kubernetes
byrajdeep
 
PPTX
Containerization
byGowtham Ventrapati
 
PPTX
REST Service Authetication with TLS & JWTs
byJon Todd
 
PDF
How we can do Multi-Tenancy on Kubernetes
byOpsta
 
PDF
Python-for-DevOps-Learn-Ruthlessly-Effective-Automation-by-Noah-Gift_-Kennedy...
byMinhTrnNht7
 
PPTX
Azure DevOps
byJuan Fabian
 
PPTX
Docker
byA.K.M. Ahsrafuzzaman
 
PDF
Istio : Service Mesh
byKnoldus Inc.
 
PDF
[오픈소스컨설팅] 쿠버네티스와 쿠버네티스 on 오픈스택 비교 및 구축 방법
byOpen Source Consulting
 
PDF
Virtualization - Kernel Virtual Machine (KVM)
byWan Leung Wong
 
PDF
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
byJi-Woong Choi
 
PPSX
CI-CD Jenkins, GitHub Actions, Tekton
byAraf Karsh Hamid
 
PDF
Cloud Native Landscape (CNCF and OCI)
byChris Aniszczyk
 
Open vSwitch 패킷 처리 구조
bySeung-Hoon Baek
 
Red Hat OpenShift Container Platform Overview
byJames Falkner
 
Getting Started with Kubernetes
byVMware Tanzu
 
RedHat OpenStack Platform Overview
byindevlab
 
ArgoCD and Tekton: Match made in Kubernetes heaven | DevNation Tech Talk
byRed Hat Developers
 
Docker Swarm 0.2.0
byDocker, Inc.
 
RabbitMQ & Kafka
byVMware Tanzu
 
Introduction to Kubernetes
byrajdeep
 
Containerization
byGowtham Ventrapati
 
REST Service Authetication with TLS & JWTs
byJon Todd
 
How we can do Multi-Tenancy on Kubernetes
byOpsta
 
Python-for-DevOps-Learn-Ruthlessly-Effective-Automation-by-Noah-Gift_-Kennedy...
byMinhTrnNht7
 
Azure DevOps
byJuan Fabian
 
Docker
byA.K.M. Ahsrafuzzaman
 
Istio : Service Mesh
byKnoldus Inc.
 
[오픈소스컨설팅] 쿠버네티스와 쿠버네티스 on 오픈스택 비교 및 구축 방법
byOpen Source Consulting
 
Virtualization - Kernel Virtual Machine (KVM)
byWan Leung Wong
 
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
byJi-Woong Choi
 
CI-CD Jenkins, GitHub Actions, Tekton
byAraf Karsh Hamid
 
Cloud Native Landscape (CNCF and OCI)
byChris Aniszczyk
 

Similar to Namespaces in Linux

PDF
Namespaces and cgroups - the basis of Linux containers
byKernel TLV
 
PDF
TDC2017 | São Paulo - Trilha Containers How we figured out we had a SRE team ...
bytdc-globalcode
 
PDF
lxc-namespace.pdf
by-
 
PDF
Linux containers-namespaces(Dec 2014)
byRalf Dannert
 
PPTX
Linux container, namespaces & CGroup.
byNeeraj Shrimali
 
ODP
LSA2 - 02 Namespaces
byMarian Marinov
 
PDF
Containers and Namespaces in the Linux Kernel
byOpenVZ
 
PPT
Processes in Linux.ppt
byjguuhxxxfp
 
PDF
dotCloud (now Docker) Paas under the_hood
bySusan Wu
 
ODP
Visual comparison of Unix-like systems & Virtualisation
bywangyuanyi
 
PPTX
Operating Systems: Linux in Detail
byDamian T. Gordon
 
PDF
The building blocks of docker.
byChafik Belhaoues
 
PDF
Linux intro
byHaggai Philip Zagury
 
PPT
Threads Advance in System Administration with Linux
bySoumen Santra
 
PPT
Memory management in linux
byDr. C.V. Suresh Babu
 
ODP
Linux internal
bymcganesh
 
PDF
Linux Internals - Part II
byEmertxe Information Technologies Pvt Ltd
 
PDF
LXC Containers and AUFs
byDocker, Inc.
 
PDF
Lightweight Virtualization: LXC containers & AUFS
byJérôme Petazzoni
 
PPTX
Cgroups, namespaces and beyond: what are containers made from?
byDocker, Inc.
 
Namespaces and cgroups - the basis of Linux containers
byKernel TLV
 
TDC2017 | São Paulo - Trilha Containers How we figured out we had a SRE team ...
bytdc-globalcode
 
lxc-namespace.pdf
by-
 
Linux containers-namespaces(Dec 2014)
byRalf Dannert
 
Linux container, namespaces & CGroup.
byNeeraj Shrimali
 
LSA2 - 02 Namespaces
byMarian Marinov
 
Containers and Namespaces in the Linux Kernel
byOpenVZ
 
Processes in Linux.ppt
byjguuhxxxfp
 
dotCloud (now Docker) Paas under the_hood
bySusan Wu
 
Visual comparison of Unix-like systems & Virtualisation
bywangyuanyi
 
Operating Systems: Linux in Detail
byDamian T. Gordon
 
The building blocks of docker.
byChafik Belhaoues
 
Linux intro
byHaggai Philip Zagury
 
Threads Advance in System Administration with Linux
bySoumen Santra
 
Memory management in linux
byDr. C.V. Suresh Babu
 
Linux internal
bymcganesh
 
Linux Internals - Part II
byEmertxe Information Technologies Pvt Ltd
 
LXC Containers and AUFs
byDocker, Inc.
 
Lightweight Virtualization: LXC containers & AUFS
byJérôme Petazzoni
 
Cgroups, namespaces and beyond: what are containers made from?
byDocker, Inc.
 

More from Lubomir Rintel

PDF
Namespaces for Kazimir
byLubomir Rintel
 
PDF
Linux Kernel Debugging Essentials workshop
byLubomir Rintel
 
PDF
LinuxAlt 2013: Writing a driver for unknown USB device
byLubomir Rintel
 
PDF
A journey through the years of UNIX and Linux service management
byLubomir Rintel
 
PDF
Practical SystemTAP basics: Perl memory profiling
byLubomir Rintel
 
PDF
Reverse Engineering: Writing a Linux driver for an unknown device
byLubomir Rintel
 
PDF
SELinux basics
byLubomir Rintel
 
PDF
Brno meetr: Packaging Ruby Gems into RPM
byLubomir Rintel
 
Namespaces for Kazimir
byLubomir Rintel
 
Linux Kernel Debugging Essentials workshop
byLubomir Rintel
 
LinuxAlt 2013: Writing a driver for unknown USB device
byLubomir Rintel
 
A journey through the years of UNIX and Linux service management
byLubomir Rintel
 
Practical SystemTAP basics: Perl memory profiling
byLubomir Rintel
 
Reverse Engineering: Writing a Linux driver for an unknown device
byLubomir Rintel
 
SELinux basics
byLubomir Rintel
 
Brno meetr: Packaging Ruby Gems into RPM
byLubomir Rintel
 

Recently uploaded

PDF
2025 October Patch Tuesday
byIvanti
 
PPTX
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
PDF
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
PDF
Beyond Generative AI: Creating Demand for Compute in the 2030s
byReidar Wasenius
 
PDF
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
PDF
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
PDF
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
PDF
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
PDF
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
 
PDF
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
PDF
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
PDF
TrustArc Webinar - Migration to TrustArc: What Your Journey Will Look Like
byTrustArc
 
PDF
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
PDF
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
PDF
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
 
PDF
Getting the Best of TrueDEM – October News & Updates
bypanagenda
 
PDF
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
PDF
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
PDF
NSSHOEU-J 4x35mm² Cable Specification.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
PPTX
"Towards React Server Components in Clojure", Roman Liutikov
byFwdays
 
2025 October Patch Tuesday
byIvanti
 
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
Beyond Generative AI: Creating Demand for Compute in the 2030s
byReidar Wasenius
 
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
 
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
TrustArc Webinar - Migration to TrustArc: What Your Journey Will Look Like
byTrustArc
 
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
 
Getting the Best of TrueDEM – October News & Updates
bypanagenda
 
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
NSSHOEU-J 4x35mm² Cable Specification.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
"Towards React Server Components in Clojure", Roman Liutikov
byFwdays
 

Namespaces in Linux