
CGroups and Namespaces

Posted on: August 13, 2023 at 04:23 PM

Namespaces are a feature of the Linux kernel. A process can use a set of resources that is not visible to other processes; in this way namespaces isolate processes from one another.

Cover photo by Gabriel Heinzer on Unsplash

These resource sets are kernel resources, for example process IDs, hostnames, user IDs, file names, and network stacks.

Namespaces are the fundamental building blocks of Linux containers.

If a process changes a global resource (such as a PID) inside a specific namespace, the change is visible only to processes in the same namespace. (This means we can start a process with PID 1 regardless of the host's init process.)

There are several namespace types in the Linux kernel:

User Namespace

It provides independent user and group IDs that can be assigned to processes. A process can have root privileges inside its own user namespace. User namespaces are nested: every user namespace has exactly one parent user namespace (except the root user namespace) and zero or more child user namespaces.

PID Namespace

PID namespaces isolate process IDs. Processes in different PID namespaces can have the same process ID. The first process in a PID namespace gets PID 1, and subsequent processes are numbered sequentially.

Network Namespace

It isolates the network stack. Processes in a network namespace use their own routing tables, IP addresses, network devices, and other network resources, isolated from other network namespaces.

NOTE: The ip netns command works with network namespaces and can be used when creating virtual network devices.

Mount Namespace

File systems mounted by processes in a mount namespace do not affect the mount table of the host.

IPC Namespace

Processes in this namespace use IPC resources in isolation from other namespaces, for example message queues, shared memory, and System V IPC objects.

UNIX Time Sharing (UTS) Namespace

Isolates the hostname. Processes in this namespace appear to be running on different machines (with different hostnames).

Control Group (cgroup)

With the help of cgroups, the system resources available to processes in the namespace, such as CPU, memory, and disk, can be restricted.

Time Namespace

Processes in this namespace can see a different system time from the host.

Example with unshare

unshare --user --pid --map-root-user --mount-proc --fork bash

Note: Without --mount-proc, the host's /proc file system is still visible inside the namespace, so processes are not actually hidden from each other. With this flag we tell unshare to mount a new /proc file system for us.

To list namespaces, run: lsns

Control Groups

With control groups, CPU, disk, network, memory, and other system resources can be limited; cgroups are how we define resource limits.

cgroup utilities for Debian-based systems: sudo apt install cgroup-tools

Examples

Creating a new memory cgroup

sudo cgcreate -g memory:my-memory-limiter
ls -la /sys/fs/cgroup/memory/my-memory-limiter/

Restricting memory

sudo cgset -r memory.limit_in_bytes=50M my-memory-limiter
cat /sys/fs/cgroup/memory/my-memory-limiter/memory.limit_in_bytes

Executing process with resource limit

sudo cgexec -g memory:my-memory-limiter ./some-high-memory-user.sh

Executing process with resource limit in a namespace

sudo cgexec -g memory:my-memory-limiter unshare -fp --mount-proc /bin/bash

Listing cgroup resource usage

systemd-cgtop
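To verify where a process landed after the unshare and cgexec commands above, the following Python example (added here, not part of the original post) reads the same kernel interfaces that lsns and the cgroup tools rely on: the /proc/<pid>/ns/* symlinks and the /proc/<pid>/cgroup file. It assumes a Linux /proc; the constructed sample input in the comments shows the cgroup v1 layout used by the cgcreate/cgset commands above, and the parser also accepts the cgroup v2 form (hierarchy ID 0 with an empty controller list).

```python
import os
import re
from collections import defaultdict

# Namespace types covered in this post, named as they appear under /proc/<pid>/ns/
NS_TYPES = ("user", "pid", "net", "mnt", "ipc", "uts", "cgroup", "time")


def parse_ns_link(target):
    """Parse a /proc/<pid>/ns/* symlink target such as 'pid:[4026531836]'
    into (namespace_type, inode). Processes with the same inode share that namespace."""
    m = re.fullmatch(r"(\w+):\[(\d+)\]", target)
    if not m:
        raise ValueError(f"unexpected namespace link target: {target!r}")
    return m.group(1), int(m.group(2))


def parse_cgroup_file(text):
    """Parse /proc/<pid>/cgroup into {controller: cgroup_path}.
    cgroup v1 lines look like '4:memory:/my-memory-limiter' (constructed sample);
    a cgroup v2 line looks like '0::/user.slice' and is stored under the key 'v2'."""
    membership = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hierarchy_id, controllers, path = line.split(":", 2)
        if controllers == "":
            membership["v2"] = path
        else:
            for ctrl in controllers.split(","):
                membership[ctrl] = path
    return membership


def read_namespaces(pid="self"):
    """Return {ns_type: inode} for a live process by reading its /proc/<pid>/ns/* links."""
    result = {}
    for ns in NS_TYPES:
        link = f"/proc/{pid}/ns/{ns}"
        if os.path.lexists(link):  # 'time' is absent on kernels without time namespaces
            ns_type, inode = parse_ns_link(os.readlink(link))
            result[ns_type] = inode
    return result


def group_by_namespace(ns_by_pid, ns_type):
    """Group PIDs by the inode of one namespace type, like 'lsns -t <type>' does."""
    groups = defaultdict(list)
    for pid, namespaces in ns_by_pid.items():
        groups[namespaces[ns_type]].append(pid)
    return dict(groups)
```

Running it inside the unshare shell from the example above shows a pid/mnt/user inode different from the host's, and `parse_cgroup_file(open("/proc/self/cgroup").read())` shows the memory cgroup path the process was placed in by cgexec.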
