Namespaces are a feature of the Linux kernel. They let a process use a set of resources that is not visible to another process; in other words, namespaces isolate processes from one another.
Resource sets are kernel resources such as process IDs, hostnames, user IDs, file names, network stacks, etc.
Namespaces are fundamental blocks of Linux containers.
If a process changes a global resource (like a PID) inside a specific namespace, the change is visible only to processes in the same namespace. (This means we can start a process with PID 1 regardless of the host's init process.)
There are several namespace types in the Linux kernel:
User Namespace
It includes independent user and group IDs that can be assigned to processes. A process can escalate to the root user within its own namespace. User namespaces are nested: every user namespace has exactly one parent user namespace (except the root user namespace) and zero or more child user namespaces.
PID Namespace
PID namespaces isolate process IDs. Processes in different PID namespaces can have the same process ID. The first process of a PID namespace takes PID 1 and subsequent processes are numbered sequentially.
Network Namespace
It isolates the network stack. Processes in a network namespace use their own routing tables, IP addresses, network devices, and other network resources, in isolation from other network namespaces.
NOTE: We can use the ip netns command, which works with network namespaces, for creating virtual network devices.
Mount Namespace
Processes in the namespace see their own set of mount points, so a file system mounted there does not affect the host file system.
IPC Namespace
Processes in this namespace use IPC resources in isolation from other namespaces, for example message queues, shared memory, and System V IPC objects.
UNIX Time Sharing(UTS) Namespace
Isolates the hostname. Processes in this namespace appear to run on different machines (with different hostnames).
Control Group (cgroup)
With the help of cgroups, the resources of processes in the namespace can be restricted. These are system resources like CPU, memory, disk, etc.
Time Namespace
Processes under this namespace can have different system times.
Example with unshare
unshare --user --pid --map-root-user --mount-proc --fork bash
--user: Create a new user namespace.
--pid: Create a new PID namespace.
--map-root-user: Give root permission inside the namespace.
--mount-proc: Mount the proc filesystem before executing the command.
--fork: Rather than executing the command directly, run it as a child of the unshare command. This is required for PID namespaces.
Note: If we do not pass --mount-proc, the host /proc file system is shown inside the namespace, so we cannot isolate processes. With this flag, we tell unshare to mount a new /proc filesystem for us.
To list namespaces we can type: lsns
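As an added example (not code from the original post), the following POSIX shell script reads the /proc/<pid>/ns/* links that lsns also relies on to tell which namespaces a process shares with the current shell, and, where unprivileged user namespaces are allowed, runs the post's unshare command non-interactively to show that the inner shell is PID 1 with its own hostname while the host is untouched. The function names and the hostname value are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Each /proc/<pid>/ns/<type>
# symlink resolves to "<type>:[<inode>]"; two processes are in the same
# namespace exactly when the inode numbers match. Reading another user's
# links needs the same uid or CAP_SYS_PTRACE, otherwise readlink fails and
# the type is reported as differing. Function names are my own.

# ns_id PID TYPE -> prints e.g. "pid:[4026531836]" (PID may be "self")
ns_id() {
    readlink "/proc/$1/ns/$2"
}

# same_ns PID1 PID2 TYPE -> exit 0 if both processes share that namespace
same_ns() {
    a=$(ns_id "$1" "$3") || return 1
    b=$(ns_id "$2" "$3") || return 1
    [ "$a" = "$b" ]
}

# ns_diff PID -> prints the namespace types in which PID differs from this
# shell; a containerised process typically differs in pid, mnt, uts and net
ns_diff() {
    for t in user pid net mnt ipc uts cgroup; do
        [ -e "/proc/$1/ns/$t" ] || continue
        same_ns "$$" "$1" "$t" || printf '%s ' "$t"
    done
    echo
}

# Demo: the post's unshare command, run non-interactively. Inside, the shell
# is PID 1, uid 0 (mapped), and can change the hostname (UTS namespace added)
# without affecting the host. Skipped where user namespaces are disabled.
demo_unshare() {
    if unshare --user --pid --map-root-user --mount-proc --fork true 2>/dev/null; then
        unshare --user --pid --uts --map-root-user --mount-proc --fork sh -c '
            hostname isolated-host 2>/dev/null
            echo "inside : pid=$$ uid=$(id -u) host=$(uname -n) pidns=$(readlink /proc/self/ns/pid)"'
        echo "outside: pid=$$ uid=$(id -u) host=$(uname -n) pidns=$(readlink /proc/self/ns/pid)"
    else
        echo "skipping demo: user namespaces are not permitted for this user"
    fi
}

if [ "${1:-}" = "--demo" ]; then demo_unshare; fi
```

Run it as `sh script.sh --demo` to see the inside/outside comparison; `ns_diff <pid>` on any running container process shows which of the namespace types listed above that process does not share with your shell.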
Control Groups
With control groups, CPU, disk, network, memory, and other system resources can be limited. We can create resource limits with cgroups.
- Prioritization: We can prioritize a process in the namespace with a cgroup.
- Accounting: Resource usage is monitored and reported at the cgroup level.
- Control: Processes in the same cgroup can be managed with a single command.
CGroup utilities for Debian-based systems: sudo apt install cgroup-tools
Examples
Creating a new memory cgroup
sudo cgcreate -g memory:my-memory-limiter
ls -la /sys/fs/cgroup/memory/my-memory-limiter/
Restricting memory
sudo cgset -r memory.limit_in_bytes=50M my-memory-limiter
cat /sys/fs/cgroup/memory/my-memory-limiter/memory.limit_in_bytes
Executing a process with a resource limit
sudo cgexec -g memory:my-memory-limiter ./some-high-memory-user.sh
Executing a process with a resource limit in a namespace
sudo cgexec -g memory:my-memory-limiter unshare -fp --mount-proc /bin/bash
Listing cgroup resource usage
systemd-cgtop
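As an added example (not the post's or cgroup-tools' own code), the following POSIX shell script covers both the cgroup description above and the memory examples: it reads the v1 control files under the post's /sys/fs/cgroup/memory/<name> layout back to confirm that a limit such as 50M actually took effect, that usage stays below it, and how often the limit was hit. The function names are my own, the unlimited sentinel is the value a 64-bit v1 kernel reports when no limit is set, and the live part at the end runs the post's cgcreate/cgset commands only when executed as root on a host with the v1 memory controller.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers that read a cgroup v1
# memory controller directory back to verify a limit is in force. Directory
# layout follows the post: /sys/fs/cgroup/memory/<name>/memory.*.
# Function names are my own; the cgroup name in the demo is the post's.

# to_bytes SIZE -> bytes, accepting the K/M/G suffixes that cgset accepts
to_bytes() {
    n=${1%[KMGkmg]}
    case "$1" in
        *[Kk]) echo $((n * 1024)) ;;
        *[Mm]) echo $((n * 1024 * 1024)) ;;
        *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# Value memory.limit_in_bytes reports when no limit is set (v1, 64-bit kernel)
CG_V1_UNLIMITED=9223372036854771712

# mem_is_unlimited DIR -> exit 0 if the cgroup restricts nothing, i.e. the
# "limit" is only the kernel default; a sign that cgset was never applied
mem_is_unlimited() {
    limit=$(cat "$1/memory.limit_in_bytes" 2>/dev/null) || return 1
    [ "$limit" -ge "$CG_V1_UNLIMITED" ]
}

# mem_limit_ok DIR SIZE -> exit 0 if the limit read back equals SIZE
mem_limit_ok() {
    limit=$(cat "$1/memory.limit_in_bytes" 2>/dev/null) || return 1
    [ "$limit" = "$(to_bytes "$2")" ]
}

# mem_within_limit DIR -> exit 0 if current usage is at or below the limit
mem_within_limit() {
    limit=$(cat "$1/memory.limit_in_bytes" 2>/dev/null) || return 1
    usage=$(cat "$1/memory.usage_in_bytes" 2>/dev/null) || return 1
    [ "$usage" -le "$limit" ]
}

# mem_report DIR -> one-line summary; memory.failcnt counts how often the
# limit was hit, which shows whether the workload is actually being throttled
mem_report() {
    printf 'limit=%s usage=%s failcnt=%s\n' \
        "$(cat "$1/memory.limit_in_bytes")" \
        "$(cat "$1/memory.usage_in_bytes")" \
        "$(cat "$1/memory.failcnt" 2>/dev/null || echo n/a)"
}

# Live demo of the post's commands; needs root, cgroup-tools and a v1 memory
# controller, so it is skipped elsewhere (cgroup v2 uses memory.max instead).
demo_live() {
    cg=/sys/fs/cgroup/memory/my-memory-limiter   # cgroup name from the post
    if [ "$(id -u)" -eq 0 ] && [ -d /sys/fs/cgroup/memory ] && command -v cgcreate >/dev/null; then
        cgcreate -g memory:my-memory-limiter
        cgset -r memory.limit_in_bytes=50M my-memory-limiter
        mem_limit_ok "$cg" 50M && echo "limit of 50M confirmed"
        mem_report "$cg"
    else
        echo "skipping live demo: needs root, cgroup-tools and a cgroup v1 memory controller"
    fi
}

if [ "${1:-}" = "--demo" ]; then demo_live; fi
```

Run it as `sudo sh script.sh --demo` to execute the post's cgcreate/cgset steps and read the limit back; on a cgroup v2 host the memory directory is absent and the demo is skipped, since the files there are memory.max and memory.current rather than the v1 names used in the post.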