Linux namespaces

Namespaces are a feature of the Linux kernel that partition kernel resources so that one set of processes sees one set of resources while another set of processes sees a different set. Each process belongs to exactly one namespace of each kind; processes in different namespaces of a kind can use the same names (the same PID, the same hostname, the same shared-memory key) and have them refer to distinct resources. Examples of namespaced resources are process IDs, hostnames, user IDs, mount points (and thus file names), some names associated with network access, and inter-process communication identifiers.

namespaces
Original author(s): Al Viro
Developer(s): Eric W. Biederman, Pavel Emelyanov, Al Viro, Cyrill Gorcunov et al.
Initial release: 2002
Written in: C
Operating system: Linux
Type: System software
License: GPL and LGPL

Namespaces are a fundamental aspect of containers in Linux.

The term "namespace" is often used for a type of namespace (e.g. process ID) as well as for a particular space of names.

A Linux system starts out with a single namespace of each type, used by all processes. Processes can create additional namespaces and also join different namespaces.

History

Linux namespaces were inspired by the wider namespace functionality used heavily throughout Plan 9 from Bell Labs.[1]

Linux namespaces originated in 2002 in the 2.4.19 kernel with the mount namespace. Additional kinds were added beginning in 2006[2] and have continued to be added since.

Support adequate for containers was completed in kernel version 3.8 with the introduction of user namespaces.[3]

Namespace kinds

Since kernel version 5.6 there are eight kinds of namespaces. The model is the same across all kinds: each process is associated with one namespace of each kind and can only see or use the resources associated with that namespace (and, where the kind is hierarchical, its descendant namespaces). In this way each process, or group of processes, can have its own view of a resource; which resource is isolated depends on the kind of namespace created for the group.

Mount (mnt)

Mount namespaces control the set of mount points a process sees. Upon creation, the mounts of the creating process's mount namespace are copied to the new namespace; mounts made afterwards in one namespace do not appear in the other unless the affected mounts are configured to propagate using shared subtrees.[4] The copied mounts keep their propagation type, and on systems where the root mount is marked shared (as systemd does by default) a mount namespace created with the raw system call still exchanges mount events with its parent until its mounts are marked private; the unshare tool in util-linux therefore marks them private by default (--propagation private).

The clone flag used to create a new namespace of this type is CLONE_NEWNS - short for "NEW NameSpace". This term is not descriptive (it does not tell which kind of namespace is to be created) because mount namespaces were the first kind of namespace and designers did not anticipate there being any others.
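As an added example, not part of the original article, the following C program checks the non-propagation rule described above: a child enters a new user and mount namespace, mounts a tmpfs on a scratch directory, and both sides then test whether that directory is a mount point while the child's mount still exists. The scratch directory path and the tmpfs size are assumptions for the demonstration. Where namespace creation or mount(2) is refused (a container's seccomp profile, or unprivileged user namespaces disabled), the probe reports that instead of failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>

struct mount_probe {
    int status;           /* 0 = ran, 1 = not permitted in this environment, 2 = unexpected failure */
    int child_saw_mount;  /* inside the new mount namespace: did the directory become a mount point? */
    int parent_saw_mount; /* in the parent's namespace, checked while the child's mount existed */
};

/* A directory is a mount point when it lives on a different device than its parent. */
int is_mount_point(const char *dir)
{
    char parent[4200];
    struct stat a, b;
    snprintf(parent, sizeof parent, "%s/..", dir);
    if (stat(dir, &a) != 0 || stat(parent, &b) != 0) return -1;
    return a.st_dev != b.st_dev;
}

struct mount_probe probe_mount_isolation(void)
{
    struct mount_probe r = { 2, -1, -1 };
    char dir[] = "/tmp/mntns-demo-XXXXXX";  /* constructed scratch directory (assumption) */
    int to_parent[2], to_child[2];

    if (!mkdtemp(dir)) return r;
    if (pipe(to_parent) != 0 || pipe(to_child) != 0) { rmdir(dir); return r; }

    pid_t pid = fork();
    if (pid < 0) { rmdir(dir); return r; }
    if (pid == 0) {
        close(to_parent[0]); close(to_child[1]);
        /* User namespace first: CAP_SYS_ADMIN inside it is what permits the
         * mount namespace and the tmpfs mount without host privilege. */
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0)
            _exit(errno == EPERM || errno == EINVAL || errno == ENOSYS ? 10 : 11);
        /* Copied mounts keep their propagation type. Marking them private is the
         * hygiene step util-linux unshare performs by default; best effort here. */
        (void)mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
        if (mount("tmpfs", dir, "tmpfs", 0, "size=64k") != 0)
            _exit(errno == EPERM ? 10 : 11);
        int saw = is_mount_point(dir);
        if (saw < 0 || write(to_parent[1], &saw, sizeof saw) != (ssize_t)sizeof saw) _exit(11);
        char go;
        (void)read(to_child[0], &go, 1);   /* block until the parent has looked */
        _exit(0);
    }
    close(to_parent[1]); close(to_child[0]);

    int saw = -1;
    ssize_t n = read(to_parent[0], &saw, sizeof saw);
    if (n == (ssize_t)sizeof saw) {
        r.child_saw_mount = saw;
        r.parent_saw_mount = is_mount_point(dir);  /* the child's mount exists right now */
    }
    close(to_child[1]);                             /* release the child */
    close(to_parent[0]);
    int st = 0;
    waitpid(pid, &st, 0);
    rmdir(dir);                                     /* the mount vanished with the child's namespace */

    if (WIFEXITED(st) && WEXITSTATUS(st) == 10) { r.status = 1; return r; }
    if (!WIFEXITED(st) || WEXITSTATUS(st) != 0 || n != (ssize_t)sizeof saw || r.parent_saw_mount < 0)
        return r;
    r.status = 0;
    return r;
}

int main(void)
{
    struct mount_probe r = probe_mount_isolation();
    if (r.status == 1) { puts("namespace creation or mount not permitted here"); return 0; }
    if (r.status != 0) { puts("unexpected failure"); return 1; }
    printf("child sees mount point: %d, parent sees mount point: %d\n",
           r.child_saw_mount, r.parent_saw_mount);
    return 0;
}
```

The parent looks at the directory while the child is blocked on the second pipe, so the comparison is made against a live mount rather than one that has already been torn down with the namespace.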

Process ID (pid)

The PID namespace provides processes with a set of process IDs (PIDs) independent of other namespaces. PID namespaces are nested: a newly created process has one PID in each namespace from its own up to the initial PID namespace. The initial PID namespace therefore sees every process, albeit under different PIDs from those seen inside the other namespaces. Tools such as ps read /proc, so a process in a new PID namespace sees the namespace's own PIDs only if a fresh procfs is mounted for it, which is why PID namespaces are normally created together with a mount namespace.

The first process created in a PID namespace is assigned PID 1 and receives most of the special treatment of the normal init process, most notably that orphaned processes within the namespace are re-parented to it. It also means that the termination of this PID 1 process terminates all processes in its PID namespace and any descendant namespaces, as the kernel sends them SIGKILL.[5] Like the real init, this process ignores signals sent from within its namespace for which it has not installed a handler, so a stray kill from inside cannot take the namespace down; only SIGKILL and SIGSTOP from an ancestor namespace are always delivered.

Network (net)

Network namespaces virtualize the network stack. On creation, a network namespace contains only a loopback interface, which is down until something brings it up.

Each network interface, physical or virtual, is present in exactly one namespace at a time and can be moved between namespaces. A pair of veth interfaces, one end in each namespace, is the usual way to connect a namespace to the outside.

Each namespace has its own set of IP addresses, its own routing tables, socket listing, connection tracking table, firewall rules and other network-related resources, including its own view of /proc/net and of the sysctls under net.*.

Destroying a network namespace destroys any virtual interfaces within it and moves any physical interfaces within it back to the initial network namespace.
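The statement that a fresh network namespace holds only a loopback interface can be checked directly. The following C program, added here and not part of the original article, forks a child that enters a new user and network namespace, enumerates the interfaces visible there and records whether the first one is administratively up (in a new namespace lo exists but is down until something brings it up, so a freshly isolated process cannot even reach 127.0.0.1). The probe reports "not permitted" rather than failing where the environment blocks namespace creation.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <net/if.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/wait.h>

struct netns_view {
    int status;                    /* 0 = ran, 1 = not permitted here, 2 = unexpected failure */
    int if_count;                  /* interfaces visible inside the new network namespace */
    char first_name[IF_NAMESIZE];  /* name of the first interface found */
    int first_is_up;               /* IFF_UP set on that interface? */
};

/* Describes the caller's current network namespace: interface count plus the
 * name and UP state of the first interface. Returns 0 on success, -1 on error. */
int describe_current_netns(int *count, char name[IF_NAMESIZE], int *is_up)
{
    struct if_nameindex *list = if_nameindex();
    if (!list) return -1;
    int n = 0;
    name[0] = '\0';
    *is_up = 0;
    for (struct if_nameindex *p = list; p->if_index != 0; p++) {
        if (n == 0) {
            snprintf(name, IF_NAMESIZE, "%s", p->if_name);
            int s = socket(AF_INET, SOCK_DGRAM, 0);
            if (s >= 0) {
                struct ifreq ifr;
                memset(&ifr, 0, sizeof ifr);
                snprintf(ifr.ifr_name, IFNAMSIZ, "%s", p->if_name);
                if (ioctl(s, SIOCGIFFLAGS, &ifr) == 0)
                    *is_up = (ifr.ifr_flags & IFF_UP) != 0;
                close(s);
            }
        }
        n++;
    }
    if_freenameindex(list);
    *count = n;
    return 0;
}

/* Forks, enters a fresh network namespace (owned by a fresh user namespace, so
 * no host privilege is needed) and reports what that namespace contains. */
struct netns_view inspect_fresh_netns(void)
{
    struct netns_view v = { 2, 0, "", 0 };
    int fd[2];
    if (pipe(fd) != 0) return v;
    pid_t pid = fork();
    if (pid < 0) return v;
    if (pid == 0) {
        close(fd[0]);
        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0)
            _exit(errno == EPERM || errno == EINVAL || errno == ENOSYS ? 10 : 11);
        struct netns_view in = { 0, 0, "", 0 };
        if (describe_current_netns(&in.if_count, in.first_name, &in.first_is_up) != 0) _exit(11);
        if (write(fd[1], &in, sizeof in) != (ssize_t)sizeof in) _exit(11);
        _exit(0);
    }
    close(fd[1]);
    struct netns_view in;
    ssize_t n = read(fd[0], &in, sizeof in);
    close(fd[0]);
    int st = 0;
    waitpid(pid, &st, 0);
    if (WIFEXITED(st) && WEXITSTATUS(st) == 10) { v.status = 1; return v; }
    if (!WIFEXITED(st) || WEXITSTATUS(st) != 0 || n != (ssize_t)sizeof in) return v;
    return in;
}

int main(void)
{
    struct netns_view v = inspect_fresh_netns();
    if (v.status == 1) { puts("network namespace creation not permitted here"); return 0; }
    if (v.status != 0) { puts("unexpected failure"); return 1; }
    printf("fresh netns: %d interface(s); first is '%s', up=%d\n", v.if_count, v.first_name, v.first_is_up);
    return 0;
}
```

Run on a normal kernel this prints one interface named lo with up=0, which is the practical reason container runtimes bring lo up (and add a veth) immediately after creating the namespace.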

Inter-process Communication (ipc)

IPC namespaces isolate System V IPC objects (shared memory segments, semaphore sets and message queues) and POSIX message queues. Processes in different IPC namespaces therefore cannot use, for example, the shmget/shmat family of functions to establish a shared memory region between them. Instead, each can use the same key or identifier and obtain its own, distinct region. The objects in an IPC namespace are destroyed with it when its last process leaves. POSIX shared memory (shm_open) is different: it lives on the /dev/shm tmpfs and is governed by the mount namespace, not the IPC namespace.
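Added example, not from the original article: the shared-memory case above made concrete in C. A parent creates a System V segment under a fixed key, then a child tries shmget() with IPC_CREAT|IPC_EXCL for the same key, once in the parent's IPC namespace (where it must fail with EEXIST) and once after entering a fresh user and IPC namespace (where it succeeds, yielding a second, distinct segment under the same key). The key value and segment size are assumptions chosen for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/types.h>
#include <sys/wait.h>

#define DEMO_KEY ((key_t)0x4e53444d)   /* constructed key "NSDM" (assumption) */
#define SEG_SIZE 4096

/* Runs the probe in a forked child. If new_ipc_ns is nonzero the child first
 * enters a fresh IPC namespace (owned by a fresh user namespace). It then calls
 * shmget(DEMO_KEY, IPC_CREAT|IPC_EXCL): in the parent's namespace this fails
 * with EEXIST because the parent already holds the key; in a new IPC namespace
 * the key is free and a second, unrelated segment is created.
 * Returns 0 = child created a distinct segment, 1 = child saw EEXIST,
 *         2 = namespace creation not permitted here, 3 = unexpected failure. */
int probe_shm_key(int new_ipc_ns)
{
    int parent_id = shmget(DEMO_KEY, SEG_SIZE, IPC_CREAT | 0600);
    if (parent_id < 0) return 3;

    pid_t pid = fork();
    if (pid < 0) { shmctl(parent_id, IPC_RMID, NULL); return 3; }
    if (pid == 0) {
        if (new_ipc_ns && unshare(CLONE_NEWUSER | CLONE_NEWIPC) != 0)
            _exit(errno == EPERM || errno == EINVAL || errno == ENOSYS ? 12 : 13);
        int id = shmget(DEMO_KEY, SEG_SIZE, IPC_CREAT | IPC_EXCL | 0600);
        if (id >= 0) {
            /* Release the child's segment; in a new IPC namespace it would be
             * destroyed together with the namespace anyway. */
            shmctl(id, IPC_RMID, NULL);
            _exit(10);
        }
        _exit(errno == EEXIST ? 11 : 13);
    }

    int st = 0;
    waitpid(pid, &st, 0);
    shmctl(parent_id, IPC_RMID, NULL);   /* always clean up the parent's segment */
    if (!WIFEXITED(st)) return 3;
    switch (WEXITSTATUS(st)) {
        case 10: return 0;
        case 11: return 1;
        case 12: return 2;
        default: return 3;
    }
}

int main(void)
{
    static const char *outcome[] = {
        "distinct segment created under the same key",
        "EEXIST: same key, same region",
        "namespace creation not permitted here",
        "unexpected failure"
    };
    int same = probe_shm_key(0);
    int fresh = probe_shm_key(1);
    printf("same IPC namespace : %s\n", outcome[same]);
    printf("new IPC namespace  : %s\n", outcome[fresh]);
    return (same == 3 || fresh == 3);
}
```

The control run without unshare() is what proves the second result is due to the namespace and not to the key being unused.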

UTS

UTS (UNIX Time-Sharing) namespaces allow a single system to appear to have different host and domain names to different processes. "When a process creates a new UTS namespace ... the hostname and domain of the new UTS namespace are copied from the corresponding values in the caller's UTS namespace."[6]

User ID (user)

User namespaces, available since kernel 3.8,[7] provide both privilege isolation and segregation of user identification across sets of processes. They make it possible to give a process what appears to be administrative rights inside a container without granting it any elevated privilege on the host. Unlike the other kinds, a user namespace can be created by an unprivileged process (where the distribution permits it), which can then map its own user ID; mapping a whole range of IDs, as container runtimes do, requires administrative assistance in the form of the setuid newuidmap and newgidmap helpers and the ranges delegated in /etc/subuid and /etc/subgid. Like the PID namespace, user namespaces are nested, and each new user namespace is a child of the user namespace of the process that created it.

A user namespace contains a mapping table converting user IDs from the container's point of view to the system's point of view. This allows, for example, the root user to have user ID 0 inside the container while being treated as user ID 1,400,000 by the system for ownership checks. A similar table is used for group IDs. IDs without a mapping appear as the overflow ID (65534 by default) on the inside, so a file owned by host root shows up as owned by "nobody" inside a container whose mapping starts elsewhere.

To facilitate privilege isolation of administrative actions, every namespace of any other kind is owned by a user namespace: the one that was the creating process's user namespace at the moment of creation. A process with administrative capabilities in the appropriate user namespace may perform administrative actions in the namespaces it owns. For example, a process may change the IP address of a network interface if it has CAP_NET_ADMIN in the user namespace that owns the network namespace or in an ancestor of it. The initial user namespace therefore has administrative control over all namespaces in the system,[8] while capabilities held in a child user namespace confer no privilege over resources owned by ancestors: root inside a user namespace cannot, for instance, mount a filesystem in the host's mount namespace or load a kernel module.
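The mapping table described above is plain arithmetic on (inside, outside, count) triples, and a process can set up the one-line variant for itself. The following C code, added here and not the article's or the kernel project's, does both: it parses uid_map/gid_map text and translates IDs in either direction, and it demonstrates unshare(CLONE_NEWUSER) followed by writing uid_map, setgroups and gid_map so that the caller becomes UID 0 inside a namespace mapped onto its own UID. The 1,400,000 map and the two-range map are constructed values; the live part reports "not permitted" where unprivileged user namespaces are disabled or filtered.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* One line of /proc/<pid>/uid_map or gid_map: "<inside> <outside> <count>". */
struct id_map { unsigned long inside, outside, count; };
#define MAX_MAPS 8   /* enough for this demonstration; the kernel allows far more lines */

/* Parses uid_map/gid_map text into entries. Returns the number parsed, or -1 on bad input. */
int parse_id_map(const char *text, struct id_map *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        struct id_map m;
        int used = 0;
        if (sscanf(p, "%lu %lu %lu%n", &m.inside, &m.outside, &m.count, &used) != 3 || m.count == 0)
            return -1;
        out[n++] = m;
        p += used;
        while (*p == '\n' || *p == ' ') p++;
    }
    return n;
}

/* ID as seen inside the namespace -> ID the kernel uses for ownership checks; -1 if unmapped. */
long map_inside_to_outside(const struct id_map *maps, int n, unsigned long inside)
{
    for (int i = 0; i < n; i++)
        if (inside >= maps[i].inside && inside - maps[i].inside < maps[i].count)
            return (long)(maps[i].outside + (inside - maps[i].inside));
    return -1;
}

/* Host ID -> ID inside the namespace; -1 if unmapped (shown as the overflow ID, 65534, inside). */
long map_outside_to_inside(const struct id_map *maps, int n, unsigned long outside)
{
    for (int i = 0; i < n; i++)
        if (outside >= maps[i].outside && outside - maps[i].outside < maps[i].count)
            return (long)(maps[i].inside + (outside - maps[i].outside));
    return -1;
}

static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));   /* the map must arrive in a single write */
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

struct inside_view { int euid; unsigned root_dir_uid; };

/* Live demo: become "root" in a fresh user namespace mapped onto the caller's own
 * UID/GID and report geteuid() and the apparent owner of "/" from inside.
 * Returns 0 on success, 1 if not permitted here, 2 on unexpected failure. */
int demo_map_root_user(struct inside_view *out)
{
    int fd[2];
    if (pipe(fd) != 0) return 2;
    pid_t pid = fork();
    if (pid < 0) return 2;
    if (pid == 0) {
        close(fd[0]);
        uid_t uid = getuid();
        gid_t gid = getgid();
        if (unshare(CLONE_NEWUSER) != 0)
            _exit(errno == EPERM || errno == EINVAL || errno == ENOSYS ? 10 : 11);
        char line[64];
        /* An unprivileged process may map only its own IDs, one line each, and
         * must write "deny" to setgroups before gid_map (enforced by the kernel). */
        snprintf(line, sizeof line, "0 %u 1\n", (unsigned)uid);
        if (write_file("/proc/self/uid_map", line) != 0) _exit(11);
        if (write_file("/proc/self/setgroups", "deny") != 0) _exit(11);
        snprintf(line, sizeof line, "0 %u 1\n", (unsigned)gid);
        if (write_file("/proc/self/gid_map", line) != 0) _exit(11);
        struct stat st;
        struct inside_view v = { (int)geteuid(), 0 };
        if (stat("/", &st) == 0) v.root_dir_uid = (unsigned)st.st_uid;  /* host root is unmapped here */
        if (write(fd[1], &v, sizeof v) != (ssize_t)sizeof v) _exit(11);
        _exit(0);
    }
    close(fd[1]);
    struct inside_view v;
    ssize_t n = read(fd[0], &v, sizeof v);
    close(fd[0]);
    int st = 0;
    waitpid(pid, &st, 0);
    if (WIFEXITED(st) && WEXITSTATUS(st) == 10) return 1;
    if (!WIFEXITED(st) || WEXITSTATUS(st) != 0 || n != (ssize_t)sizeof v) return 2;
    *out = v;
    return 0;
}

int main(void)
{
    struct id_map maps[MAX_MAPS];
    int n = parse_id_map("0 1400000 65536\n", maps, MAX_MAPS);   /* constructed example map */
    printf("inside uid 0 -> outside %ld\n", map_inside_to_outside(maps, n, 0));
    struct inside_view v;
    int rc = demo_map_root_user(&v);
    if (rc == 1) puts("user namespaces not permitted in this environment");
    else if (rc == 0) printf("inside: euid %d, owner of / appears as uid %u\n", v.euid, v.root_dir_uid);
    else puts("unexpected failure");
    return rc == 2;
}
```

On a typical system the live part prints euid 0 and an owner of 65534 for "/", the two halves of the table in action: the caller's UID is mapped to 0, and host root, which is not in the map, is shown as the overflow ID.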

Control group (cgroup)

The cgroup namespace type hides the identity of the control group of which a process is a member. A process in such a namespace, checking which control group any process belongs to (for example by reading /proc/<pid>/cgroup), sees a path relative to the cgroup root fixed at namespace creation, which hides the process's true position in the cgroup hierarchy and avoids leaking host cgroup paths into containers. This namespace type has existed since March 2016, in Linux 4.6.[9][10]

Time (time)

The time namespace lets processes see different values of the CLOCK_MONOTONIC and CLOCK_BOOTTIME clocks by applying per-namespace offsets, in a way similar to how the UTS namespace gives each group of processes its own hostname; CLOCK_REALTIME, the wall-clock time, is not virtualized. Its primary use is checkpointing and restoring processes on a host whose uptime differs. It was proposed in 2018 and landed in Linux 5.6, released in March 2020.[11]

Proposed namespaces

syslog namespace

The syslog namespace was proposed by Rui Xiang, an engineer at Huawei, but was not merged into the Linux kernel.[12] systemd implemented a similar feature called "journal namespaces" in February 2020.[13]

Implementation details

The kernel exposes, for each process, one symbolic link per namespace kind in /proc/<pid>/ns/. All processes that belong to the same namespace get links to the same inode on the nsfs pseudo-filesystem, so a namespace is identified by the inode number (strictly, the device and inode pair) that its links resolve to: two processes share a namespace if their links have equal st_dev and st_ino. Access to another process's links requires ptrace-read permission on that process.

Reading a link via readlink returns a string containing the namespace kind name and the inode number of the namespace, in the form kind:[inode], for example pid:[4026531836]. Opening a link yields a file descriptor usable with setns(2), and the open descriptor keeps the namespace alive.
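Added example, not from the original article: C helpers for the /proc/<pid>/ns interface described above. parse_ns_link() decodes the readlink(2) text, and same_namespace() compares two processes the way the namespaces(7) manual recommends, by the (device, inode) pair of the link targets rather than the inode alone. The inode numbers used in the test are constructed sample values; the main() walks the caller's own links and compares them with PID 1, which needs ptrace-read access and simply reports "no access" for an unprivileged user.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Parses a /proc/<pid>/ns/<kind> link target such as "pid:[4026531836]" into
 * its kind and inode number. Returns 0 on success, -1 on malformed input. */
int parse_ns_link(const char *target, char *kind, size_t kind_len, unsigned long *inode)
{
    const char *colon = strchr(target, ':');
    if (!colon || colon[1] != '[') return -1;
    size_t klen = (size_t)(colon - target);
    if (klen == 0 || klen >= kind_len) return -1;
    char *end = NULL;
    unsigned long ino = strtoul(colon + 2, &end, 10);
    if (end == colon + 2 || *end != ']' || end[1] != '\0') return -1;
    memcpy(kind, target, klen);
    kind[klen] = '\0';
    *inode = ino;
    return 0;
}

/* readlink()s /proc/<pid>/ns/<kind> and returns the inode, or 0 on error
 * (kind missing on this kernel, or no permission to inspect the process). */
unsigned long ns_inode_via_readlink(pid_t pid, const char *kind)
{
    char path[64], target[64], k[32];
    unsigned long ino;
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, kind);
    ssize_t n = readlink(path, target, sizeof target - 1);
    if (n < 0) return 0;
    target[n] = '\0';
    return parse_ns_link(target, k, sizeof k, &ino) == 0 ? ino : 0;
}

/* The robust comparison: stat() follows the magic link into nsfs, and two
 * processes share a namespace iff (st_dev, st_ino) match. 1 = same, 0 = different,
 * -1 = could not inspect one of the processes. */
int same_namespace(pid_t a, pid_t b, const char *kind)
{
    char pa[64], pb[64];
    struct stat sa, sb;
    snprintf(pa, sizeof pa, "/proc/%d/ns/%s", (int)a, kind);
    snprintf(pb, sizeof pb, "/proc/%d/ns/%s", (int)b, kind);
    if (stat(pa, &sa) != 0 || stat(pb, &sb) != 0) return -1;
    return (sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino) ? 1 : 0;
}

int main(void)
{
    static const char *kinds[] = { "cgroup", "ipc", "mnt", "net", "pid", "time", "user", "uts" };
    for (size_t i = 0; i < sizeof kinds / sizeof kinds[0]; i++) {
        unsigned long ino = ns_inode_via_readlink(getpid(), kinds[i]);
        if (ino == 0) { printf("%-6s (not available on this kernel)\n", kinds[i]); continue; }
        int same = same_namespace(getpid(), 1, kinds[i]);
        printf("%-6s inode %lu, shared with PID 1: %s\n", kinds[i], ino,
               same == 1 ? "yes" : same == 0 ? "no" : "no access");
    }
    return 0;
}
```

Inside a container the "shared with PID 1" column is usually "yes" for the container's own init and would be "no" for every kind if the program could see the host's PID 1, which is a quick way to confirm from inside that a process really is namespaced.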

Syscalls

Three system calls can directly manipulate namespaces:

  • clone, which takes CLONE_NEW* flags specifying which kinds of new namespaces the new child process should be created in (clone3 accepts the same flags).
  • unshare, which moves the calling process into newly created namespaces of the kinds selected by its flags, without creating a new process; it lets a process disassociate parts of its execution context that it currently shares with others.
  • setns, which moves the calling process into an existing namespace referred to by a file descriptor, typically one opened on /proc/<pid>/ns/<kind> or, since Linux 5.8, a PID file descriptor.

Creating any kind other than a user namespace requires CAP_SYS_ADMIN in the user namespace that will own it; combining CLONE_NEWUSER with other flags in one call creates the user namespace first, which is how an unprivileged process obtains the other kinds.
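Putting the system calls together with the PID and UTS namespaces described earlier, here is an added C example (not code from the original article): clone(2) with CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWUTS starts a child that is PID 1 of its own PID namespace and sets a hostname visible only inside its UTS namespace, while the parent sees the same process under an ordinary PID and an unchanged hostname. The hostname "ns-demo" is an assumption. Starting the user namespace in the same call is what makes this work without root on the host; the result is "not permitted" where the environment filters clone flags.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* Outcome of the demonstration, so a caller can distinguish "worked" from
 * "not permitted here" (seccomp filter, unprivileged user namespaces disabled). */
enum ns_status { NS_OK = 0, NS_DENIED = 1, NS_FAILED = 2 };

struct ns_result {
    enum ns_status status;
    int child_pid_in_ns;       /* getpid() as observed inside the new PID namespace */
    int child_pid_in_parent;   /* the same process as numbered by the parent's PID namespace */
    char hostname[64];         /* hostname observed inside the new UTS namespace */
    char parent_hostname[64];  /* hostname in the parent's UTS namespace afterwards */
};

#define STACK_SIZE (1024 * 1024)
static const char kNewHostname[] = "ns-demo";   /* assumed value for the demonstration */

/* Entry point of the clone()d child: it is PID 1 of a fresh PID namespace. */
static int child_fn(void *arg)
{
    int fd = *(int *)arg;
    char hn[64] = "";
    /* The child starts with a full capability set in the new user namespace,
     * which owns the new UTS namespace, so sethostname() needs no host root. */
    if (sethostname(kNewHostname, strlen(kNewHostname)) != 0)
        snprintf(hn, sizeof hn, "sethostname-failed:%d", errno);
    else if (gethostname(hn, sizeof hn) != 0)
        snprintf(hn, sizeof hn, "gethostname-failed:%d", errno);
    char msg[160];
    int n = snprintf(msg, sizeof msg, "%d %s", (int)getpid(), hn);
    if (n <= 0 || write(fd, msg, (size_t)n) != n) _exit(3);
    _exit(0);
}

struct ns_result spawn_in_new_namespaces(void)
{
    struct ns_result r = { NS_FAILED, -1, -1, "", "" };
    int pipefd[2];
    if (pipe(pipefd) != 0) return r;

    char *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
    if (stack == MAP_FAILED) { close(pipefd[0]); close(pipefd[1]); return r; }

    /* The kernel applies CLONE_NEWUSER first, so the PID and UTS namespaces are
     * owned by the new user namespace and the caller needs no privilege.
     * SIGCHLD makes the child waitable like a fork()ed one. */
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
    pid_t pid = clone(child_fn, stack + STACK_SIZE, flags, &pipefd[1]);
    close(pipefd[1]);
    if (pid == -1) {
        /* EPERM/EACCES: filtered or unprivileged; EINVAL: kernel lacks the namespace kind. */
        r.status = (errno == EPERM || errno == EACCES || errno == EINVAL || errno == ENOSYS)
                   ? NS_DENIED : NS_FAILED;
        close(pipefd[0]);
        munmap(stack, STACK_SIZE);
        return r;
    }

    char buf[160] = "";
    ssize_t n = read(pipefd[0], buf, sizeof buf - 1);
    close(pipefd[0]);
    int wstatus = 0;
    waitpid(pid, &wstatus, 0);
    munmap(stack, STACK_SIZE);
    if (n <= 0 || sscanf(buf, "%d %63s", &r.child_pid_in_ns, r.hostname) != 2) return r;

    r.child_pid_in_parent = (int)pid;
    gethostname(r.parent_hostname, sizeof r.parent_hostname);
    r.status = NS_OK;
    return r;
}

int main(void)
{
    struct ns_result r = spawn_in_new_namespaces();
    if (r.status == NS_DENIED) { puts("namespace creation not permitted in this environment"); return 0; }
    if (r.status != NS_OK) { puts("unexpected failure"); return 1; }
    printf("child: PID %d in its namespace, PID %d in ours; hostname there '%s', here '%s'\n",
           r.child_pid_in_ns, r.child_pid_in_parent, r.hostname, r.parent_hostname);
    return 0;
}
```

Without CLONE_NEWUSER the same call fails with EPERM for any process lacking CAP_SYS_ADMIN, which is the privilege rule from the paragraph above seen from the other side.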

Destruction

A namespace is deleted when it is no longer referenced; what happens to the resources it contained depends on the kind (a network namespace, for instance, destroys its virtual interfaces and returns physical ones to the initial namespace). A namespace is kept alive by:

  1. a process belonging to the namespace
  2. an open file descriptor on the namespace's file (/proc/<pid>/ns/<ns-kind>)
  3. a bind mount of the namespace's file (/proc/<pid>/ns/<ns-kind>)
  4. for the hierarchical kinds, a child namespace: a PID or user namespace stays alive while it has descendants, and a user namespace while any namespace it owns still exists

The second and third mechanisms are how tools such as ip netns keep an otherwise empty network namespace around between commands.

Adoption

Various container software uses Linux namespaces in combination with cgroups to isolate its processes, including Docker[14] and LXC.

Other applications, such as Google Chrome, use namespaces to isolate those of their own processes that are exposed to attack from the internet.[15]

There is also an unshare wrapper in util-linux. An example of its use is:

SHELL=/bin/sh unshare --map-root-user --fork --pid chroot "${chrootdir}" "$@" 

This runs the given command inside a chroot as an apparent root: --map-root-user creates a user namespace that maps the caller's own user and group ID to 0, --pid creates a PID namespace, and --fork makes unshare fork before executing the command. The fork is required with --pid because the calling process itself does not move into the new PID namespace, only its children do; the command thus runs as PID 1 of the new namespace.

References

  1. "The Use of Name Spaces in Plan 9". 1992. Archived from the original on 2014-09-06. Retrieved 2016-03-24.
  2. "Linux kernel source tree". kernel.org. 2016-10-02.
  3. "Namespaces in operation, part 5: User namespaces". LWN.net.
  4. "Documentation/filesystems/sharedsubtree.txt". 2016-02-25. Retrieved 2017-03-06.
  5. "Namespaces in operation, part 3: PID namespaces". LWN.net. 2013-01-16.
  6. "uts_namespaces(7) - Linux manual page". man7.org. Retrieved 2021-02-16.
  7. "Namespaces in operation, part 5: User namespaces". LWN.net.
  8. "Namespaces in operation, part 5: User namespaces". LWN.net. 2013-02-27.
  9. Heo, Tejun (2016-03-18). "[GIT PULL] cgroup namespace support for v4.6-rc1". lkml (mailing list).
  10. Torvalds, Linus (2016-03-26). "Linux 4.6-rc1". lkml (mailing list).
  11. "It's Finally Time: The Time Namespace Support Has Been Added To The Linux 5.6 Kernel". Phoronix. Retrieved 2020-03-30.
  12. "Add namespace support for syslog". LWN.net. Retrieved 2022-07-11.
  13. "journal: add concept of "journal namespaces" by poettering · Pull Request #14178 · systemd/systemd". GitHub. Retrieved 2022-07-11.
  14. "Docker security". docker.com. Retrieved 2016-03-24.
  15. "Chromium Linux Sandboxing". Retrieved 2019-12-19.

External links

  • namespaces manpage
  • Namespaces — The Linux Kernel documentation
  • Linux kernel Namespaces and cgroups by Rami Rosen
  • Namespaces and cgroups, the basis of Linux containers (including cgroups v2) - slides of a talk by Rami Rosen, Netdev 1.1, Seville, Spain (2016)
  • Containers and Namespaces in the Linux Kernel by Kir Kolyshkin
