Isolating systems with Linux Namespaces

by | Nov 16, 2016

If you’ve used tools like Docker, you already know that these tools are capable of isolating processes in small “containers”. Running processes in Docker containers is like running them in virtual machines, only these containers are significantly lighter than virtual machines.

With the introduction of Linux namespaces, it became possible to have multiple “nested” process trees. Each process tree can have an entirely isolated set of processes. This can ensure that processes belonging to one process tree cannot inspect or kill - in fact cannot even know of the existence of - processes in other sibling or parent process trees. Every time a computer with Linux boots up, it starts with just one process, with process identifier (PID) 1. This process is the root of the process tree, and it initiates the rest of the system by performing the appropriate maintenance work and starting the correct daemons/services.

All the other processes start below this process in the tree. The PID namespace allows one to spin off a new tree, with its own PID 1 process. The process that does this remains in the parent namespace, in the original tree, but makes the child the root of its own process tree.

A network namespace allows each of these processes to see an entirely different set of networking interfaces. Even the loopback interface is different for each network namespace. In order to provide a usable network interface in the child namespace, it is necessary to set up additional “virtual” network interfaces which span multiple namespaces. Linux also maintains a data structure for all the mountpoints of the system. It includes information like what disk partitions are mounted, where they are mounted, whether they are readonly, et cetera.

There are other namespaces that these processes can be isolated into, namely user, IPC, and UTS. The user namespace allows a process to have root privileges within the namespace, without giving it that access to processes outside of the namespace. Isolating a process by the IPC namespace gives it its own interprocess communication resources, for example, System V IPC and POSIX messages. The UTS namespace isolates two specific identifiers of the system: nodename and domainname.

For more details, please refer to the original article available in Toptal blog.

SHARE

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Recent posts

On-premises vs. cloud: Which is better for your business?

The choice of technology infrastructure is crucial for the growth and competitiveness of businesses. This article analyzes the advantages and disadvantages of “on-premises” and “cloud computing” models, focusing on aspects such as costs, scalability, security, and management.

Archives


Stay up to date with all the news from UDS ENTERPRISE through our social networks. Follow us!

Skip to content