Confinement

Namespaces

Allow the kernel to partition resources into separate views (namespaces).

  • Processes in a namespace have a restricted view of the system.

  • Activated through syscalls by an ordinary process:

    • clone: creates a child process in new namespace(s) chosen by its flags.

    • unshare: disassociates the calling process from its current namespaces (it gets new ones).

    • setns: puts the calling process into an existing namespace.

Types of namespaces:

  • mount: applies to mount points (the file system view).

  • pid: process ids; the first process in the namespace has pid 1.

  • network: an "independent" network stack (routes, interfaces, firewall rules...).

  • ipc: inter-process communication mechanisms.

  • uts: host/domain name independence (DNS).

  • user: user ids; segregation of permissions.

  • cgroup: limits on the resources used (memory, cpu...).

## Create netns named mynetns
root@vm: ~# ip netns add mynetns

## Change iptables INPUT policy for the netns
root@linux: ~# ip netns exec mynetns iptables -P INPUT DROP

## List iptables rules outside the namespace
root@linux: ~# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target    prot opt source    destination

## List iptables rules inside the namespace
root@linux: ~# ip netns exec mynetns iptables -L INPUT
Chain INPUT (policy DROP)
target    prot opt source    destination

## List Interfaces in the namespace
root@linux: ~# ip netns exec mynetns ip link list
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 100
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
## Move the interface enp0s3 to the namespace
root@linux: ~# ip link set enp0s3 netns mynetns

## List interfaces in the namespace
root@linux: ~# ip netns exec mynetns ip link list
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 100
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT...
    link/ether 08:00:27:83:0a:55 brd ff:ff:ff:ff:ff:ff
## List interfaces outside the namespace
root@linux: ~# ip link list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT...
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
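As an added example (not part of the original notes), the isolation shown in the ip netns session above reproduced with the syscalls listed earlier: a child process calls unshare(2) with CLONE_NEWNET and counts the interfaces it can see, which in a fresh network namespace is only lo. CLONE_NEWUSER is requested as well so the call also works without root where unprivileged user namespaces are enabled; where the kernel or a seccomp policy refuses it, the function reports that instead of crashing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <net/if.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Number of network interfaces visible in the caller's network namespace
   (libc if_nameindex() enumeration; -1 on error). */
int count_interfaces(void)
{
    struct if_nameindex *list = if_nameindex();
    if (list == NULL)
        return -1;
    int n = 0;
    for (struct if_nameindex *p = list; p->if_index != 0; p++)
        n++;
    if_freenameindex(list);
    return n;
}

/* Fork a child, move it into a fresh network namespace with unshare(2),
   and return how many interfaces that child sees. A new netns starts with
   only "lo", so the expected answer is 1; the parent's view is untouched.
   Returns -1 if unshare was refused (EPERM/EINVAL/ENOSPC: user or network
   namespaces unavailable here), -2 on fork/wait failure. */
int interfaces_in_new_netns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0)
            _exit(250);                  /* namespaces refused */
        int n = count_interfaces();
        if (n < 0)
            _exit(251);
        _exit(n > 200 ? 200 : n);        /* exit status carries the count */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -2;
    int code = WEXITSTATUS(status);
    if (code == 250) return -1;
    if (code == 251) return -2;
    return code;
}

int main(void)
{
    printf("interfaces visible here:      %d\n", count_interfaces());
    printf("interfaces in a fresh netns:  %d\n", interfaces_in_new_netns());
    return 0;
}
```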

Containers

Use namespaces to provide a virtual view of the system.

  • Network isolation, cgroups, user ids, mounts, etc...

Processes are executed inside a container.

  • A container is an application-level construct, not a kernel object.

  • It consists of an environment built by composing namespaces.

  • Requires bridging to the real system's network interfaces and proxy processes.

Relevant approaches:

  • LXC (LinuX Containers): focus on a complete virtualized environment.

    • Evolution of OpenVZ.

  • Docker: focus on running isolated applications from a portable package that moves between systems.

    • Uses LXC.
