Confinement
Namespaces
Allow resources to be partitioned into separate views (namespaces).
A process in a namespace has a restricted view of the system.
Controlled through three syscalls, each issued by an ordinary process:
clone: creates a new child process and places it in new namespace(s), selected by the CLONE_NEW* flags.
unshare: detaches the calling process from its current namespace(s), giving it fresh ones.
setns: moves the calling process into an existing namespace.
Types of namespaces:
mount: separate view of mount points.
PID: separate process-id space; the first process in the namespace has PID 1.
network: "independent" network stack (routes, interfaces, firewall rules, ...).
IPC: separate inter-process communication mechanisms.
UTS: independent hostname and domain name.
user: separate user and group ids, i.e. segregation of permissions.
cgroup: limits on the resources used (memory, CPU, ...).
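The syscall list above, shown working: this added example (not part of the original slides) uses clone() with CLONE_NEWUSER | CLONE_NEWUTS so that an unprivileged process gets its own UTS namespace, renames the host inside it, and then checks that the parent's view of the hostname is untouched. The hostname "isolated-host" is a constructed value; the function reports 0 rather than failing when the kernel or sandbox refuses unprivileged namespace creation.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>
#include <sys/wait.h>

#define HOST_MAX 256

/* Runs in the child, which lives in its own UTS namespace: the new
 * hostname is visible only there (and to anything that later setns() in). */
static int child_fn(void *arg) {
    const char *name = arg;
    if (sethostname(name, strlen(name)) != 0)
        return errno == EPERM ? 5 : 2;   /* 5: sandbox stripped our capabilities */
    char got[HOST_MAX] = {0};
    if (gethostname(got, sizeof got - 1) != 0) return 3;
    return strcmp(got, name) == 0 ? 0 : 4;
}

/* Returns 1 if the rename stayed confined to the child's namespace,
 * 0 if namespace creation is not permitted in this environment,
 * -1 on any other failure, including the rename leaking into the parent. */
int demo_uts_isolation(void) {
    static char stack[64 * 1024];
    char before[HOST_MAX] = {0}, after[HOST_MAX] = {0};
    const char *inner = "isolated-host";   /* constructed hostname */
    if (gethostname(before, sizeof before - 1) != 0) return -1;
    /* CLONE_NEWUSER makes the caller the owner of the new UTS namespace,
     * so no real CAP_SYS_ADMIN is needed. */
    int flags = CLONE_NEWUSER | CLONE_NEWUTS | SIGCHLD;
    pid_t pid = clone(child_fn, stack + sizeof stack, flags, (void *)inner);
    if (pid < 0) return 0;   /* EPERM/EINVAL/ENOSYS: namespaces disabled or filtered */
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 5) return 0;
    if (WEXITSTATUS(status) != 0) return -1;
    if (gethostname(after, sizeof after - 1) != 0) return -1;
    /* The parent's view must be unchanged: that is the confinement. */
    return (strcmp(before, after) == 0 && strcmp(after, inner) != 0) ? 1 : -1;
}

int main(void) {
    int r = demo_uts_isolation();
    printf("UTS isolation: %s\n", r == 1 ? "confined" : r == 0 ? "not permitted here" : "FAILED");
    return r < 0;
}
```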
## Create netns named mynetns
root@vm: ~# ip netns add mynetns
## Change iptables INPUT policy for the netns
root@linux: ~# ip netns exec mynetns iptables -P INPUT DROP
## List iptables rules outside the namespace
root@linux: ~# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
## List iptables rules inside the namespace
root@linux: ~# ip netns exec mynetns iptables -L INPUT
Chain INPUT (policy DROP)
target prot opt source destination
## List Interfaces in the namespace
root@linux: ~# ip netns exec mynetns ip link list
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 100
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
## Move the interface enp0s3 to the namespace
root@linux: ~# ip link set enp0s3 netns mynetns
## List interfaces in the namespace
root@linux: ~# ip netns exec mynetns ip link list
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 100
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT...
link/ether 08:00:27:83:0a:55 brd ff:ff:ff:ff:ff:ff
## List interfaces outside the namespace
root@linux: ~# ip link list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT...
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
Containers
Use namespaces to provide a virtual view of the system:
network isolation, cgroups, user ids, mounts, etc.
Processes are executed inside a container.
A container is an application-level (user-space) construct, not a kernel object.
It consists of an environment built by composing namespaces.
Requires bridging to the real system's network interfaces and proxy processes.
Relevant approaches:
LinuX Containers (LXC): focus on a complete virtualized environment;
an evolution of OpenVZ.
Docker: focus on running isolated applications from a portable package that moves between systems;
uses LXC.