Linux kernel namespace


Sissejuhatus

TODO

Tööpõhimõte

Namespace'i dimensioone on 2026. aasta alguses 8

  • mnt (Mount): Filesystems
  • uts: Hostname/Domain
  • ipc: Shared memory/Message queues
  • pid: Process numbering
  • net: Network stack
  • user: UID/GID mapping (The "Key" to rootless)
  • cgroup: Control group hierarchy
  • time: System clock offset (the "newest" major one)

Väited

  • süsteemi käivitamisel moodustatakse automaatselt esimene namespace (root/initial/global namespace)
  • namespace ja kasutaja ei ole omavahel seotud, nt global namespace'is on kõik protsessid sõltumata kasutajast

Misc

kasutaja@ph-minio-01:~$ unshare --user --net --map-root-user /bin/bash

root@ph-minio-01:~# ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

root@ph-minio-01:~# ip addr add 127.0.0.1 dev lo
root@ph-minio-01:~# ip link set up dev lo

root@ph-minio-01:~# ping -c 2 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.016 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.020 ms

--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1023ms
rtt min/avg/max/mdev = 0.016/0.018/0.020/0.002 ms

ning

root@ph-minio-01:~# lsns -n | grep kasutaja
4026532406 user       1  5124 kasutaja         /bin/bash
4026532407 net        1  5124 kasutaja         /bin/bash

root@ph-minio-01:~# lsns 4026532406
  PID  PPID USER     COMMAND
 5124  4954 kasutaja /bin/bash

root@ph-minio-01:~# lsns 4026532407
  PID  PPID USER     COMMAND
 5124  4954 kasutaja /bin/bash

Piiratud keskkonna moodustamine

kasutaja@ph-minio-01:~$ unshare --user --net --pid --map-root-user --mount --fork /bin/bash

root@ph-minio-01:~# mount --make-rprivate /

root@ph-minio-01:~# mount -t proc proc /proc

root@ph-minio-01:~# mount -t sysfs sysfs /sys

root@ph-minio-01:~# mkdir /tmp/empty

root@ph-minio-01:~# mount --bind /tmp/empty /sys/bus/pci

Tulemusena

root@ph-minio-01:~# lspci
lspci: Cannot open /sys/bus/pci/devices

root@ph-minio-01:~# /usr/sbin/driverctl list-devices
driverctl: No overridable devices found. Kernel too old?

root@ph-minio-01:~# dmesg
dmesg: read kernel buffer failed: Operation not permitted

root@ph-minio-01:~# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State

ning lsns vaatest

kasutaja@ph-minio-01:~$ lsns
        NS TYPE   NPROCS   PID USER     COMMAND
...
4026532406 user        2  6065 kasutaja ├─unshare --user --net --pid --map-root-user --mount --fork /bin/bash
4026532407 mnt         2  6065 kasutaja ├─unshare --user --net --pid --map-root-user --mount --fork /bin/bash
4026532408 pid         1  6066 kasutaja │ └─/bin/bash
4026532409 net         2  6065 kasutaja └─unshare --user --net --pid --map-root-user --mount --fork /bin/bash

unshare keskkonnast väljumiseks sobib öelda exit

root@ph-minio-01:~# exit
kasutaja@ph-minio-01:~$

systemd varjab mount namespace'i abil teenuse protsessi eest ära osa failisüsteemist (nt ProtectHome, ProtectKernelLogs jms seadete toimel)

root@dh-minio-01:~# lsns --tree=owner
NS           TYPE   NPROCS   PID USER             COMMAND
4026531837   user      110     1 root             /sbin/init
├─4026531834 time      110     1 root             /sbin/init
├─4026531835 cgroup    110     1 root             /sbin/init
├─4026531836 pid       110     1 root             /sbin/init
├─4026531838 uts       106     1 root             /sbin/init
├─4026531839 ipc       110     1 root             /sbin/init
├─4026531840 net       110     1 root             /sbin/init
├─4026531841 mnt       105     1 root             /sbin/init
├─4026531862 mnt         1    32 root             kdevtmpfs
├─4026532333 mnt         1   322 systemd-timesync /usr/lib/systemd/systemd-timesyncd
├─4026532336 mnt         1   353 root             /usr/lib/systemd/systemd-udevd
├─4026532337 uts         1   322 systemd-timesync /usr/lib/systemd/systemd-timesyncd
├─4026532338 uts         1   353 root             /usr/lib/systemd/systemd-udevd
├─4026532406 mnt         1 11405 root             /usr/sbin/rsyslogd -n -iNONE
├─4026532407 uts         1 11405 root             /usr/sbin/rsyslogd -n -iNONE
├─4026532461 uts         1   653 root             /usr/lib/systemd/systemd-logind
├─4026532468 mnt         1   653 root             /usr/lib/systemd/systemd-logind

root@dh-minio-01:~# nsenter -m -t 322 findmnt | grep inacc
├─/home                                                                     tmpfs[/systemd/inaccessible/dir]                                 tmpfs       ro,nosuid,nodev,noexec,relatime,size=605312k,mode=755,inode64
│ ├─/proc/kallsyms                                                          tmpfs[/systemd/inaccessible/reg]                                 tmpfs       ro,nosuid,nodev,noexec,relatime,size=605312k,mode=755,inode64
│ ├─/proc/kcore                                                             tmpfs[/systemd/inaccessible/reg]                                 tmpfs       ro,nosuid,nodev,noexec,relatime,size=605312k,mode=755,inode64
│ ├─/proc/kmsg                                                              tmpfs[/systemd/inaccessible/reg]                                 tmpfs       ro,nosuid,nodev,noexec,relatime,size=605312k,mode=755,inode64
│ ├─/run/credentials                                                        tmpfs[/systemd/inaccessible/dir]                                 tmpfs       ro,nosuid,nodev,noexec,relatime,size=605312k,mode=755,inode64
├─/root                                                                     tmpfs[/systemd/inaccessible/dir]                                 tmpfs       ro,nosuid,nodev,noexec,relatime,size=605312k,mode=755,inode64
├─/usr/lib/modules                                                          tmpfs[/systemd/inaccessible/dir]                                 tmpfs       ro,nosuid,nodev,noexec,relatime,size=605312k,mode=755,inode64

root@dh-minio-01:~# systemctl show systemd-timesyncd | grep ^Prote
ProtectClock=no
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectControlGroupsEx=yes
ProtectHome=yes
ProtectSystem=strict
ProtectProc=invisible
ProtectHostname=yes

Kasulikud lisamaterjalid

  • TODO