Linux Namespaces

Previous安裝Nginx on Docker NextLinux CGroup (Control Group)

Last updated 4 years ago

Was this helpful?

Linux Namespaces

假設host是一間房子，那麼namespace就是host上的房間，你將房間分配給了孩子，孩子只能在房間內活動，並且使用自己的房間內的物品，且無法與其他房間內的孩子互動。-- from

Linux kernel提供6個型別的namespace來進行資源的隔離

UTS namespace – 主機與Domain name
IPC namespace – 阻斷process之間的通訊
PID namespace – 程序編號(Process ID)，每個容器都會有PID=1的process，這個process在本機上也會有另一個PID
Network namespace – 允許擁有獨立的網路設備、IP Address、路由、port
Mount namespace – 掛載點，也就是隔離文件系統
User namespace – user及user group

到這裡我們得知，同一個namespace下的資源共享。接著來查看實際情況，輸入ls -l /proc/$$/ns列出namespace

root@vm:/home/jennifer# ls -l /proc/$$/ns    # 主機
總計 0
lrwxrwxrwx 1 root root 0  6月 29 14:43 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0  6月 29 14:43 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 root root 0  6月 29 14:43 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 root root 0  6月 29 14:43 net -> 'net:[4026531985]'
lrwxrwxrwx 1 root root 0  6月 29 14:43 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0  6月 29 14:43 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0  6月 29 14:43 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0  6月 29 14:43 uts -> 'uts:[4026531838]'

root@c4bf14a28bd0:/# ls -l /proc/$$/ns    # network=bridge的容器1
total 0
lrwxrwxrwx 1 root root 0 Jun 29 06:45 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Jun 29 06:45 ipc -> 'ipc:[4026532387]'
lrwxrwxrwx 1 root root 0 Jun 29 06:45 mnt -> 'mnt:[4026532385]'
lrwxrwxrwx 1 root root 0 Jun 29 06:45 net -> 'net:[4026532390]'
lrwxrwxrwx 1 root root 0 Jun 29 06:45 pid -> 'pid:[4026532388]'
lrwxrwxrwx 1 root root 0 Jun 29 06:45 pid_for_children -> 'pid:[4026532388]'
lrwxrwxrwx 1 root root 0 Jun 29 06:45 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Jun 29 06:45 uts -> 'uts:[4026532386]'

root@vm:/# ls -l /proc/$$/ns      # network=host的容器2
total 0
lrwxrwxrwx 1 root root 0 Jun 29 14:48 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Jun 29 14:48 ipc -> ipc:[4026532383]
lrwxrwxrwx 1 root root 0 Jun 29 14:48 mnt -> mnt:[4026532377]
lrwxrwxrwx 1 root root 0 Jun 29 14:48 net -> net:[4026531985]
lrwxrwxrwx 1 root root 0 Jun 29 14:48 pid -> pid:[4026532384]
lrwxrwxrwx 1 root root 0 Jun 29 14:48 pid_for_children -> pid:[4026532384]
lrwxrwxrwx 1 root root 0 Jun 29 14:48 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Jun 29 14:48 uts -> uts:[4026532382]

依主機來看，ipc -> 'ipc:[4026531839]'，指的就是主機的ipc namespace為4026531839

主機與容器1，ipc, mnt, net, pid, uts這5種namespace均不同，只有user namespace相同

主機與容器2，ipc, mnt, pid, uts這4種namespace均不同，只有user namespace, net namespace相同。多了net namespace的原因是容器2直接使用host的網路

同場加映

用hostnamectl查看host OS資訊

root@vm:/home/jennifer# hostnamectl
   Static hostname: BigData10
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 7de73b8ba8874689ac758936d0f9ce5e
           Boot ID: 66503f1fe9e143a3a37eb27137a5f54b
    Virtualization: microsoft
  Operating System: Ubuntu 18.04.2 LTS
            Kernel: Linux 4.15.0-106-generic
      Architecture: x86-64

(end)

Previous安裝Nginx on Docker NextLinux CGroup (Control Group)

Last updated 4 years ago

Was this helpful?

Linux kernel提供6個型別的namespace來進行資源的隔離

UTS namespace – 主機與Domain name
IPC namespace – 阻斷process之間的通訊
PID namespace – 程序編號(Process ID)，每個容器都會有PID=1的process，這個process在本機上也會有另一個PID
Network namespace – 允許擁有獨立的網路設備、IP Address、路由、port
Mount namespace – 掛載點，也就是隔離文件系統
User namespace – user及user group

到這裡我們得知，同一個namespace下的資源共享。接著來查看實際情況，輸入ls -l /proc/$$/ns列出namespace

root@vm:/home/jennifer# ls -l /proc/$$/ns    # 主機
總計 0
lrwxrwxrwx 1 root root 0  6月 29 14:43 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0  6月 29 14:43 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 root root 0  6月 29 14:43 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 root root 0  6月 29 14:43 net -> 'net:[4026531985]'
lrwxrwxrwx 1 root root 0  6月 29 14:43 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0  6月 29 14:43 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0  6月 29 14:43 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0  6月 29 14:43 uts -> 'uts:[4026531838]'

root@c4bf14a28bd0:/# ls -l /proc/$$/ns    # network=bridge的容器1
total 0
lrwxrwxrwx 1 root root 0 Jun 29 06:45 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Jun 29 06:45 ipc -> 'ipc:[4026532387]'
lrwxrwxrwx 1 root root 0 Jun 29 06:45 mnt -> 'mnt:[4026532385]'
lrwxrwxrwx 1 root root 0 Jun 29 06:45 net -> 'net:[4026532390]'
lrwxrwxrwx 1 root root 0 Jun 29 06:45 pid -> 'pid:[4026532388]'
lrwxrwxrwx 1 root root 0 Jun 29 06:45 pid_for_children -> 'pid:[4026532388]'
lrwxrwxrwx 1 root root 0 Jun 29 06:45 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Jun 29 06:45 uts -> 'uts:[4026532386]'

root@vm:/# ls -l /proc/$$/ns      # network=host的容器2
total 0
lrwxrwxrwx 1 root root 0 Jun 29 14:48 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Jun 29 14:48 ipc -> ipc:[4026532383]
lrwxrwxrwx 1 root root 0 Jun 29 14:48 mnt -> mnt:[4026532377]
lrwxrwxrwx 1 root root 0 Jun 29 14:48 net -> net:[4026531985]
lrwxrwxrwx 1 root root 0 Jun 29 14:48 pid -> pid:[4026532384]
lrwxrwxrwx 1 root root 0 Jun 29 14:48 pid_for_children -> pid:[4026532384]
lrwxrwxrwx 1 root root 0 Jun 29 14:48 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Jun 29 14:48 uts -> uts:[4026532382]

依主機來看，ipc -> 'ipc:[4026531839]'，指的就是主機的ipc namespace為4026531839

主機與容器1，ipc, mnt, net, pid, uts這5種namespace均不同，只有user namespace相同

主機與容器2，ipc, mnt, pid, uts這4種namespace均不同，只有user namespace, net namespace相同。多了net namespace的原因是容器2直接使用host的網路

同場加映

用hostnamectl查看host OS資訊

root@vm:/home/jennifer# hostnamectl
   Static hostname: BigData10
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 7de73b8ba8874689ac758936d0f9ce5e
           Boot ID: 66503f1fe9e143a3a37eb27137a5f54b
    Virtualization: microsoft
  Operating System: Ubuntu 18.04.2 LTS
            Kernel: Linux 4.15.0-106-generic
      Architecture: x86-64

(end)