What's in a Name? - Linux Namespaces

Captions
Hi, I'm DJ Ware. On this episode of the CyberGizmo I'm going to be talking about namespaces, but more specifically Linux namespaces, right after this. [Music]

I want to do this one today mostly because one of my subscribers was very kind and gave me a link to a more technical explanation, on the Windows Subsystem for Linux, of the differences between WSL 1 and 2, and I do appreciate that. But I thought it was kind of funny that one of the participants on the call referred to the Docker namespace as being old, outmoded and old-fashioned. I was kind of laughing about that, because Docker doesn't actually provide that namespace; it's provided by Linux. So that shot came across our bow, and today I want to talk about that a little bit and explain what Linux namespaces actually do. That's why I wanted to do this today.

In general, let's take the Wikipedia definition; it's a good one. A namespace in computing refers to a set of symbols or names that are used to identify and refer to objects of various kinds. So it's basically a way to take things that are related, group them together and give the group a name. A namespace ensures that all of a given set of objects have unique names, so that they can be easily identified and referred to. That's basically what a namespace is. We're done, I'll see you later. No, there's much more to it than that.

Namespaces are not anything new. In fact, Microsoft, you have been using namespaces ever since you published your first BASIC interpreter, and it goes back way before your company. It is fundamental to how programming languages and compilers are developed today, because the first instances of namespaces were used by programming languages to build variables that refer to memory locations. That way we didn't have to memorize those memory locations; we could just refer to a name, and later we were able to give it a type, so that we knew the memory location contained an integer or a string or a floating point or whatever. So yeah, they've been around a long, long time. If you want to say that it's old and old-fashioned, great: what have you got to come up with that's going to replace it?

Namespaces as applied to Linux were first used at Bell Labs in Plan 9, and of course the very first one they implemented was the mount namespace, and oddly enough that was the first one that Linux did as well. Namespaces in Linux appeared in the 2.4.19 kernel; that was sometime around 2002, so we've had them around for a while in Linux, no doubt about it. A Linux namespace is a feature of the kernel, and it is used to partition kernel resources. In other words, I can take something that the kernel is providing and create a wall around it, so that if I hand that off to a process it can only see that view of the world. It's kind of like chroot on steroids, in that I can affect everything about that application within the namespace definitions that I have available to me within the kernel. A namespace consists of one or more processes plus a set of resources, so you can have a group of processes, a group of users and a group of resources within that space as well. Resources can exist in multiple namespaces; they don't get consumed, so once you assign something to a namespace it's not done, you can have as many assignments as you need for that same resource. Namespaces are a fundamental aspect of containers in Linux, so let's talk about that.

Why does Linux even need these? The main purpose was to wrap some global resource in an abstraction, abstraction being a layer of definition. It's not a barrier, it's not a security barrier, it's just a way to refer to a larger group of things rather than having to list them: it's the memory, it's the CPU, it's the disk. I can refer to it as something, and then I can use that something to isolate and give that process a kind of private view of those resources. That effectively prevents that process from impacting another process that's running in a container, for example, on the same system, so that they do not inadvertently interact with one another. The process has no idea it's running inside of a namespace. As far as it knows it's running on the CPU, memory and disks that are assigned to it; it just thinks that's a processor, it just thinks that's a piece of hardware.

As of the 5.6 version of the kernel there are eight different kinds of namespaces. I have not checked this under my current one to see how many there are; I'll probably do that later today, and if I find that a couple more have been added I'll let you know, but in 5.6 there are eight. If you want to find out what namespaces are being used currently in your system you can just do an lsns command at the command line and it will show you everything that's running: it'll show you the type of namespace, the process ID that is assigned to it, the process name that's assigned to it, and probably some other information that you can gain from that as well. What you probably will see in there is one or more of these: a control group, cgroup; inter-process communication, ipc is how I think it appears on the list; mount, which would be a disk or file mount, and that would be mnt; network, net; process ID, pid; time, maybe you might see time; user, definitely you'll see that; and Unix time sharing, uts, which you might not see. We'll talk about all of these in more detail. There is one that was proposed at the time that 5.6 was released that didn't make it in, which was syslog; it was proposed as a namespace.

So let's talk a little bit about what they are. cgroup is probably the most complicated, because it has a direct impact on the containers themselves. It is used by containers to isolate a set of processes into a virtual system. Now we're not talking about virtual machines here; this is software virtualization at the container level, and this was provided through the Linux kernel. This is not like KVM or any of the type 1 hypervisors, which do isolation at the hardware level, so this is not the same thing. Now there are containers that do include a virtualization piece, and those would be a hardware and a software version of the container, but we're not talking about those today; what we're talking about is containers like Docker and LXC. A lot of people, and I don't know how many times I've heard this, say cgroups are kind of like chroot, but they're not really like chroot. chroot was very good for its time, but all it really did was isolate your file system: all it does is move the bar of where the process sees root beginning in the file tree. I can move it to my home directory, and then the process that's running in my home directory thinks that my home directory is root and can only view anything under it; it's not allowed to see any of the file paths above my home directory. Effectively that's all that chroot does, and as far as the process is concerned it still sees a full view of the CPU, the memory and any other IPC resources or network resources that are available to the machine. cgroups, however, allow me to limit, isolate and measure resources on all of those things I just mentioned, so it's much more than a chroot. They can have their own set of resource quotas: I can assign resource quotas to memory, the CPU, the network and the I/O, and indirectly I can also manage SLAs. I can also guarantee, up to a point (it's done by subtraction), the SLA for that particular resource as well.

Inter-process communication namespaces are a more security-oriented namespace. This one came from Unix System V indirectly; it was turned into a namespace. Basically IPC is used to isolate inter-process communication. That is, I've got two processes I start up and I want them to communicate with each other, but I don't want anything else to be able to listen in on that communication, and I don't want it accidentally accessed or accidentally destroyed by another application either, unless those other applications have permission to use the IPC. I don't know if anybody messes around with IPC too much anymore, but if you've done any IPC programming you know that if you set one up and then add an application to use it, the first thing that comes back if you forget to set the permission is "sorry, no IPC communication tonight". Each IPC has its own set of System V identifiers; it is a named communications channel, I guess, for want of a better word. Each of them has its own unique name, and each of them also has its own message queue, which is a file system that's built inside of it, so when I submit things that I want to communicate to the other process I have a place where I can stack them up, and the other process can then just pull them off the queue as it has time to do that. That's basically what it is and what it's for.

The mount namespace is one of the oldest ones in Linux; that was the one that was first done, and it allows different views of the file system hierarchy. In other words, any time I do a mount or umount command I'm managing the file hierarchy tree, and that is managing the mount namespace for that system. The mount namespace is used to create environments similar to chroot jails, and it is more secure than a chroot. It's quite different: with the mount namespace I can create a different set of mount points for one group of applications from another, so they don't necessarily see the same mount points, and because the data is not mounted they don't have a view to it.

The network namespace provides isolation of the system resources associated with networking. This allows each of the namespaces to have its own network device, its own IP address, its own IP routing, its own port numbers, etc. It provides additional features for containers by contributing virtual network devices which are assigned to a specific container, and it is one of the ways that, if you've ever wondered how a Docker container can have a web server at port 80 and have 50 of them running on the same box, that is possible: the namespaces provide those ports only to the container itself. Now they have to be unique when they're advertised outside of the container, but once they're inside the container it's perfectly fine to have as many port 80s or 443s as you'd like.

The pid namespace, the process ID number namespace, isolates processes by assigning process ID numbers to each one that's executing, so no matter how many copies of a process are running, each one has its own unique pid. pids are hierarchical and every pid has a parent. They all nest from pid 1, which by the way is the init process, and that is systemd in a systemd system, but that is the mother of all of the process IDs in the system; everything will fork off of that particular process. You can follow the nest all the way back from your process ID up to whatever process spawned you, which could be the shell, and then the shell process is in turn spawned by something else, and up the tree you go. There is also a child process ID that's maintained: there's a parent ID, a ppid, and there's also a child ID that's maintained, although that link doesn't show up directly, it shows up in the child itself. That allows signals, for example the kill command, to target just a specific instance of the process. Now it is a prune operation: if I kill the parent process of several children, they get an interrupt signal that says it's been killed. Whether or not they respond to it is up to the programmer to decide, whether they want to ignore it or just be zombies themselves and run under the init process and continue until they've completed their work. Anyway, eventually the Linux kernel will come around and get them, collect them up, take them out of memory and return their resources.

The time namespace provides isolation for the boot-time clocks and also offsets to the time spaces. This one is a bit strange. As I understand this, and I might be wrong, the way I understand it is that this was designed to handle the problem in containers when you have the host operating system doing preemptive multitasking. Preemptive multitasking means that I can stop the container completely from running. Well, I've got a clock that's running inside the container; if I stop it, the clock stops with it. So this was to allow the clocks to get out of sync and allow the container to think that nothing happened, that the preemptive scheduler didn't stop it for a period of time, so once it starts up again the namespace continues on and the container doesn't know that the clock stopped. That was what I understand this was designed to solve, but it also allows the container to run its own NTP processes as well. You're going to get into drift situations when the preemptor is stopping it, so if your container is hoping for an accurate time clock then it'll probably want to run its own NTP in order to make sure that those things don't pull it out of sync. That's why I understand this was done, so that's what it's about, and I don't have to cover that one in a future video; I just did it for you.

The user namespace traces back to one of the beginnings; I think this was one of the second ones that was put in, a couple of years later, but as far as the idea of user separation within Linux goes, that's a core value that goes all the way back to the beginning. The user namespace and the group are isolated to a user ID and a group ID, and those can be nested. This is one of the things that is provided in the current Linux kernel: I can set up a container that's running as an unprivileged user and yet have a privileged task running nested inside of that container, or I could even go to the extreme and have an unprivileged user starting a process that nests a process running under it as privileged. This is one of those things that's kind of worrisome to me for security, but so far it hasn't been a problem. It's just a little concerning that you're allowing an unprivileged user to escalate to root privilege status. Anyway, I'm just going to leave that one alone; I think they've talked about this in the kernel space many, many times, and so far it's not been a problem, but that doesn't mean it won't be, right? So watch this one and we'll see what happens in the future.

The Unix time sharing namespace also comes from Unix System V. It is kind of a strange name for this, in that it's meant to isolate two system identifiers from each other: my node name or host name, and my domain name. Basically this allows my container to have a host and domain name that's different from the host which is running the container itself, and each of those containers can have its own host name and its own domain name, and they don't have to be associated at all with the network on which it's running. This is how clouds are built up, how a shareable cloud is built up, based on the uts namespace. So yeah, it's a little bit misleading, but the UTS time sharing was where that was declared; the structure came from the UTS, and that is what is used in the Unix time sharing namespace.

Conclusions here: it's been almost two decades since namespaces were introduced into Linux. Now does that mean that it's old, outmoded and out of date? Certainly not. They are continuing to expand, build, tweak and improve these over time, so it's really not fair for someone to make the claim that namespaces are old and out of date. They're as good as they need to be; that's my point. If they need to be made better, propose something to the Linux Foundation and start writing the code and see if they'll take it. It has evolved to eight of them as of version 5.6, and there are more waiting to get in, so as you can see it is evolving, it is continuing to grow, it is continuing to improve. I don't agree with that comment that it's old and outdated. There are many applications that use namespaces today. Google Chrome uses them to isolate its own processes and to reduce the risk of attack from the internet side; that's just an example, and I'm sure there are many, many others that use namespaces. Anyway, I just wanted to clear up that confusion. I know it was a marketing person that said that, but anyway, it is not true, that is certainly not true, and they have been with us a very long time. Unfortunately, programs still need variables, they still need objects, objects take memory, and memory locations have to be referenced in some way or fashion. So anyway, hope you enjoyed this talk today. Hope to see you all again real soon. Please like and subscribe, and hope to see you again in the next video. Bye for now.
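The lsns command mentioned in the video gets its table from the kernel's own bookkeeping: every process has a /proc/<pid>/ns/ directory whose entries are symlinks with targets like "pid:[4026531836]", naming the namespace type and the inode that identifies that namespace instance. Two processes share a namespace of a given type exactly when those inodes match. The script below is an added example (editor's code, not from the video and not util-linux's lsns) that rebuilds that view from /proc and adds the check a responder usually wants: which namespace types a process differs in from pid 1, which is the quickest way to tell whether a process is running inside a container or sandbox. The inode numbers and the pids in make_sample_proc are constructed sample data so the script can be exercised offline; run it without arguments on a Linux host and it reads the real /proc instead.

```python
"""lsns-style namespace discovery driven by /proc/<pid>/ns/* symlinks."""
import os
import re
import tempfile
from collections import defaultdict

# The eight namespace types present as of kernel 5.6; missing ones are skipped.
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "time", "user", "uts")
_LINK_RE = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(target):
    """Parse a /proc/<pid>/ns symlink target such as 'net:[4026531992]'."""
    m = _LINK_RE.match(target)
    if not m:
        raise ValueError("not a namespace link target: %r" % target)
    return m.group("type"), int(m.group("inode"))


def process_namespaces(pid, proc="/proc"):
    """Return {ns_type: inode} for one pid (unreadable/absent types skipped)."""
    result = {}
    ns_dir = os.path.join(proc, str(pid), "ns")
    for ns_type in NS_TYPES:
        try:
            target = os.readlink(os.path.join(ns_dir, ns_type))
        except OSError:  # type unknown to this kernel, or no permission (other uid)
            continue
        result[ns_type] = parse_ns_link(target)[1]
    return result


def list_pids(proc="/proc"):
    """Numeric entries under proc are the per-process directories."""
    return sorted(int(e) for e in os.listdir(proc) if e.isdigit())


def group_by_namespace(proc="/proc"):
    """Build the lsns view: {(ns_type, inode): [pid, ...]}."""
    groups = defaultdict(list)
    for pid in list_pids(proc):
        for ns_type, inode in process_namespaces(pid, proc).items():
            groups[(ns_type, inode)].append(pid)
    return dict(groups)


def isolated_from(pid, reference_pid=1, proc="/proc"):
    """Namespace types in which pid differs from reference_pid (normally init).

    A process sharing every namespace with pid 1 sees the host's view of the
    world; one that differs in mnt/pid/net/uts is containerised or sandboxed.
    """
    mine = process_namespaces(pid, proc)
    ref = process_namespaces(reference_pid, proc)
    return sorted(t for t in mine if t in ref and mine[t] != ref[t])


def render(groups):
    """Format the groups the way lsns prints them: NS TYPE NPROCS PID."""
    lines = ["%10s %-6s %6s %6s" % ("NS", "TYPE", "NPROCS", "PID")]
    for (ns_type, inode), pids in sorted(groups.items()):
        lines.append("%10d %-6s %6d %6d" % (inode, ns_type, len(pids), min(pids)))
    return "\n".join(lines)


def make_sample_proc():
    """Constructed sample /proc tree (not captured from a real host).

    pids 1 and 2 share every namespace; pids 200 and 201 form a 'container'
    with their own ipc, mnt, net, pid and uts namespaces but the host's
    cgroup, time and user namespaces. Inode numbers are made up.
    """
    host = {"cgroup": 4026531835, "ipc": 4026531839, "mnt": 4026531840,
            "net": 4026531992, "pid": 4026531836, "time": 4026531834,
            "user": 4026531837, "uts": 4026531838}
    container = dict(host, ipc=4026532201, mnt=4026532199, net=4026532204,
                     pid=4026532202, uts=4026532200)
    root = tempfile.mkdtemp(prefix="fakeproc-")
    os.mkdir(os.path.join(root, "sys"))  # non-pid entry that list_pids must ignore
    for pid, table in ((1, host), (2, host), (200, container), (201, container)):
        ns_dir = os.path.join(root, str(pid), "ns")
        os.makedirs(ns_dir)
        for ns_type, inode in table.items():
            os.symlink("%s:[%d]" % (ns_type, inode), os.path.join(ns_dir, ns_type))
    return root


if __name__ == "__main__":
    import sys
    proc = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    print(render(group_by_namespace(proc)))
    print("\nthis process differs from pid 1 in:",
          ", ".join(isolated_from(os.getpid(), proc=proc)) or "nothing")
```

Unprivileged users can only read the ns links of their own processes, so run it as root for a complete table; the per-type counts it prints are what lsns shows in its NPROCS column, and a non-empty isolated_from result for a process you did not expect to be containerised is worth a closer look.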
Info
Channel: DJ Ware
Views: 17,517
Keywords: DJ Ware, CyberGizmo, Docker Containers, Linux Namespaces, Linux Kernel
Id: dunL7EXDRKs
Length: 21min 13sec (1273 seconds)
Published: Mon Aug 24 2020