Namespaces and Cgroups

Abhishek Amralkar
4 min readDec 11, 2023

--

Photo by Ian Taylor on Unsplash

Namespaces are Linux kernel features that logically partition the resources such that 1 set of processes sees 1 set of resources and another set of processes sees another set of resources.

  1. UTS:

Unix Time Sharing namespace allows us to set the hostname

sudo unshare --uts sh

❯ sudo unshare --uts sh
# hostname
bhisma
# hostname demo-uts
# hostname
demo-uts
# exit
❯ hostname
bhisma

unshare is the command we can use to create a namespace, in the above example I created a new uts namespace and it inherited the hostname from the host, later I changed it.

2. PID:

Process ID namespace allows the user to create a Process isolation. Each process in a `unix-like` operating system gets a numeric identifier called a PID (Process Identifier) and each PID is unique and each PID is tracked in a pseudo-filesystem called /proc files. The main process gets PID 1.

# Create new directory
mkdir pid-demo
# Download minimal roofs
curl http://dl-cdn.alpinelinux.org/alpine/v3.18/releases/x86_64/alpine-minirootfs-3.18.4-x86_64.tar.gz | tar -xz -C pid_demo

# Create a PID namespace using minimal rootfs
sudo unshare --pid --fork chroot pid-demo sh
sleep 100

# In new tab check process on host
ps -C sleep

PID TTY TIME CMD
77086 pts/2 00:00:00 sleep

❯ ls -l /proc/77086/root
lrwxrwxrwx 1 root root 0 Nov 27 21:42 /proc/77086/root -> /pid-demo

The above example shows that the sleep process has access to other filesystems.

3. mount:

The Mount namespace is used to isolate the mount points. Any process running should only see its mount points.

sudo unshare sh
mount --bind pid-demo mount-demo

4. network:

Network namespaces can be used to virtualize the network stack. Each network namespace contains its resource properties within /proc/net. Furthermore, a network namespace contains only a loopback interface on initial creation.

Every network interface (physical or virtual) is present once per namespace. An interface may be moved between namespaces. Each namespace contains a private set of IP addresses, its routing table, socket listing, connection tracking table, firewall, and other network-related resources.

Destroying a network namespace destroys any virtual and moves any physical interfaces back to the initial network namespace.

To create a network namespace we can use ip command

ip netns add n1
ip netns add n2

# to list
ip netns list
n2
n1
  • Create VETH(Virtual Ethernet) pair
ip link add veth0 type veth peer name veth1

We created a pair of veth pair veth0 and veth1 . The veth0 the end will be associated to n1 and veth1 the end will be associated to n2 .

ip link show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
link/ether b8:81:98:5a:fc:0d brd ff:ff:ff:ff:ff:ff
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:b6:cf:34:85 brd ff:ff:ff:ff:ff:ff
4: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether ba:4a:3b:34:f7:19 brd ff:ff:ff:ff:ff:ff
5: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether a2:99:b4:01:22:26 brd ff:ff:ff:ff:ff:ff

Check lines 4 and 5 for veth the pair, currently the state is `down`

  • Activate the veth in the namespace
sudo ip link set veth0 netns n1
sudo ip link set veth1 netns n2
  • Assign IP Adress
sudo ip netns exec n1 ip a

1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
5: veth0@if4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
sudo ip netns exec n1 ip addr add 10.0.0.1/24 dev veth0 && sudo ip netns exec n1 ip link set dev veth0 up
sudo ip netns exec n2 ip addr add 10.0.0.2/24 dev veth1 && sudo ip netns exec n2 ip link set dev veth1 up
  • Verify IP
ip netns exec n1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
5: veth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether a2:99:b4:01:22:26 brd ff:ff:ff:ff:ff:ff link-netns n2
inet 10.0.0.1/24 scope global veth0
valid_lft forever preferred_lft forever
inet6 fe80::a099:b4ff:fe01:2226/64 scope link
valid_lft forever preferred_lft forever
  • Check connectivity
sudo ip netns exec n1 bash

in another terminal

sudo ip netns exec n2 bash

5. IPC:

Inter-Process communication provides separation isolation for process communication mechanisms such as semaphores, message queues, and shared memory segments.

ipcs -m

------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x00000000 65550 anayamralk 600 524288 2 dest
0x00000000 65562 aaa 600 524288 2 dest
0x00000000 32820 aaa 600 4194304 2 dest
0x00000000 622655 aaa 600 67108864 2 dest

6. Cgroups:

Control Groups is a Linux Kernel feature that limits, and accounts for isolating resource usage like processor time, number of processes per group, amount of memory per control group, or combination of such resources for a process or set of processes. Cgroups are organized hierarchically.

To check enabled Cgroups

cat /proc/cgroups

#subsys_name hierarchy num_cgroups enabled
cpuset 0 332 1
cpu 0 332 1
cpuacct 0 332 1
blkio 0 332 1
memory 0 332 1
devices 0 332 1
freezer 0 332 1
net_cls 0 332 1
perf_event 0 332 1
net_prio 0 332 1
hugetlb 0 332 1
pids 0 332 1
rdma 0 332 1
misc 0 332 1

7. User:

User namespace is a Linux kernel feature that provides isolation of user and group ID mappings, which allows each user namespace to have its own set of user and group ID’s.

unshare -Ur /bin/bash
root@bhisma:~# whoami
root

--

--