Namespace - overview of Linux namespaces

April 1, 2021 Linux

Namespaces

A namespace is the Linux kernel's mechanism for isolating kernel resources, and in effect a form of access control over them: processes in the same namespace share a given set of resources (process IDs, mount points, network devices and so on), while processes outside that namespace cannot see or reach them.

At this point this may already sound a lot like Docker. Indeed, the namespace facilities provided by Linux are the foundation on which containers were built.

Official documentation: https://man7.org/linux/man-pages/man7/namespaces.7.html

Linux isolation types

Name        Macro flag        Isolates
Cgroup      CLONE_NEWCGROUP   Cgroup root directory (since Linux 4.6)
IPC         CLONE_NEWIPC      System V IPC, POSIX message queues (since Linux 2.6.19)
Network     CLONE_NEWNET      Network devices, stacks, ports, etc. (since Linux 2.6.24)
Mount       CLONE_NEWNS       Mount points (since Linux 2.4.19)
PID         CLONE_NEWPID      Process IDs (since Linux 2.6.24)
User        CLONE_NEWUSER     User and group IDs (started in Linux 2.6.23 and completed in Linux 3.8)
UTS         CLONE_NEWUTS      Hostname and NIS domain name (since Linux 2.6.19)
  • Cgroup: the process's view of the cgroup hierarchy (which directory it sees as the cgroup root); the resource limits themselves are enforced by cgroups, not by this namespace
  • IPC: inter-process communication objects (System V IPC, POSIX message queues)
  • Network: the network stack (interfaces, addresses, routes, ports, firewall rules)
  • Mount: the set of mount points, i.e. the filesystem view
  • PID: process ID numbering
  • User: user and group IDs, and with them capabilities
  • UTS: hostname and NIS domain name

Viewing a process's namespaces

❯ ls -al /proc/$$/ns
total 0
dr-x--x--x 2 root root 0 Apr  1 15:50 .
dr-xr-xr-x 9 root root 0 Apr  1 15:43 ..
lrwxrwxrwx 1 root root 0 Apr  1 15:50 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Apr  1 15:50 ipc -> ipc:[4026531839]
lrwxrwxrwx 1 root root 0 Apr  1 15:50 mnt -> mnt:[4026531840]
lrwxrwxrwx 1 root root 0 Apr  1 15:50 net -> net:[4026532293]
lrwxrwxrwx 1 root root 0 Apr  1 15:50 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Apr  1 15:50 pid_for_children -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Apr  1 15:50 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Apr  1 15:50 uts -> uts:[4026531838]

Each entry is a symbolic link whose target has the form type:[inode]. If the corresponding links of two processes point to the same target, the two processes are in the same namespace for that resource; comparing the link targets (for example with readlink) is therefore the standard way to check namespace membership from user space.
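A small helper, added here and not part of the original post, that turns this check into something scriptable: it compares the /proc/PID/ns links of two processes and enumerates every visible process that shares a given namespace. It relies only on readlink and the /proc layout shown above; the function names are my own.

```shell
#!/usr/bin/env bash
# Compare and enumerate namespace membership via /proc/<pid>/ns/*.
# Every entry there is a symlink whose target reads "<type>:[<inode>]"; two
# processes whose links resolve to the same target share that namespace.

# ns_id PID TYPE -> prints the link target, e.g. "net:[4026531992]"
ns_id() {
    readlink "/proc/$1/ns/$2"
}

# same_ns PID1 PID2 TYPE -> exit 0 if both processes share that namespace,
# 2 if either process cannot be inspected (gone, or not ours to read)
same_ns() {
    local a b
    a=$(ns_id "$1" "$3") || return 2
    b=$(ns_id "$2" "$3") || return 2
    [ "$a" = "$b" ]
}

# procs_in_ns PID TYPE -> list every visible PID in the same namespace as PID
procs_in_ns() {
    local target p
    target=$(ns_id "$1" "$2") || return 2
    for p in /proc/[0-9]*; do
        p=${p#/proc/}
        # readlink fails for processes we may not inspect or that already exited;
        # those simply do not match.
        [ "$(readlink "/proc/$p/ns/$2" 2>/dev/null)" = "$target" ] && echo "$p"
    done
}
```

On the host from the transcript below, procs_in_ns 5345 net would list the container's processes (and any shell you have left open with nsenter -n), since they all share the container's network namespace.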

Related system calls

clone, setns, unshare, ioctl

clone(2) creates a child process directly inside new namespaces (CLONE_NEW* flags); unshare(2) moves the calling process into new namespaces; setns(2) joins an existing namespace given a file descriptor for one of the /proc/PID/ns/* entries, which is what nsenter uses; ioctl(2) operations on those same file descriptors (see ioctl_ns(2)) query namespace relationships, such as the owning user namespace or the parent of a PID or user namespace.

Capturing a container's traffic from the host

1. Get the container's PID

❯ docker ps
CONTAINER ID        IMAGE                      COMMAND                  CREATED             STATUS              PORTS                     NAMES
7ea005a0b2fb        hive_agent:3.401.140-120   "/bin/bash /titan/ag…"   5 weeks ago         Up About a minute                             hiveagent
ea9f21f54b50        pwn_awd                    "/run.sh"                5 months ago        Up About an hour    0.0.0.0:10004->9999/tcp   awd

root@ubuntu ~
❯ docker inspect --format "{{.State.Pid}}" awd
5345

2. Enter the container's network namespace with nsenter

Run ip a before and after to see the change. nsenter -n -t 5345 starts a new shell (your $SHELL) that has joined only the network namespace of PID 5345; the mount, PID, user and other namespaces remain the host's, which is why host tools such as ip and tcpdump keep working inside it. Before, the host sees docker0 and the veth end of the container's link; after, only lo and the container's eth0 (172.17.0.2) are visible. The @ifN suffixes identify the two ends of the same veth pair: host veth9d533b3 is interface 5 with peer index 4, and container eth0 is interface 4 with peer index 5.

root@ubuntu ~
❯ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1c:42:bf:dc:a6 brd ff:ff:ff:ff:ff:ff
    inet 10.211.55.9/24 brd 10.211.55.255 scope global dynamic enp0s5
       valid_lft 1676sec preferred_lft 1676sec
    inet6 fdb2:2c26:f4e4:0:8391:699:255e:b634/64 scope global noprefixroute dynamic 
       valid_lft 2591983sec preferred_lft 604783sec
    inet6 fe80::593f:cc6d:4234:e5e6/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:7f:af:0d:34 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:7fff:feaf:d34/64 scope link 
       valid_lft forever preferred_lft forever
5: veth9d533b3@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 66:fb:dd:d0:6d:68 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::64fb:ddff:fed0:6d68/64 scope link 
       valid_lft forever preferred_lft forever

root@ubuntu ~
❯ nsenter -n -t 5345

root@ubuntu ~
❯ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever


3. Capture traffic with tcpdump

Inside the shell opened by nsenter, run the host's tcpdump as usual; -i eth0 now refers to the container's interface, and nothing needs to be installed in the container:

tcpdump -i eth0 -nn -vv
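The three steps above put together as a single host-side script, written as an added example and not part of the original post. The container name awd and interface eth0 come from the transcript; the valid_pid guard, the expose_netns helper and the output path are my additions. Because only the network namespace is joined, the pcap is written to the host's filesystem, not the container's.

```shell
#!/usr/bin/env bash
# Capture a Docker container's traffic from the host without installing
# tcpdump inside the container.  Only the container's *network* namespace is
# joined (nsenter --net), so the host's tcpdump binary runs and the pcap is
# written into the host's filesystem, while the interfaces, addresses and
# packets seen are the container's.
set -eu

# valid_pid STR -> true only for a positive integer.  docker inspect reports
# Pid 0 for a stopped container, and nsenter must never be pointed at that.
valid_pid() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# container_pid NAME -> host PID of the container's init process
container_pid() {
    local pid
    pid=$(docker inspect --format '{{.State.Pid}}' "$1")
    valid_pid "$pid" || { echo "container $1 is not running (Pid=$pid)" >&2; return 1; }
    printf '%s\n' "$pid"
}

# capture NAME [IFACE] [OUTFILE] -> run tcpdump inside the container's network
# namespace.  OUTFILE is a path on the host (default: NAME.pcap in the cwd).
capture() {
    local name=$1 iface=${2:-eth0} out=${3:-$1.pcap} pid
    pid=$(container_pid "$name")
    nsenter --net --target "$pid" -- tcpdump -i "$iface" -nn -s 0 -w "$out"
}

# expose_netns NAME -> make the container's network namespace visible to
# `ip netns` (Docker does not register it there), so that afterwards
#   ip netns exec NAME tcpdump -i eth0 -nn
# works as well.  Remove /var/run/netns/NAME again when done.
expose_netns() {
    local pid
    pid=$(container_pid "$1")
    mkdir -p /var/run/netns
    ln -sfn "/proc/$pid/ns/net" "/var/run/netns/$1"
}

# Usage (as root on the host):  ./capture.sh awd eth0 /tmp/awd.pcap
if [ "$#" -ge 1 ]; then
    capture "$@"
fi
```

Stop the capture with Ctrl-C; the file is then readable on the host with tcpdump -r or Wireshark. The expose_netns variant is handy when several people or tools need to reach the same container namespace repeatedly, since ip netns exec works without looking up the PID each time.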
