Isolating systems with Linux Namespaces

by | Nov 16, 2016

If you’ve used tools like Docker, you already know that these tools are capable of isolating processes in small “containers”. Running processes in Docker containers is like running them in virtual machines, only these containers are significantly lighter than virtual machines.

With the introduction of Linux namespaces, it became possible to have multiple “nested” process trees. Each process tree can have an entirely isolated set of processes. This ensures that processes belonging to one process tree cannot inspect or kill, and in fact cannot even learn of the existence of, processes in sibling or parent process trees. Every time a Linux system boots, it starts with just one process, with process identifier (PID) 1. This process is the root of the process tree, and it initiates the rest of the system by performing the appropriate maintenance work and starting the correct daemons/services.

All the other processes start below this process in the tree. The PID namespace allows one to spin off a new tree, with its own PID 1 process. The process that does this remains in the parent namespace, in the original tree, but makes the child the root of its own process tree.

A network namespace allows each of these processes to see an entirely different set of networking interfaces. Even the loopback interface is different for each network namespace. In order to provide a usable network interface in the child namespace, it is necessary to set up additional “virtual” network interfaces which span multiple namespaces. Linux also maintains a data structure for all the mountpoints of the system. It includes information like which disk partitions are mounted, where they are mounted, whether they are read-only, and so on. The mount namespace gives a process its own copy of this table, so mounts made inside it are not visible outside.

There are other namespaces that these processes can be isolated into, namely user, IPC, and UTS. The user namespace allows a process to have root privileges within the namespace, without giving it that access to processes outside of the namespace. Isolating a process by the IPC namespace gives it its own interprocess communication resources, for example, System V IPC objects and POSIX message queues. The UTS namespace isolates two specific identifiers of the system: nodename and domainname.
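The following program makes the PID, user, UTS and network namespaces described above concrete. It is an added example written for this page, not code from the original article or from Toptal, and it assumes a Linux kernel that lets an unprivileged user create user namespaces (otherwise it reports that namespace creation is not permitted and stops). The child is cloned into all four namespaces at once; it becomes PID 1 of its own tree, maps the caller's uid to root inside the user namespace, changes the nodename in its private UTS namespace, and counts the interfaces in its fresh network namespace, where only a loopback device exists. The parent then shows that its own nodename was left untouched. `DEMO_HOSTNAME`, `ns_report` and `spawn_isolated` are names chosen for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/utsname.h>
#include <sys/wait.h>

#define DEMO_HOSTNAME "ns-demo-host"   /* constructed value for this example */
enum ns_result { NS_OK = 0, NS_UNAVAILABLE = 1, NS_ERROR = 2 };

/* What the child reports back to the parent through a pipe. */
struct ns_report {
    pid_t pid_inside;    /* getpid() in the new PID namespace: expect 1 */
    uid_t euid_inside;   /* geteuid() after mapping ourselves to root: expect 0 */
    int   ifaces;        /* interfaces in the new network namespace: expect 1 (lo) */
    char  hostname[65];  /* nodename in the new UTS namespace */
    int   complete;      /* 1 when every step in the child succeeded */
};
struct child_arg { int pipe_w; uid_t outer_uid; };
static char child_stack[64 * 1024];

/* Runs as PID 1 of a fresh PID namespace, inside new user, UTS and network namespaces. */
static int child_fn(void *arg) {
    struct child_arg *a = arg;
    struct ns_report r = {0};
    struct utsname u;
    struct if_nameindex *ifs;
    char line[32];
    int fd, ok = 0;

    r.pid_inside = getpid();
    /* Map the outer uid to 0 here: root inside this namespace, unprivileged outside.
       The parent passes its uid because getuid() is still unmapped (65534) at this point. */
    snprintf(line, sizeof line, "0 %u 1\n", (unsigned)a->outer_uid);
    if ((fd = open("/proc/self/uid_map", O_WRONLY)) >= 0) {
        ok = write(fd, line, strlen(line)) == (ssize_t)strlen(line);
        close(fd);
    }
    r.euid_inside = geteuid();
    /* Only this UTS namespace sees the new nodename; the parent keeps its own. */
    ok = ok && sethostname(DEMO_HOSTNAME, strlen(DEMO_HOSTNAME)) == 0;
    if (uname(&u) == 0) snprintf(r.hostname, sizeof r.hostname, "%s", u.nodename);
    /* A new network namespace starts with nothing but its own loopback device. */
    if ((ifs = if_nameindex()) != NULL) {
        for (struct if_nameindex *p = ifs; p->if_index != 0; p++) r.ifaces++;
        if_freenameindex(ifs);
    } else ok = 0;
    r.complete = ok;
    return write(a->pipe_w, &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1;
}

/* Clone a child into new user, PID, UTS and network namespaces, collect its report and
   record the parent's own nodename afterwards to show that it was left untouched. */
static enum ns_result spawn_isolated(struct ns_report *out, char *parent_host, size_t len) {
    int fds[2], status, err;
    struct child_arg a;
    struct utsname u;
    ssize_t n;
    pid_t pid;

    if (pipe(fds) != 0) return NS_ERROR;
    a.pipe_w = fds[1];
    a.outer_uid = getuid();
    /* The stack grows downwards on x86 and arm, so clone() is given its top end. */
    pid = clone(child_fn, child_stack + sizeof child_stack,
                CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWNET | SIGCHLD, &a);
    err = errno;
    close(fds[1]);
    if (pid < 0) {
        close(fds[0]);
        /* Kernel build, sysctl or seccomp policy refused unprivileged namespace creation. */
        return (err == EPERM || err == EACCES || err == EINVAL || err == ENOSYS ||
                err == ENOSPC || err == EUSERS) ? NS_UNAVAILABLE : NS_ERROR;
    }
    n = read(fds[0], out, sizeof *out);
    close(fds[0]);
    waitpid(pid, &status, 0);
    if (uname(&u) == 0) snprintf(parent_host, len, "%s", u.nodename);
    else parent_host[0] = '\0';
    if (n != (ssize_t)sizeof *out) return NS_ERROR;     /* child died before reporting */
    return out->complete ? NS_OK : NS_UNAVAILABLE;
}

int main(void) {
    struct ns_report r;
    char host[65];
    enum ns_result res = spawn_isolated(&r, host, sizeof host);
    if (res != NS_OK) { puts(res == NS_ERROR ? "unexpected failure" : "not permitted here"); return res; }
    printf("inside:  pid=%ld euid=%u ifaces=%d hostname=%s\n",
           (long)r.pid_inside, (unsigned)r.euid_inside, r.ifaces, r.hostname);
    printf("outside: hostname=%s (unchanged)\n", host);
    return 0;
}
```

Build with `gcc -O2 -o ns_demo ns_demo.c` and run as a normal user. Where unprivileged user namespaces are enabled, the output shows `pid=1`, `euid=0`, `ifaces=1` and the constructed nodename inside, with the real hostname reported unchanged outside. Where a distribution sysctl or a seccomp profile (the Docker default, for instance) blocks namespace creation, `clone()` fails with `EPERM` and the program says so instead of crashing; that refusal is itself a useful signal when auditing how much of this isolation a given host hands to unprivileged code.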

For more details, please refer to the original article on the Toptal blog.
