From Gentoo Wiki

Linux namespaces wrap system resources so that processes inside a namespace appear to have their own isolated instance of that resource. Changes made within the namespace are not visible outside it, on the rest of the system.

Namespace Types

The following namespaces are available in Linux:

  • Cgroup - Provides a new cgroup root directory for the process.
  • IPC - Provides isolated System V IPC objects and POSIX message queues.
  • Network - Isolated network devices, IP stacks, routing tables, firewall rules, used ports, UNIX sockets, and more.
  • Mount - Isolated mount records for the process, providing a distinct single-directory hierarchy.
  • PID - Provides a new PID tree, starting at 1 like a typical Linux system.
  • Time - Provides two virtual clocks for the process: CLOCK_MONOTONIC and CLOCK_BOOTTIME.
  • User - Provides isolated user security identifiers and attributes such as UIDs, GIDs, keyrings, and capabilities.
  • UTS - Isolates the process's hostname and NIS domain name, as set with sethostname and setdomainname.

For each namespace type there is a man page, e.g. man mount_namespaces or man user_namespaces.

Interacting with Namespaces

Creating a new namespace

To create a new user namespace, mapped to the root user and group within the namespace:

user $ unshare --map-auto -S 0 -G 0

Entering an existing namespace

If a process is already running in a namespace, nsenter can be used to interact with it.

To enter the user namespace of the process with PID 12345 and become UID 0 / GID 0 inside it:

user $ nsenter --target 12345 --setuid 0 --setgid 0 --user

A command can be specified with nsenter; if none is given, it starts the shell named in ${SHELL}.
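As an added example that is not part of this wiki page, the POSIX shell script below reads namespace membership from /proc/<pid>/ns/* (the same identifiers nsenter uses) and checks that a child started with unshare -U really lands in a new user namespace while still sharing the parent's UTS namespace. The function names ns_id, same_ns, list_ns and demo_unshare are chosen here; it assumes a mounted /proc and, for the demo, that unprivileged user namespaces are permitted.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki page: verify namespace isolation by
# reading /proc/<pid>/ns/*. Needs a mounted /proc; the unshare demo also needs
# unprivileged user namespaces to be allowed on this kernel.

# Print the identifier of one namespace of a process, e.g. "uts:[4026531838]".
# Two processes are in the same namespace exactly when these strings match.
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null
}

# Exit 0 if processes $1 and $2 share namespace type $3, 1 if they do not,
# 2 if either cannot be inspected (no /proc entry or no permission).
same_ns() {
    a=$(ns_id "$1" "$3") && [ -n "$a" ] || return 2
    b=$(ns_id "$2" "$3") && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# List every namespace a process belongs to, "type id" per line, sorted so
# the output for two processes can be compared with diff.
list_ns() {
    for f in /proc/"$1"/ns/*; do
        echo "${f##*/} $(readlink "$f")"
    done | sort
}

# Start a child in a new user namespace (unshare -U, like --map-auto on the
# page but without the UID mapping) and confirm it reports a different user
# namespace than this shell while still sharing the UTS namespace.
# Returns 0 when both hold, or when user namespaces are unavailable here.
demo_unshare() {
    if ! unshare -U true 2>/dev/null; then
        echo "unprivileged user namespaces not available; demo skipped" >&2
        return 0
    fi
    # readlink is exec'd directly inside the new namespace, so /proc/self
    # refers to a process that lives there.
    child_user=$(unshare -U readlink /proc/self/ns/user)
    child_uts=$(unshare -U readlink /proc/self/ns/uts)
    [ "$child_user" != "$(ns_id $$ user)" ] || return 1
    [ "$child_uts" = "$(ns_id $$ uts)" ] || return 1
}

# Stand-alone use: show this shell's namespaces, then run the check.
list_ns $$
demo_unshare && echo "unshare -U: new user ns, shared uts ns (as expected)"
```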