Namespaces
From Gentoo Wiki
Linux Namespaces wrap system resources, making processes within that namespace appear to have isolated instances of that resource. Changes can be made within the namespace that will not be visible outside, on the system.
Namespace Types
The following namespaces are available in Linux:
- Cgroup - Provides a new Cgroup root directory for the process.
- IPC - Provides System V IPC and POSIX message queues.
- Network - Isolated network devices, IP stacks, routing tables, firewall rules, used ports, UNIX sockets, and more.
- Mount - Isolated mount records for the process, providing distinct single-directory hierarchies.
- PID - Provides a new PID tree, starting at 1 like a typical Linux system.
- Time - Provides 2 virtual clocks for the process:
CLOCK_MONOTONIC
, andCLOCK_BOOTTIME
. - User - Provides isolated user security identifiers and attributes, such as: UIDs, GIDs, keyrings, capabilities.
- UTS - Isolates the process' hostname and NIS domain name using sethostname and setdomainname.
Tip
For each namespace type, there is a man page, ex: man mount_namespaces or man user_namespaces.
For each namespace type, there is a man page, ex: man mount_namespaces or man user_namespaces.
Interacting with Namespaces
Creating a new namespace
To create a new user namespace, mapped to the root user and group within the namespace:
user $
unshare --map-auto -S 0 -G 0
Entering an existing namespace
If a process is already running in a namespace, nsenter can be used to interact with it.
To get root user context within a namespace running on PID 12345:
user $
nsenter --target 12345 --setuid 0 --setgid 0 --user
Tip
A command can be specified with nsenter, but if one is not specified, it will start a shell specified by ${SHELL}.
A command can be specified with nsenter, but if one is not specified, it will start a shell specified by ${SHELL}.