namespace of linux code

Others 2021-03-02 22:02:52 views: null

/*
 * 2020/12/15 11:58 yin
 *
 * namespace is a feature provided by the linux kernel, born for virtualization
 */


/*
 * nsproxy
 */

struct nsproxy {
    atomic_t count;
    struct uts_namespace *uts_ns;
    struct ipc_namespace *ipc_ns;
    struct mnt_namespace *mnt_ns;
    struct pid_namespace *pid_ns_for_children;
    struct net          *net_ns;
    struct cgroup_namespace *cgroup_ns;
};
extern struct nsproxy init_nsproxy;


/*
 * namespace
 */

    Mechanism provides a solution for resource isolation

    Namespace is a kind of encapsulation and isolation of global system resources, so that processes in different namespaces have independent global system resources.
    Changing the system resources in a namespace will only affect the processes in the current namespace, and has no effect on processes in other namespaces.

    cat /proc/[pid]/ns

    There are currently 7 namespaces implemented and supported in the Linux kernel

    Name Definition Description

    Cgroup        CLONE_NEWCGROUP            Cgroup root directory ( Linux 4.6)

    IPC CLONE_NEWIPC isolates inter-process communication (Linux 2.6.19)

    Network CLONE_NEWNET isolate network resources (Linux 2.6.24)

    Mount CLONE_NEWNS isolated file system mount point (Linux 2.4.19)

    PID CLONE_NEWPID Isolation process ID (Linux 2.6.24)

    User CLONE_NEWUSER Isolate user and user group ID (started in Linux 2.6.23 and completed in Linux 3.8)

    UTS CLONE_NEWUTS (UNIX Time-sharing System) namespace provides the isolation of host name and domain name
                                        to enable child processes to have independent host names and domain names (hostname). This feature is used in Docker container technology,
                                        making docker containers on the network Treated as an independent node, not just a process on the host.

/*
 * PID Namespace
 */
    The system call to create a process in a Linux system is clone()

    int pid = clone(main_function, stack_size, SIGCHLD, NULL);

    This system call will create a new process for us and return its process number pid.

    When we create a new process with the clone() system call, we can specify the CLONE_NEWPID parameter in the parameter, such as:

    int pid = clone(main_function, stack_size, CLONE_NEWPID | SIGCHLD, NULL);

    At this time, the newly created process will "see" a brand new process space in which its PID is 1.


/*
 * Docker
 */
    Docker uses the UTS namespace principle, each image can name the hostname of the image with the service name provided by itself, and will not have any impact on the host,
    thereby achieving the isolation effect of the host name and domain name.

    Namespace is a feature provided by the linux kernel, born for virtualization. With the birth of docker, the container technology has been detonated, and the namespace technology that has been silently dedicated for a long time in the background has also been pushed to everyone.


/*
 * UTS Namespace
 */

    UTS Namespace provides the isolation of host name and domain name, that is, the two fields of nodename and domainname in struct utsname. There can be independent host names and domain names in different Namespaces.

    So why do you need to isolate the host name and domain name? Because host names and domain names can be used instead of IP addresses, without this layer of isolation, network access to different containers on the same host may cause problems.


/*
 * IPC Namespace
 */
    IPC Namespace is the isolation of inter-process communication. Common methods of inter-process communication include semaphores, message queues and shared memory.
    
    IPC Namespace is mainly aimed at SystemV IPC and Posix message queues. These IPC mechanisms will use identifiers, such as using identifiers to distinguish different message queues.

    The goal of IPC Namespace is that the same identifier represents different communication media (such as semaphores, message queues, and shared memory) in different Namepspaces.


/*
 * API
 */
    /* Create a new process and put it in the new namespace*/
    int clone(int (*child_func)(void *), void *child_stack, int flags, void *arg);

    /* Add the current process to the existing namespace*/
    int setns(int fd, int nstype);

    /* Make the current process exit the specified type of namespace and add it to the newly created namespace (equivalent to creating and adding a new namespace) */
    int unshare(int flags);

    /* The difference between clone and unshare*/
    Both are to create and add a new namespace, the difference is:
    unshare is to make the current process join the new namespace,
    clone is to create a new child process, and then let the child process join the new namespace, While the current process remains unchanged
        

 

Guess you like

Origin blog.csdn.net/xiaozhiwise/article/details/111213620
Recommended
The number of MaxKB GitHub Stars, an open source knowledge base question and answer system based on large language models, exceeded 5,000!
Ranking
Getting the basic concepts of ROS + catkin Profile
Spring Learning (2) --- Assembling Beans in the IoC Container
js to get the src attribute of the image regularly
STM32 is based on CubeIDE and HAL library basics entry study notes: Bluetooth WIFI STM32 connects to Alibaba Cloud
Short video learning - 3, pandas simple use of pivot_table
Print directory of project configuration log, output log
Understand the difference between vi and vim in Linux in 3 minutes
1 + x certificate Web front-end development HTML5 special exercises
mangodb save and insert the difference
7-1 Family tree processing (50 points) (binary tree solution)
Daily
More
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)

Code World

© 2018 codetd.com