[Cloud native • Docker] Docker core UTS Namespace principle practice

Docker's three core pillar technologies are Namespace, Cgroups and UnionFS. This section uses a simple hands-on case with the UTS Namespace to give a more intuitive understanding of how Namespaces isolate resources.

The UTS Namespace isolates the hostname and domain name, so each UTS Namespace can have its own independent hostname. For example, our host's name is VM-4-14-centos, while the hostname inside a container's UTS Namespace can be container-docker or any other custom name.

UTS Namespace case practice

Before starting the hands-on case, let's first get to know a key command: unshare, which runs a program with some namespaces unshared from (that is, not shared with) its parent.

root@node3:~# unshare --help
Usage:
 unshare [options] <program> [<argument>...]

Run a program with some namespaces unshared from the parent.

Options:
-h, --help
显示帮助文本并退出。
-i, --ipc 取消共享IPC名称空间。
-m, --mount 取消共享安装名称空间。
-n, --net 取消共享网络名称空间。
-p, --pid 取消共享pid名称空间。另请参见--fork和--mount-proc选项。
-u, --uts 取消共享UTS名称空间。
-U, --user 取消共享用户名称空间。
-f, --fork 将指定程序fork为取消共享的子进程,而不是直接运行它。这在创建新的pid命名空间时很有用。
--mount-proc[=mountpoint] 在运行程序之前,将proc文件系统挂载到mountpoint (默认为/proc)。这在创建新的pid名称空间时很有用。这也意味着创建一个新的挂载名称空间,因为/proc挂载否则会破坏系统上的现有程序。新的proc文件系统显式安装为私有文件(由MS_PRIVATE | MS_REC)。
-r, --map-root-user 仅在当前有效的用户和组ID已映射到新创建的用户名称空间中的超级用户UID和GID之后,才运行该程序。这样即使在没有特权的情况下运行,也可以方便地获得管理新创建的名称空间各个方面所需的功能(例如,在网络名称空间中配置接口或在安装名称空间中安装文件系统)。仅作为一项便利功能,它不支持更复杂的用例,例如映射多个范围的UID和GID。

Let's verify the role of the UTS Namespace with an example.

1. First, create a new UTS Namespace with the unshare command:

# unshare --uts --fork /bin/bash

After the UTS Namespace is created, list the namespaces from a shell on the host machine with lsns; you will find that the last entry is the uts-type namespace we just created with unshare:

[screenshot: lsns output on the host; the last entry is the newly created uts namespace]

2. Go back to the shell inside the uts namespace created in the previous step and set the hostname with the hostname command:

[root@VM-4-14-centos ~]# hostname
VM-4-14-centos
[root@VM-4-14-centos ~]# hostname -b container-docker
[root@VM-4-14-centos ~]# hostname
container-docker

From the output of the commands above, we can see that the hostname in the current UTS Namespace has been changed to container-docker.

3. Go back to the shell on the host machine and check the host's hostname:

[root@VM-4-14-centos ~]# hostname
VM-4-14-centos

The host's name is still VM-4-14-centos and has not been modified. This is how UTS Namespace technology implements hostname isolation.
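The unshare command is a thin wrapper around the unshare(2) system call, so the same experiment can be carried out directly in C. The program below is an added example and is not part of the original article: a child process detaches into a new UTS namespace with CLONE_NEWUTS, calls sethostname there, and reports the name it sees back over a pipe, while the parent (which never left the host's namespace) reads its own hostname afterwards and shows it unchanged. The struct and function names (uts_result, demo_uts_isolation, current_hostname) are this example's own. A plain CLONE_NEWUTS needs CAP_SYS_ADMIN; when it is refused the code retries together with CLONE_NEWUSER, which is the same trick that lets an unprivileged user run `unshare -U -u`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one isolation experiment (names are this example's own). */
struct uts_result {
    int  rc;              /* 0 on success, -errno if the new namespace could not be created */
    char child_seen[65];  /* hostname observed inside the new UTS namespace */
    char parent_seen[65]; /* hostname observed by the parent afterwards (must be unchanged) */
};

/* Read the hostname of the calling process's UTS namespace via uname(2). */
static int current_hostname(char *buf, size_t n) {
    struct utsname u;
    if (uname(&u) != 0) return -errno;
    snprintf(buf, n, "%s", u.nodename);
    return 0;
}

/* Fork a child, move it into a fresh UTS namespace, set a hostname there and
 * report what each side sees. CLONE_NEWUTS alone needs CAP_SYS_ADMIN (root);
 * if that is refused we retry together with a new user namespace, in which the
 * child holds CAP_SYS_ADMIN and may therefore call sethostname. The parent
 * never leaves its original namespace, so its hostname must stay the same. */
struct uts_result demo_uts_isolation(const char *new_name) {
    struct uts_result r;
    int fds[2];
    pid_t pid;

    memset(&r, 0, sizeof r);
    r.rc = -EIO;                         /* replaced by the child's report below */
    if (pipe(fds) != 0) { r.rc = -errno; return r; }
    pid = fork();
    if (pid < 0) { r.rc = -errno; return r; }

    if (pid == 0) {                      /* child: the "container" side */
        int rc = 0;
        char name[65] = "";
        close(fds[0]);
        if (unshare(CLONE_NEWUTS) != 0) {
            rc = -errno;
            if (rc == -EPERM && unshare(CLONE_NEWUSER | CLONE_NEWUTS) == 0) rc = 0;
        }
        if (rc == 0 && sethostname(new_name, strlen(new_name)) != 0) rc = -errno;
        if (rc == 0) rc = current_hostname(name, sizeof name);
        (void)!write(fds[1], &rc, sizeof rc);       /* report: status, then the name seen */
        (void)!write(fds[1], name, sizeof name);
        _exit(0);
    }

    close(fds[1]);                       /* parent: the host side */
    (void)!read(fds[0], &r.rc, sizeof r.rc);
    (void)!read(fds[0], r.child_seen, sizeof r.child_seen);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (r.rc == 0) r.rc = current_hostname(r.parent_seen, sizeof r.parent_seen);
    return r;
}

int main(void) {
    char before[65];
    struct uts_result r;

    if (current_hostname(before, sizeof before) != 0) return 1;
    r = demo_uts_isolation("container-docker");
    if (r.rc != 0) {
        fprintf(stderr, "could not create a UTS namespace: %s\n", strerror(-r.rc));
        return 1;
    }
    printf("host before        : %s\n", before);
    printf("inside new UTS ns  : %s\n", r.child_seen);
    printf("host after         : %s\n", r.parent_seen);
    return 0;
}
```

Run it as root (or as an ordinary user on a system that permits unprivileged user namespaces) and the three lines show the same picture as the hostname commands above: the new namespace reports container-docker while the host keeps its original name. Inside a container whose seccomp profile blocks unshare, the call fails with EPERM and the program says so instead of silently pretending to have isolated anything.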

Docker principle verification

1. Create and run a Docker container with docker run:

[root@VM-4-14-centos ~]# docker run -d --name test-nginx --hostname docker-nginx nginx
0fd5ec42923553ec2600c51ef4f119e4025ebf5adf13561b0e847cd816f332b7
[root@VM-4-14-centos ~]# docker exec -it 0fd sh
# hostname
docker-nginx

--hostname sets the hostname of the Docker container. Above we specified --hostname docker-nginx, entered the container with the docker exec command, and ran hostname, which confirms that the container's hostname was set correctly.

2. View the host PID corresponding to the newly created Docker container:

[root@VM-4-14-centos ~]# docker inspect -f '{{.State.Pid}}' test-nginx
29424

Alternatively, you can view the Namespace information of the Docker container we just created with the lsns command:

[screenshot: lsns output on the host showing the namespaces of the test-nginx container]

3. From a shell on the host machine, use the nsenter command to enter the same Namespaces as the Docker container:

[root@VM-4-14-centos ~]# nsenter -t 29424 -u -n

Explanation:

  1. -t: specify the PID of the target process whose namespaces are entered, i.e. the PID of the Docker container on the host machine;
  2. -u: enter the UTS namespace;
  3. -n: enter the network namespace.

nsenter: a command that runs a specified program in the namespaces of a specified process.

Many images do not have bash inside, so docker exec cannot get a bash shell in the container. If you want to inspect the container's state in that situation, you only need a way to join the container's namespaces, and nsenter does exactly that: after starting, it joins the specified namespaces and then execs the program we specify (usually bash).

This command is commonly used for container network debugging. For example, in containers that lack network debugging tools (ip address, ping, telnet, ss, tcpdump), you can use the host's commands to debug network connectivity inside the container.

4. Use hostname and ip addr to verify that we are now in the same UTS Namespace and Network Namespace as the Docker container:

[root@docker-nginx ~]# hostname
docker-nginx
[root@docker-nginx ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
40: eth0@if41: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:07 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.7/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
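Both lsns and nsenter work from the same kernel interface: every process exposes its namespaces as the symlinks /proc/<pid>/ns/uts, /proc/<pid>/ns/net and so on, and two processes are in the same namespace exactly when those links resolve to the same inode (the number lsns prints in its NS column). The program below is an added example, not code from the original article, and its function names (ns_inode, same_namespace, shared_namespaces) and the NS_KINDS table are its own. Given the PID obtained from docker inspect, it reports for each namespace kind whether the container is isolated from, or shares, the namespace of the host process running the check; a container started with --uts=host or --net=host shows up as SHARED, which is the kind of misconfiguration a host audit wants to catch. It generalizes the page's uts/net case to all six common namespace kinds.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* One bit per namespace kind, in the same order as NS_KINDS below (names are this example's own). */
enum { NS_UTS = 1, NS_NET = 2, NS_PID = 4, NS_MNT = 8, NS_IPC = 16, NS_USER = 32 };
static const char *const NS_KINDS[] = { "uts", "net", "pid", "mnt", "ipc", "user" };
#define NS_COUNT (sizeof NS_KINDS / sizeof NS_KINDS[0])

/* Identify the namespace of kind `kind` that `pid` lives in through the inode
 * of /proc/<pid>/ns/<kind>; this is the number lsns shows in its NS column.
 * Returns 0 and fills *ino, or -errno (ENOENT: no such pid; EACCES: the caller
 * lacks ptrace read access to that process, e.g. a non-root user probing pid 1). */
int ns_inode(pid_t pid, const char *kind, ino_t *ino) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, kind);
    if (stat(path, &st) != 0) return -errno;
    *ino = st.st_ino;
    return 0;
}

/* 1 if both processes share the namespace, 0 if not, -errno if either could not be read. */
int same_namespace(pid_t a, pid_t b, const char *kind) {
    ino_t ia, ib;
    int rc;
    if ((rc = ns_inode(a, kind, &ia)) != 0) return rc;
    if ((rc = ns_inode(b, kind, &ib)) != 0) return rc;
    return ia == ib ? 1 : 0;
}

/* Bitmask (NS_UTS | NS_NET | ...) of the namespace kinds that `a` and `b` share.
 * Kinds that cannot be read for either process are left unset. */
unsigned shared_namespaces(pid_t a, pid_t b) {
    unsigned mask = 0;
    for (size_t i = 0; i < NS_COUNT; i++)
        if (same_namespace(a, b, NS_KINDS[i]) == 1) mask |= 1u << i;
    return mask;
}

/* Usage (on the host): ./nscheck <container-pid>, with the PID from docker inspect.
 * The calling process stands in for "the host" in the comparison, so run it
 * from a normal host shell, not from inside another container. */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 2; }
    pid_t target = (pid_t)atoi(argv[1]);
    for (size_t i = 0; i < NS_COUNT; i++) {
        ino_t ino;
        int rc = ns_inode(target, NS_KINDS[i], &ino);
        if (rc != 0) { printf("%-5s unreadable (%s)\n", NS_KINDS[i], strerror(-rc)); continue; }
        printf("%-5s ns %lu  %s\n", NS_KINDS[i], (unsigned long)ino,
               same_namespace(getpid(), target, NS_KINDS[i]) == 1 ? "SHARED with host" : "isolated");
    }
    return 0;
}
```

For the test-nginx container above, run against PID 29424 from the host, uts and net are expected to print as isolated; the user namespace prints as SHARED because Docker does not enable user namespaces by default, which is the normal, expected result rather than a finding.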

Origin blog.csdn.net/god_86/article/details/129786484