[Cloud native • Docker] Docker core UTS Namespace principle practice
Docker's three core pillar technologies are Namespace, Cgroups and UnionFS. This section uses UTS Namespace as a simple practical case to give a more intuitive understanding of the Namespace resource isolation technology.
UTS Namespace
It is mainly used to isolate hostnames and domain names, so that each UTS Namespace can have an independent hostname. For example, our host's hostname is VM-4-14-centos, while the hostname in the container's UTS Namespace can be container-docker or any other custom hostname.
UTS Namespace case practice
Before proceeding with the UTS Namespace case practice, let's first understand a key command: unshare, which runs a program with some namespaces unshared from the parent.
root@node3:~# unshare --help
Usage:
 unshare [options] <program> [<argument>...]
Run a program with some namespaces unshared from the parent.
Options:
 -h, --help                 显示帮助文本并退出。
 -i, --ipc                  取消共享IPC名称空间。
 -m, --mount                取消共享安装名称空间。
 -n, --net                  取消共享网络名称空间。
 -p, --pid                  取消共享pid名称空间。另请参见--fork和--mount-proc选项。
 -u, --uts                  取消共享UTS名称空间。
 -U, --user                 取消共享用户名称空间。
 -f, --fork                 将指定程序fork为取消共享的子进程,而不是直接运行它。这在创建新的pid命名空间时很有用。
 --mount-proc[=mountpoint]  在运行程序之前,将proc文件系统挂载到mountpoint(默认为/proc)。这在创建新的pid名称空间时很有用。这也意味着创建一个新的挂载名称空间,因为/proc挂载否则会破坏系统上的现有程序。新的proc文件系统显式安装为私有文件(由MS_PRIVATE | MS_REC)。
 -r, --map-root-user        仅在当前有效的用户和组ID已映射到新创建的用户名称空间中的超级用户UID和GID之后,才运行该程序。这样即使在没有特权的情况下运行,也可以方便地获得管理新创建的名称空间各个方面所需的功能(例如,在网络名称空间中配置接口或在安装名称空间中安装文件系统)。仅作为一项便利功能,它不支持更复杂的用例,例如映射多个范围的UID和GID。
We use an example to verify the role of UTS Namespace.
1. First, use the unshare command to create a UTS Namespace:
# unshare --uts --fork /bin/bash
After it is created, list the namespace information with lsns in a shell on the host machine, and you will find that the last entry is the uts namespace we just created using unshare.
2. Go back to the shell in the uts namespace from the previous step and use the hostname command to set the hostname:
[root@VM-4-14-centos ~]# hostname
VM-4-14-centos
[root@VM-4-14-centos ~]# hostname -b container-docker
[root@VM-4-14-centos ~]# hostname
container-docker
From the output of the above commands, we can see that the hostname in the current UTS Namespace has been changed to container-docker.
3. Go back to the shell on the host machine and check the host's hostname:
[root@VM-4-14-centos ~]# hostname
VM-4-14-centos
It can be seen that the hostname of the host is still VM-4-14-centos and has not been modified. This is how UTS Namespace technology realizes hostname isolation.
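The three steps above, taken down to the system calls the shell commands wrap: the C program below is an added example (not from the original article) that does what `unshare --uts --fork /bin/bash` followed by `hostname container-docker` does, and then checks from the parent that the host's own name is untouched. It is written to run where the article's commands cannot: if unshare(CLONE_NEWUTS) is refused for lack of CAP_SYS_ADMIN it retries with a user namespace as well, which is how an unprivileged user obtains that capability over namespaces of its own, and if even that is refused (unprivileged user namespaces disabled, or a seccomp policy such as Docker's default profile answering unshare with EPERM) it reports the denial instead of failing. The hostname container-docker is the example's constructed value, and enter_new_uts_ns, demo_uts_isolation, uts_demo_check and the uts_report fields are the example's own names, not anything from util-linux or Docker.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* unshare(2) and CLONE_NEW* are GNU extensions in <sched.h>; defined and declared here too
 * so the example builds whatever feature macros the toolchain defaults to. */
#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS  0x04000000
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);
int sethostname(const char *name, size_t len);

#define DEMO_HOSTNAME "container-docker" /* constructed value: the name the child gives itself */

enum uts_result {
    UTS_ISOLATED = 0, /* child got a fresh UTS namespace and renamed itself */
    UTS_DENIED   = 1, /* kernel or sandbox refused to create one (EPERM) */
    UTS_ERROR    = 2  /* any other failure */
};

struct uts_report {
    int  status, err;       /* enum uts_result, and errno of the failing call (0 if none) */
    char child_name[65];    /* hostname the child saw after sethostname() */
    char parent_before[65]; /* the host's hostname before the child ran */
    char parent_after[65];  /* the host's hostname after the child finished */
};

/* Like `unshare --uts`: first with the caller's own privileges (needs CAP_SYS_ADMIN), then
 * together with a user namespace, which is how an unprivileged user gets CAP_SYS_ADMIN over
 * the namespaces it creates itself. */
static int enter_new_uts_ns(void)
{
    if (unshare(CLONE_NEWUTS) == 0)
        return 0;
    return (errno == EPERM) ? unshare(CLONE_NEWUSER | CLONE_NEWUTS) : -1;
}

/* The `unshare --uts --fork` experiment as code: fork, move the child into its own UTS
 * namespace, rename it there, and collect what each side sees. Returns 0 on success. */
int demo_uts_isolation(struct uts_report *rep)
{
    int fd[2];
    pid_t pid;
    struct uts_report r;
    memset(rep, 0, sizeof *rep);
    gethostname(rep->parent_before, sizeof rep->parent_before - 1);
    if (pipe(fd) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        memset(&r, 0, sizeof r);
        close(fd[0]);
        if (enter_new_uts_ns() != 0)
            r.status = (errno == EPERM) ? UTS_DENIED : UTS_ERROR;
        else if (sethostname(DEMO_HOSTNAME, strlen(DEMO_HOSTNAME)) != 0)
            r.status = UTS_ERROR;
        else {
            r.status = UTS_ISOLATED;
            gethostname(r.child_name, sizeof r.child_name - 1);
        }
        r.err = (r.status == UTS_ISOLATED) ? 0 : errno;
        _exit(write(fd[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], &r, sizeof r);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n == 0)                 /* no answer at all: a seccomp kill on unshare() ends the child first */
        rep->status = UTS_DENIED;
    else if (n != (ssize_t)sizeof r)
        return -1;
    else {
        rep->status = r.status;
        rep->err = r.err;
        memcpy(rep->child_name, r.child_name, sizeof r.child_name);
    }
    gethostname(rep->parent_after, sizeof rep->parent_after - 1);
    return 0;
}

/* Run the demo and return its status, or -1 if the isolation guarantee was broken: the host's
 * name must be untouched, and a child reporting success must really be running under
 * DEMO_HOSTNAME. */
int uts_demo_check(void)
{
    struct uts_report rep;
    if (demo_uts_isolation(&rep) != 0 || strcmp(rep.parent_before, rep.parent_after) != 0)
        return -1;
    if (rep.status == UTS_ISOLATED && strcmp(rep.child_name, DEMO_HOSTNAME) != 0)
        return -1;
    return rep.status;
}
```

uts_demo_check() returns 0 when the child really did get its own UTS namespace, 1 when the environment refused, 2 on any other error, and -1 only if the isolation property itself was violated (the parent's hostname changed, or the child did not see the name it set). A small main that calls demo_uts_isolation() and prints the filled-in uts_report is all that is needed to run it by hand; parent_before and parent_after staying equal is exactly what step 3 above checked with the hostname command.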
Docker principle verification
1. Create and run a Docker container using docker run:
[root@VM-4-14-centos ~]# docker run -d --name test-nginx --hostname docker-nginx nginx
0fd5ec42923553ec2600c51ef4f119e4025ebf5adf13561b0e847cd816f332b7
[root@VM-4-14-centos ~]# docker exec -it 0fd sh
# hostname
docker-nginx
--hostname specifies the hostname of the Docker container; above we specified --hostname docker-nginx. Entering the container through the docker exec command and running hostname shows that the hostname of the Docker container has been set correctly.
2. View the PID on the host machine that corresponds to the newly created Docker container:
[root@VM-4-14-centos ~]# docker inspect -f {{.State.Pid}} test-nginx
29424
Or you can also view the Namespace information of the Docker container we just created through the lsns command.
3. Use the nsenter command in a shell on the host machine to enter the same Namespaces as the Docker container:
[root@VM-4-14-centos ~]# nsenter -t 29424 -u -n
Explanation:
- -t: specify the PID of the target process whose namespaces are to be entered, that is, the PID of the Docker container's process on the host machine;
- -u: enter the uts namespace;
- -n: enter the net namespace.
nsenter: a command that runs a specified program in the namespaces of a specified process.
Many images do not have bash inside, so docker exec cannot enter the container. If you want to check the situation inside the container at this point, you only need to find a way to join the namespaces that correspond to the container, and the nsenter tool does exactly that: after it starts, it adds itself to the specified namespaces and then exec's the program we specify (usually bash).
This command is often useful in container network debugging. For example, for containers that lack network debugging tools (ip address, ping, telnet, ss, tcpdump), the commands on the host machine can be used to debug the network connectivity inside the container.
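What nsenter -t <pid> -u does under the hood, as an added C example that is not part of the original article: open /proc/<pid>/ns/uts of the target and call setns(2) on it, after which gethostname() in the calling process returns the target's name. Because the example has to run on its own, it builds a stand-in for the container: a helper process detaches its UTS namespace and names itself docker-nginx (a constructed value), and a child of that helper then joins it the way nsenter would. The helper first tries unshare(CLONE_NEWUSER), the equivalent of unshare -U, so that an unprivileged user can create and later join the namespace; setns() demands CAP_SYS_ADMIN in the user namespace that owns the target namespace, which is why the joiner is forked inside that same user namespace. join_uts_of, scenario, demo_nsenter and the join_report type are the example's own names. A refusal (seccomp, user namespaces disabled, no CAP_SYS_ADMIN) is reported as a status rather than treated as a bug.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* setns(2), unshare(2) and CLONE_NEW* are GNU extensions in <sched.h>; defined/declared here too. */
#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS  0x04000000
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);
int setns(int fd, int nstype);
int sethostname(const char *name, size_t len);

#define TARGET_NAME "docker-nginx" /* constructed value: the name the stand-in "container" sets */

enum join_result {
    JOIN_OK     = 0, /* joined the target's UTS namespace and read its hostname */
    JOIN_DENIED = 1, /* namespace creation or setns() refused by the kernel or a sandbox */
    JOIN_ERROR  = 2  /* any other failure */
};
struct join_report { int status; char joined_name[65]; }; /* status plus what the joiner saw */

/* What `nsenter -t <pid> -u` does: open the target's UTS handle under /proc and setns() into it. */
static int join_uts_of(pid_t target)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/uts", (int)target);
    int fd = open(path, O_RDONLY);
    int rc = (fd < 0) ? -1 : setns(fd, CLONE_NEWUTS);
    if (fd >= 0) close(fd);
    return rc;
}

/* Helper child (keeps the caller's namespaces untouched): becomes the "container" with its own
 * UTS namespace and name, while its child plays nsenter against it. */
static void scenario(int report_fd)
{
    struct join_report r = { JOIN_DENIED, "" };
    int ready[2];
    char state;

    /* `unshare -U`: lets an unprivileged caller create and join the namespaces made next;
     * root does not need it, so a refusal here is deliberately ignored. */
    unshare(CLONE_NEWUSER);
    if (pipe(ready) != 0)
        _exit(1);
    pid_t joiner = fork();
    if (joiner == 0) {
        /* the joiner: wait for the parent's namespace, then `nsenter -t <ppid> -u hostname` */
        close(ready[1]);
        if (read(ready[0], &state, 1) != 1) /* parent died before answering (e.g. seccomp SIGSYS) */
            state = JOIN_DENIED;
        r.status = state;
        if (state == JOIN_OK) {
            if (join_uts_of(getppid()) == 0)
                gethostname(r.joined_name, sizeof r.joined_name - 1);
            else
                r.status = (errno == EPERM || errno == EACCES) ? JOIN_DENIED : JOIN_ERROR;
        }
        _exit(write(report_fd, &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    /* the "container": detach its UTS namespace, rename itself, then let the joiner in */
    close(ready[0]);
    if (unshare(CLONE_NEWUTS) == 0 && sethostname(TARGET_NAME, strlen(TARGET_NAME)) == 0)
        state = JOIN_OK;
    else
        state = (errno == EPERM) ? JOIN_DENIED : JOIN_ERROR;
    if (joiner > 0 && write(ready[1], &state, 1) == 1)
        waitpid(joiner, NULL, 0); /* stay alive until the joiner has looked around */
    _exit(0);
}

/* Run the scenario; returns its status (enum join_result), or -1 if a join that claimed success
 * did not show the target's name. joined_name (65 bytes, or NULL) receives what the joiner saw. */
int demo_nsenter(char *joined_name)
{
    int fd[2];
    pid_t pid;
    struct join_report r = { JOIN_DENIED, "" };
    if (pipe(fd) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) { close(fd[0]); scenario(fd[1]); }
    close(fd[1]);
    ssize_t n = read(fd[0], &r, sizeof r); /* 0 bytes: the helper died silently, reported as a denial */
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n != 0 && n != (ssize_t)sizeof r)
        return -1;
    if (joined_name)
        memcpy(joined_name, r.joined_name, sizeof r.joined_name);
    if (r.status == JOIN_OK && strcmp(r.joined_name, TARGET_NAME) != 0)
        return -1;
    return r.status;
}
```

demo_nsenter(name) returns 0 when the joiner saw docker-nginx, 1 when the environment refused, 2 on other errors, and -1 only when a join that claimed success did not show the target's name. A main that calls it and prints the status and name is all that is needed to run it stand-alone. The same open-and-setns sequence on /proc/<pid>/ns/net is what the -n flag above does, and the CAP_SYS_ADMIN check inside setns() is why nsenter against a container is normally run as root on the host.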
4. Use hostname and ip addr to verify that we are now in the same UTS Namespace and Network Namespace as the Docker container:
[root@docker-nginx ~]# hostname
docker-nginx
[root@docker-nginx ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
40: eth0@if41: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:07 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.7/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever