Hacker Public Radio

Your ideas, projects, opinions - podcasted.

New episodes Monday through Friday.


HPR2934: Server Basics 106: Namespaces and containers

Hosted by Klaatu on 2019-10-31 00:00:00
Download or Listen

Namespaces provide context and constraints for processes on a Linux system. They are utilised by the infrastructure of "the cloud" to create distinct "containers", in which processes may run without awareness of the system they are actually running upon.


// prove you are not running some process

$ pidof tcsh
// nothing

$ sudo pidof tcsh
// nothing

// launch tcsh in a new namespace with unshare:

$ sudo unshare --fork --pid --mount-proc tcsh

// from within that session:

# pidof tcsh
1

// wait what??
// yes tcsh is the first pid of its own namespace

// from another term
$ ps 1
init

$ pidof tcsh
26814

// from inside the namespace, pid is seen as 1
// from outside, pid is normal

$ ps tree | less
// search for tcsh

// See evidence of namespaces:

$ ls /proc/*/ns

$ ls /proc/26814/ns
ipc net pid user uts [...]

To see this in action for a slightly more pragmatic purpose, you can use the lxc command. The LXC system uses namespaces and cgroups to create functional containers that act, more or less, like a Virtual Machine, except that they are built in containers so that they do not have to emulate hardware.

If your system doesn't have LXC installed, first install it:


$ sudo dnf install lxc lxc-templates lxc-doc

// on Ubuntu or Debian:

$ apt install lxc

You also need to create a network bridge so that your container and your host system (that's the computer you're sitting in front of right now) can communicate.


$ sudo ip link add br0 type bridge
$ sudo ip addr show br0
7: br0: <BROADCAST,MULTICAST> mtu 1500 qdisc
   noop state DOWN group default qlen 1000
   link/ether 26:fa:21:5f:cf:99 brd ff:ff:ff:ff:ff:ff

Now give your bridge device an IP address that doesn't conflict with any existing IP address on your network:


$ sudo ip addr add 192.168.168.168 dev br0
$ sudo ip link set br0 up

Create a configuration for your container. You can base this on the samples provided by lxc (located in /usr/share/docs/lxc or similar). Everything but veth, br0, and up is arbitrary. You can make up all the values.


lxc.utsname = hackerpublicradio
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = 4a:49:43:49:79:bd
lxc.network.ipv4 = 192.168.168.1/24
lxc.network.ipv6 = 2003:db8:1:0:214:c0ff:ee0b:3596

Now install an OS into your container. OS templates are provided by LXC in /usr/share/doc/lxc/templates or a similar location.


$ ls -m /usr/share/lxc/templates/
lxc-alpine, lxc-altlinux, lxc-archlinux, lxc-busybox, lxc-centos [...]

Choose a template and install. I use Alpine in the recorded show, because it's supposed to be really small. I don't necessarily recommend Alpine. I recommend Slackware, of course.


$ sudo lxc-create --name slackware --template slackware

Once the install is done, start your container:


$ sudo lxc-start --name slackware
--rcfile ~/mycontainer.conf

Now attach to the container:


$ sudo lxc-attach --name slackware
#

Run a command.


# uname -av
Linux hackerpublicradio 5.3.0.x86_64 #1 SMP Wed Oct 10 18:34:01 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

This is the technology that Docker and OCI projects use to create containers. And when a bunch of containers start swarming around on a bunch of hosts, you eventually end up with a cloud. How do you manage all of these things? That will be the topic for the next entry in this series, I'll bet.

Comments



More Information...


Copyright Information

Unless otherwise stated, our shows are released under a Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license.

The HPR Website Design is released to the Public Domain.