Linux Namespaces

Starting from kernel 2.6.24, there are 6 different types of Linux namespaces. Namespaces are useful in isolating processes from the rest of the system, without needing to use full low level virtualization technology. CLONE_NEWIPC: IPC Namespaces: SystemV IPC and POSIX Message Queues can be isolated. CLONE_NEWPID: PID Namespaces: PIDs are isolated, meaning that a PID inside of the namespace can conflict with a PID outside of the namespace. PIDs inside the namespace will be mapped to other PIDs outside of the namespace. The first PID inside the namespace will be ‘1’ which outside of the namespace is assigned to init CLONE_NEWNET: Network Namespaces: Networking (/proc/net, IPs, interfaces and routes) are isolated. Services can be run on the same ports within namespaces, and “duplicate” virtual interfaces can be created. CLONE_NEWNS: Mount Namespaces. We have the ability to isolate mount points as they appear to processes. Using mount namespaces, we can achieve similar functionality to chroot() however with improved security. CLONE_NEWUTS: UTS Namespaces. This namespaces primary purpose is to isolate the hostname and NIS name. CLONE_NEWUSER: User Namespaces. Here, user and group IDs are different inside and outside of namespaces and can be duplicated. Let’s look first at the structure of a C program, required to demonstrate process namespaces. The following has been tested on Debian 6 and 7. First, we need to allocate a page of memory on the stack, and set a pointer to the end of that memory page. We use alloca to allocate stack memory rather than malloc which would allocate memory on the heap. void *mem = alloca(sysconf(_SC_PAGESIZE)) + sysconf(_SC_PAGESIZE); Next, we use clone to create a child process, passing the location of our child stack ‘mem’, as well as the required flags to specify a new namespace. We specify ‘callee’ as the function to execute within the child space: mypid = clone(callee, mem, SIGCHLD | CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNS | CLONE_FILES, NULL); After calling clone we then wait for the child process to finish, before terminating the parent. If not, the parent execution flow will continue and terminate immediately after, clearing up the child with it: while (waitpid(mypid, &r, 0) < 0 && errno == EINTR) { continue; } Lastly, we’ll return to the shell with the exit code of the child: if (WIFEXITED(r)) { return WEXITSTATUS(r); } return EXIT_FAILURE; Now, let’s look at the callee function: static int callee() { int ret; mount("proc", "/proc", "proc", 0, ""); setgid(u); setgroups(0, NULL); setuid(u); ret = execl("/bin/bash", "/bin/bash", NULL); return ret; } Here, we mount a /proc filesystem, and then set the uid (User ID) and gid (Group ID) to the value of ‘u’ before spawning the /bin/bash shell. […]

By | November 23rd, 2014|BASH, C/C++, Linux, Networking, Security Consultant|1 Comment

Debian Wheezy Xen + Guest Howto

Xen is usually my go to virtualization technology for Linux. Here’s a HOWTO on setting up Xen on Debian Wheezy and the first guest virtual machine. First step is getting the required packages: apt-get install xen-linux-system xen-tools xen-utils-4.1 xen-utils-common xenstore-utils xenwatch Now, we’ll need to specify the Xen kernel as the default boot kernel on the host, and then reboot: […]

By | October 8th, 2014|Linux, Networking, VPS|0 Comments

Linux virtualization, vmware, xen, hosting, and squeezing the most out of your resources

I’d guess that 90% of hosting providers ‘oversell’. This essentially means that should they have 1,000GB allocated, they might offer 15 packages of 100Gb to 15 of their customers, banking on the fact that no one will fully use their 100GB allocation – Selling 5 Virtual Machines with 256MB RAM on a 1GB host, assuming that no one will use their full RAM allocation. This is bad, because you’ll generally be able to confirm that you’ve been allocated the resources, but nonetheless benchmark tests will show that you’re just not getting them, and your environment will be sluggish and unresponsive. This is the same as airlines selling 110 seats on a 100 seat plane. When that 101st paying customer does show up to claim his seat, he’s stuck without a flight. The general consensus is that a VPS is a cheaper and lower-grade option than a dedicated service, however VPSs have a number of indisputable advantages over dedicated servers and I’m going to discuss why almost all the dedicated machines I manage are hosts for a range of VPSs. […]

By | September 14th, 2008|Hardware, Internetworking & Routing, Linux, Technology|1 Comment