lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <53F5315D.6090003@gmail.com>
Date:	Wed, 20 Aug 2014 18:38:05 -0500
From:	"Michael Kerrisk (man-pages)" <mtk.manpages@...il.com>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
CC:	mtk.manpages@...il.com, containers@...ts.linux-foundation.org,
	lkml <linux-kernel@...r.kernel.org>,
	"linux-man@...r.kernel.org" <linux-man@...r.kernel.org>,
	Andy Lutomirski <luto@...capital.net>,
	"Serge E. Hallyn" <serge@...lyn.com>, richard.weinberger@...il.com
Subject: For review: namespaces(7) man page

Hello Eric et al.

Here is the current draft of the namespaces(7) man page, which
gives an overview of namespaces and the namespaces API. The rendered
version is below, and the source is attached.

Review comments/suggestions for improvements / bug fixes welcome.

Cheers,

Michael

==

NAME
       namespaces - overview of Linux namespaces

DESCRIPTION
       A namespace wraps a global system resource in an abstraction that
       makes it appear to the processes within the namespace  that  they
       have their own isolated instance of the global resource.  Changes
       to the global resource are visible to other  processes  that  are
       members  of  the namespace, but are invisible to other processes.
       One use of namespaces is to implement containers.

       Linux provides the following namespaces:

       Namespace   Constant        Isolates
       IPC         CLONE_IPC       System V IPC, POSIX mesage queues
       Network     CLONE_NEWNET    Network devices, stacks, ports, etc.
       Mount       CLONE_NEWNS     Mount points
       PID         CLONE_NEWPID    Process IDs
       User        CLONE_NEWUSER   User and group IDs
       UTS         CLONE_NEWUTS    Hostname and NIS domain name

       This page describes the various  namespaces  and  the  associated
       /proc files, and summarizes the APIs for working with namespaces.

   The namespaces API
       As  well  as  various /proc files described below, the namespaces
       API includes the following system calls:

       clone(2)
              The clone(2) system call creates a new  process.   If  the
              flags  argument  of  the call specifies one or more of the
              CLONE_NEW* flags listed below,  then  new  namespaces  are
              created  for  each  flag,  and the child process is made a
              member of those namespaces.  (This system call also imple‐
              ments a number of features unrelated to namespaces.)

       setns(2)
              The  setns(2)  system  call  allows the calling process to
              join an existing namespace.   The  namespace  to  join  is
              specified  via a file descriptor that refers to one of the
              /proc/[pid]/ns files described below.

       unshare(2)
              The unshare(2) system call moves the calling process to  a
              new  namespace.   If the flags argument of the call speci‐
              fies one or more of the  CLONE_NEW*  flags  listed  below,
              then  new  namespaces  are  created for each flag, and the
              calling process is made  a  member  of  those  namespaces.
              (This  system  call  also  implements a number of features
              unrelated to namespaces.)

       Creation of new namespaces using clone(2) and unshare(2) in  most
       cases requires the CAP_SYS_ADMIN capability.  User namespaces are
       the exception: since Linux 3.8, no privilege is required to  cre‐
       ate a user namespace.

   The /proc/[pid]/ns/ directory
       Each  process  has  a /proc/[pid]/ns/ subdirectory containing one
       entry for each  namespace  that  supports  being  manipulated  by
       setns(2):

           $ ls -l /proc/$$/ns
           total 0
           lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 ipc -> ipc:[4026531839]
           lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 mnt -> mnt:[4026531840]
           lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 net -> net:[4026531956]
           lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 pid -> pid:[4026531836]
           lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 user -> user:[4026531837]
           lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 uts -> uts:[4026531838]

       Bind  mounting  (see mount(2)) one of the files in this directory
       to somewhere else  in  the  filesystem  keeps  the  corresponding
       namespace  of the process specified by pid alive even if all pro‐
       cesses currently in the namespace terminate.

       Opening one of the files in this directory (or  a  file  that  is
       bind mounted to one of these files) returns a file handle for the
       corresponding namespace of the process specified by pid.  As long
       as  this  file descriptor remains open, the namespace will remain
       alive, even if all processes in  the  namespace  terminate.   The
       file descriptor can be passed to setns(2).

       In Linux 3.7 and earlier, these files were visible as hard links.
       Since Linux 3.8, they appear as symbolic links.  If two processes
       are  in  the  same  namespace,  then  the  inode numbers of their
       /proc/[pid]/ns/xxx symbolic links will be the same;  an  applica‐
       tion  can  check  this  using  the  stat.st_ino field returned by
       stat(2).  The content of this symbolic link is a string  contain‐
       ing the namespace type and inode number as in the following exam‐
       ple:

           $ readlink /proc/$$/ns/uts
           uts:[4026531838]

       The files in this subdirectory are as follows:

       /proc/[pid]/ns/ipc (since Linux 3.0)
              This file is  a  handle  for  the  IPC  namespace  of  the
              process.

       /proc/[pid]/ns/mnt (since Linux 3.8)
              This  file  is  a  handle  for  the mount namespace of the
              process.

       /proc/[pid]/ns/net (since Linux 3.0)
              This file is a handle for the  network  namespace  of  the
              process.

       /proc/[pid]/ns/pid (since Linux 3.8)
              This  file  is  a  handle  for  the  PID  namespace of the
              process.

       /proc/[pid]/ns/user (since Linux 3.8)
              This file is a  handle  for  the  user  namespace  of  the
              process.

       /proc/[pid]/ns/uts (since Linux 3.0)
              This  file  is  a  handle  for  the  IPC  namespace of the
              process.

   IPC namespaces (CLONE_NEWIPC)
       IPC namespaces isolate certain IPC resources,  namely,  System  V
       IPC objects (see svipc(7)) and (since Linux 2.6.30) POSIX message
       queues (see mq_overview(7).  The common characteristic  of  these
       IPC  mechanisms  is that IPC objects are identified by mechanisms
       other than filesystem pathnames.

       Each IPC namespace has its own set of System  V  IPC  identifiers
       and  its  own POSIX message queue filesystem.  Objects created in
       an IPC namespace are visible to all other processes that are mem‐
       bers of that namespace, but are not visible to processes in other
       IPC namespaces.

       The following /proc interfaces are distinct in  each  IPC  names‐
       pace:

       *  The POSIX message queue interfaces in /proc/sys/fs/mqueue.

       *  The  System V IPC interfaces in /proc/sys/kernel, namely: msg‐
          max,  msgmnb,  msgmni,  sem,  shmall,  shmmax,   shmmni,   and
          shm_rmid_forced.

       *  The System V IPC interfaces in /proc/sysvipc.

       When  an  IPC namespace is destroyed (i.e., when the last process
       that is a member of the namespace terminates), all IPC objects in
       the namespace are automatically destroyed.

       Use  of  IPC namespaces requires a kernel that is configured with
       the CONFIG_IPC_NS option.

   Network namespaces (CLONE_NEWNET)
       Network namespaces provide  isolation  of  the  system  resources
       associated with networking: network devices, IPv4 and IPv6 proto‐
       col stacks, IP routing tables, firewalls,  the  /proc/net  direc‐
       tory,  the  /sys/class/net directory, port numbers (sockets), and
       so on.  A physical network device can live in exactly one network
       namespace.   A  virtual  network  device ("veth") pair provides a
       pipe-like abstraction that can be used to create tunnels  between
       network namespaces, and can be used to create a bridge to a phys‐
       ical network device in another namespace.

       When a network namespace is freed (i.e., when the last process in
       the namespace terminates), its physical network devices are moved
       back to the initial network namespace (not to the parent  of  the
       process).

       Use  of  network  namespaces requires a kernel that is configured
       with the CONFIG_NET_NS option.

   Mount namespaces (CLONE_NEWNS)
       Mount namespaces isolate the  set  of  filesystem  mount  points,
       meaning  that  processes  in  different mount namespaces can have
       different views of the filesystem hierarchy.  The set  of  mounts
       in a mount namespace is modified using mount(2) and umount(2).

       The  /proc/[pid]/mounts  file  (present since Linux 2.4.19) lists
       all the filesystems currently  mounted  in  the  process's  mount
       namespace.   The  format  of this file is documented in fstab(5).
       Since kernel version 2.6.15, this file is pollable: after opening
       the  file  for reading, a change in this file (i.e., a filesystem
       mount or unmount) causes select(2) to mark the file descriptor as
       readable,  and  poll(2) and epoll_wait(2) mark the file as having
       an error condition.

       The /proc/[pid]/mountstats  file  (present  since  Linux  2.6.17)
       exports information (statistics, configuration information) about
       the mount points in the process's mount namespace.  This file  is
       only  readable  by  the owner of the process.  Lines in this file
       have the form:

            device /dev/sda7 mounted on /home with fstype ext3 [statistics]
            (       1      )            ( 2 )             (3 ) (4)

              The fields in each line are:

              (1)  The name of the  mounted  device  (or  "nodevice"  if
                   there is no corresponding device).

              (2)  The mount point within the filesystem tree.

              (3)  The filesystem type.

              (4)  Optional  statistics  and  configuration information.
                   Currently (as at Linux 2.6.26), only NFS  filesystems
                   export information via this field.

   PID namespaces (CLONE_NEWPID)
       See pid_namespaces(7).

   User namespaces (CLONE_NEWUSER)
       See user_namespaces(7).

   UTS namespaces (CLONE_NEWUTS)
       UTS  namespaces  provide isolation of two system identifiers: the
       hostname and the NIS domain  name.   These  identifiers  are  set
       using  sethostname(2)  and setdomainname(2), and can be retrieved
       using uname(2), gethostname(2), and getdomainname(2).

       Use of UTS namespaces requires a kernel that is  configured  with
       the CONFIG_UTS_NS option.

CONFORMING TO
       Namespaces are a Linux-specific feature.

EXAMPLE
       See user_namespaces(7).

SEE ALSO
       nsenter(1),    readlink(1),   unshare(1),   clone(2),   setns(2),
       unshare(2), proc(5), credentials(7), capabilities(7),  pid_names‐
       paces(7), user_namespaces(7), switch_root(8)

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

Download attachment "namespaces.7" of type "application/x-troff-man" (11328 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ