Introduction
Layman's explanation
If you have experience creating Docker instances (containers), you will be aware that you can run multiple containers on the same Linux machine. But if one container becomes infected with malware, what happens to the other containers? Will it infect the other containers? Will it infect the host? Ideally it should not, and that is indeed the case: Docker isolates containers from one another.
Technical explanation
On a single-user computer, a single system environment may be fine. But on a server where you want to run multiple services, it is essential for security and stability that the services are isolated from each other as far as possible. Imagine a server running several services, one of which is compromised by an intruder. The intruder may be able to use that compromised service to work their way into the other services, and may even be able to compromise the entire server. Namespace isolation can provide an environment in which this risk is eliminated.
Process level isolation
Processes running in a container should not interfere with another container's processes.
Network Isolation
Each container should have its own isolated network stack: interfaces, routing table and firewall policies.
Mount point isolation
Each container should have its own mount points, which should be neither accessible nor visible to other containers.
Resource usage restriction
The host CPU is shared by all containers, and that sharing should be fair: one container should not over-use the CPU and degrade performance for the others. The same requirement applies to the other shared resources (memory, disk I/O, network).
Namespace   What it isolates
ipc         Inter-process communication (IPC)
mnt         Mount points
net         Network
pid         Process IDs
user        User and group IDs
uts         Hostname
Ref: https://windsock.io/uts-namespace/
https://en.wikipedia.org/wiki/Linux_namespaces#Mount_(mnt)
Example: the namespaces of a process running inside a container
root@ubuntu:~# readlink /proc/20133/task/*/ns/* | sort -u
cgroup:[4026531835]
ipc:[4026532421]
mnt:[4026532419]
net:[4026532424]
pid:[4026532422]
user:[4026531837]
uts:[4026532420]
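Each link above has the form type:[inode], and two processes are in the same namespace of a given type exactly when their inode numbers match. The following script, an added example that is not part of the original post, parses such links, can read them from /proc/<pid>/ns on a live Linux host (read_proc_ns), and reports which namespaces a container process shares with a host process; the container values are taken from the readlink output above, while the host process values and the host-network variant are constructed sample data.

```python
import os
import re

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")
# Types Docker gives each container by default; user and cgroup normally stay shared.
EXPECTED_PRIVATE = ("ipc", "mnt", "net", "pid", "uts")
NS_LINK_RE = re.compile(r"^(\w+):\[(\d+)\]$")

def parse_ns_links(links):
    """Turn readlink output such as 'net:[4026532424]' into {type: inode}.
    Two processes share a namespace of a type iff these inodes are equal."""
    ns = {}
    for link in links:
        m = NS_LINK_RE.match(link.strip())
        if m is None:
            raise ValueError(f"not a namespace link: {link!r}")
        ns[m.group(1)] = int(m.group(2))
    return ns

def read_proc_ns(pid):
    """Read /proc/<pid>/ns/* of a live process (Linux only; needs permission)."""
    links = [os.readlink(f"/proc/{pid}/ns/{n}") for n in NS_TYPES
             if os.path.exists(f"/proc/{pid}/ns/{n}")]
    return parse_ns_links(links)

def shared_namespaces(a, b):
    """Namespace types in which both processes have the same inode."""
    return sorted(t for t in a if t in b and a[t] == b[t])

def isolation_gaps(container_ns, host_ns):
    """Namespaces a container should own but actually shares with the host."""
    shared = set(shared_namespaces(container_ns, host_ns))
    return [t for t in EXPECTED_PRIVATE if t in shared]

# Constructed sample: the container process from the readlink output above, and a
# made-up host process whose cgroup and user inodes match it (Docker's default).
CONTAINER = parse_ns_links([
    "cgroup:[4026531835]", "ipc:[4026532421]", "mnt:[4026532419]",
    "net:[4026532424]", "pid:[4026532422]", "user:[4026531837]", "uts:[4026532420]",
])
HOST = parse_ns_links([
    "cgroup:[4026531835]", "ipc:[4026531839]", "mnt:[4026531840]",
    "net:[4026531992]", "pid:[4026531836]", "user:[4026531837]", "uts:[4026531838]",
])
# Same container but attached to the host's network namespace (constructed).
HOST_NET_CONTAINER = dict(CONTAINER, net=HOST["net"])

if __name__ == "__main__":
    print("shared with host:", shared_namespaces(CONTAINER, HOST))      # ['cgroup', 'user']
    print("isolation gaps:", isolation_gaps(HOST_NET_CONTAINER, HOST))  # ['net']
```

On a real host, compare read_proc_ns(1) with read_proc_ns(<container pid>) to check the same thing for a running container.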
Ref (Docker resource constraints): https://docs.docker.com/engine/admin/resource_constraints/#--memory-swappiness-details
Where else Linux namespaces are used
Recently, there has been a growing number of programming contest and “hackathon” platforms, such as HackerRank, TopCoder, Codeforces, and many more. A lot of them utilize automated pipelines to run and validate programs that are submitted by the contestants. It is often impossible to know in advance the true nature of contestants’ programs, and some may even contain malicious elements. By running these programs namespaced in complete isolation from the rest of the system, the software can be tested and validated without putting the rest of the machine at risk. Similarly, online continuous integration services, such as Drone.io, automatically fetch your code repository and execute the test scripts on their own servers. Again, namespace isolation is what makes it possible to provide these services safely.
Reference
https://www.toptal.com/linux/separation-anxiety-isolating-your-system-with-linux-namespaces
http://man7.org/linux/man-pages/man7/namespaces.7.html
https://www.youtube.com/watch?v=UywECF0h3eg&index=6&list=PLkA60AVN3hh-2UPoaft7u7ofKW2mLoAWB