Linux Container, Namespace & CGroup
A simple way to set up a safe environment for application control & execution.
By Neeraj Shrimali, posted 15-Apr-2017 (upload: neeraj-shrimali), category: Engineering

TRANSCRIPT

Page 1: Linux container, namespaces & CGroup

Linux Container, Namespace & CGroup
A simple way to set up a safe environment for application control & execution.

By Neeraj Shrimali

Page 2: Linux container, namespaces & CGroup

What is a Virtual Machine

• A virtual machine is a complete guest operating system installed on software that imitates dedicated hardware.
• A specialized piece of software, the hypervisor, virtualizes the PC's CPU, memory, disk, network and other resources, so that several virtual machines can share the same physical hardware while each one runs its own kernel.

Page 3: Linux container, namespaces & CGroup

Linux Application Execution Model

• Every application that runs on a Linux machine uses key OS and hardware resources: CPU time, memory, I/O devices and scheduling priority.

• By default Linux arbitrates these with its own policies (fair time-sharing through the Completely Fair Scheduler for normal tasks, round-robin and FIFO policies reserved for real-time tasks, demand paging for memory), and every process competes on equal terms.

• Sometimes an application needs special or guaranteed access, or a provision that stops other applications from disturbing it; and several applications may need a consistent, constrained view of the OS, which brings security benefits as well.

Threats:
• An intruder program can reach OS utilities and interfaces it should not, corrupt the entire OS and cause trouble for fellow applications.
• A malicious (or merely buggy) application can hog the CPU or other resources and starve other applications.
• One particular application may need guaranteed access to resources, or a ceiling on the resources it may consume.
• Hackathon example

The solution is smart ISOLATION: a hidden & safe way to share the OS among applications.

Page 4: Linux container, namespaces & CGroup

Solution

• Namespace: gives each process its own view of the system.
• Cgroup: groups OS resources and puts usage/access limits on every process in the group.
• Containers: often described as lightweight VMs. An operating-system-level virtualization method for running multiple isolated systems (containers) on a single control host (Container = Namespace + Cgroup + xyz).

Page 5: Linux container, namespaces & CGroup

Namespace

Process (PID) Namespace
With the introduction of Linux namespaces it became possible to have multiple nested process trees. Each process tree holds an entirely isolated set of processes, so processes belonging to one tree cannot inspect, signal or kill processes in sibling or parent trees; they cannot even learn that those processes exist. With PID namespace isolation, processes in the child namespace have no way of knowing about processes in the parent namespace. Processes in the parent namespace, however, have a complete view of the processes in the child namespace: each child process also carries a PID in the parent's numbering and appears there like any other process, so the parent can monitor and kill it. The isolation is one-directional.

Page 6: Linux container, namespaces & CGroup

Namespace

• Network Namespace
• Mount Namespace
• Other namespaces: IPC, UTS, User, etc.

• Moving between namespaces: clone() with CLONE_NEW* flags starts a child in new namespaces, unshare() moves the calling process itself into new namespaces, and setns() joins an existing namespace through a file descriptor opened on /proc/PID/ns/* (this is what nsenter and docker exec use). There is no cross-namespace communication API as such: a process can only see and touch the namespaces it is a member of, or enter one it has the privilege to open.

Page 7: Linux container, namespaces & CGroup

How

• CLONE_NEWIPC: IPC namespaces. System V IPC objects and POSIX message queues are isolated.

• CLONE_NEWPID: PID namespaces. PIDs are isolated: a process's PID inside the namespace is independent of (and may numerically collide with) PIDs outside it. Every process in the namespace also has a PID in each ancestor namespace, which is how the parent sees it. The first process in the new namespace gets PID 1 and plays the role of init for that namespace: it must reap orphans, and if it exits the kernel kills every other process in the namespace.

• CLONE_NEWNET: network namespaces. Networking state (/proc/net, IP addresses, interfaces, routing tables, netfilter rules, sockets) is isolated. Services can bind the same ports in different namespaces, and "duplicate" virtual interfaces (e.g. veth pairs) can be created.

• CLONE_NEWNS: mount namespaces. The set of mount points a process sees can be isolated. Combined with pivot_root(), this achieves what chroot() does with stronger isolation (a process holding CAP_SYS_CHROOT can break out of a plain chroot).

• CLONE_NEWUTS: UTS namespaces. This namespace's primary purpose is to isolate the hostname and the NIS domain name.

• CLONE_NEWUSER: user namespaces. User and group IDs are mapped between inside and outside (via /proc/PID/uid_map and /proc/PID/gid_map), so a process can be UID 0 with full capabilities inside the namespace while being an unprivileged user outside. This is also what allows an unprivileged user to create the other namespace types; otherwise creating a namespace requires CAP_SYS_ADMIN.

• Example clone() call that starts a child in a new PID namespace. The caller allocates the child's stack (here 1 MiB) and, because the stack grows downward on x86, passes a pointer to the top of the allocation:

pid_t child_pid = clone(child_fn, child_stack + 1048576, CLONE_NEWPID | SIGCHLD, NULL);
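The clone() call above needs a stack buffer and root privileges. As an added example that is not from the slides, the shell script below does the same thing from the command line with util-linux `unshare` (the front-end for the unshare(2) syscall), creating user, PID, UTS, mount and IPC namespaces in one go, and then checks from inside that the child really is PID 1 and that its namespace identities differ from ours. It assumes util-linux 2.26 or later (for `-r`) and a readable /proc; the function names `ns_id` and `ns_demo` are mine. Where namespace creation is not permitted (unprivileged user namespaces disabled, or a seccomp filter such as Docker's default rejecting unshare) it reports "unsupported" instead of failing.

```shell
#!/bin/sh
# Added example (not from the slides): exercise the namespace types listed
# on this slide with util-linux `unshare` and verify the isolation from
# inside. Assumes util-linux >= 2.26 (for -r) and a readable /proc.

ns_id() {
    # Namespace identity of the current process, e.g. "pid:[4026531836]".
    readlink "/proc/self/ns/$1" 2>/dev/null
}

ns_demo() {
    # Prints "isolated" when the child ran as PID 1 in fresh namespaces,
    # "unsupported" when this kernel/sandbox refuses to create namespaces,
    # "broken" (exit 1) when namespaces were created but isolation failed.
    [ -r /proc/self/ns/pid ] || { echo unsupported; return 0; }
    outer_pid_ns=$(ns_id pid)
    outer_uts_ns=$(ns_id uts)

    # -U new user namespace (no root needed), -r map our uid to root inside
    # -p new PID namespace; it applies to children, hence -f (fork first)
    # -u new UTS, -m new mount, -i new IPC namespace
    # The child reports: its own PID, its pid-ns id and its uts-ns id.
    inner=$(unshare -Urpfumi sh -c \
        'echo "$$ $(readlink /proc/self/ns/pid) $(readlink /proc/self/ns/uts)"' \
        2>/dev/null) || { echo unsupported; return 0; }

    set -- $inner
    inner_pid=$1; inner_pid_ns=$2; inner_uts_ns=$3

    # First process in a new PID namespace is PID 1, and every namespace
    # id seen from inside must differ from the one we started in.
    if [ "$inner_pid" = "1" ] && [ -n "$inner_pid_ns" ] \
       && [ "$inner_pid_ns" != "$outer_pid_ns" ] \
       && [ "$inner_uts_ns" != "$outer_uts_ns" ]; then
        echo isolated
    else
        echo broken
        return 1
    fi
}

ns_demo
```

Note that `-p` needs `-f`: unshare(2) cannot move the calling process into a new PID namespace, it only changes the namespace of its future children, which is why the slide's C version uses clone() rather than unshare(). Without `-U`/`-r` the same command requires CAP_SYS_ADMIN.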

Page 8: Linux container, namespaces & CGroup

Cgroup (Control Groups)

• Control groups provide a mechanism for managing and monitoring system resources: CPU time, system memory, disk I/O and network traffic are partitioned into groups, and tasks are assigned to those groups.

• They are the tool to reach for when an application needs a guaranteed share of the resources it depends on, or when another application must be kept from consuming more than its share.

Page 9: Linux container, namespaces & CGroup

Cgroup

• Creating a group means declaring its budget, for example 80% of CPU, 10 GB of memory, 80% of disk read/write bandwidth, 80% of network bandwidth (network limits are indirect: the net_cls/net_prio controllers tag the traffic and tc enforces the rate).

• Once a group exists, applications are assigned to it and are throttled automatically.

• No reboot is required; limits take effect on the fly and can be changed while the application runs.
• The application is not informed of the limitation: a CPU-starved process simply runs slower, and a process that exceeds its memory limit is OOM-killed within the group without affecting the rest of the system.

Page 10: Linux container, namespaces & CGroup

Cgroup

• Cgroup installation: the kernel exposes control groups as a virtual filesystem (cgroupfs, normally mounted under /sys/fs/cgroup, with one hierarchy per subsystem in cgroup v1: cpu, memory, blkio, devices, ...). Installing libcgroup adds the cgcreate, cgset, cgexec and cgclassify tools on top of it.

• Setup: each cgroup directory contains the control files of its subsystem plus a common set of files:
1. tasks: the thread IDs attached to this group (writing a TID moves that single thread).
2. cgroup.procs: the same for whole processes (writing a PID moves every thread of that process).
3. cgroup.event_control: registers an eventfd to receive notifications, e.g. when memory usage crosses a threshold.
4. notify_on_release: switches notification on/off for the moment the group becomes empty.
5. release_agent (in the root of the hierarchy only): a program the kernel runs when notify_on_release fires. It executes as root in the host's namespaces, so cgroupfs must never be writable from inside a container.

Page 11: Linux container, namespaces & CGroup

Cgroup

• Usage example (cgroup v1; 5242880 bytes = 5 MiB):
echo 5242880 > /cgroup/memory/test1/memory.limit_in_bytes : RAM limit of the test1 group
echo 5242880 > /cgroup/memory/test1/memory.memsw.limit_in_bytes : RAM + swap combined; must be at least the RAM limit, and equal to it means no swap at all
echo "8:0 5242880" > blkio.throttle.read_bps_device : inside the group's blkio directory; 5 MiB/s of reads from the block device with major:minor 8:0
echo 1234 > /sys/fs/cgroup/my_group/tasks : attaching process 1234 (older distributions mounted cgroupfs at /cgroup, newer ones at /sys/fs/cgroup; it is the same filesystem)
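The echo lines above target cgroup v1. As an added example, not from the slides, the script below applies the same memory, swap and CPU limits and attaches a PID using the cgroup v2 unified hierarchy that current kernels mount at /sys/fs/cgroup (memory.max, memory.swap.max, cpu.max, cgroup.procs). The cgroup root is a parameter: by default it writes into a scratch directory so the file layout and values can be inspected without root, and setting CG_ROOT=/sys/fs/cgroup as root applies the limits for real. The function names `cg_confine` and `cg_show`, the group name test1 and the PID 1234 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the slides): the slide's v1 echo commands redone
# for the cgroup v2 unified hierarchy. ROOT is a parameter so the logic can
# run against a scratch directory; use CG_ROOT=/sys/fs/cgroup (as root) to
# apply it to the real cgroupfs.

cg_confine() {
    # cg_confine ROOT NAME PID MEM_BYTES CPU_QUOTA_US [CPU_PERIOD_US]
    root=$1; name=$2; pid=$3; mem=$4; quota=$5; period=${6:-100000}
    cg="$root/$name"

    # v2 controllers are opt-in per level: the parent must delegate them
    # before the child's memory.* and cpu.* files appear.
    echo "+memory +cpu" > "$root/cgroup.subtree_control" || return 1

    mkdir -p "$cg" || return 1
    # Hard RAM limit; exceeding it OOM-kills inside this group only.
    echo "$mem" > "$cg/memory.max" || return 1
    # v1 memsw was RAM+swap combined; v2 caps swap separately. 0 = no swap,
    # the equivalent of memsw.limit_in_bytes == limit_in_bytes on the slide.
    echo 0 > "$cg/memory.swap.max" || return 1
    # "QUOTA PERIOD" in microseconds: 50000 100000 = at most 50% of one CPU.
    echo "$quota $period" > "$cg/cpu.max" || return 1
    # Attach the process (whole thread group); replaces the v1 'tasks' file.
    echo "$pid" > "$cg/cgroup.procs" || return 1
}

cg_show() {
    # Read back what was applied: "MEM SWAP QUOTA PERIOD PROCS" on one line.
    cg="$1/$2"
    printf '%s %s %s %s\n' "$(cat "$cg/memory.max")" "$(cat "$cg/memory.swap.max")" \
        "$(cat "$cg/cpu.max")" "$(cat "$cg/cgroup.procs")"
}

# Stand-alone run: a scratch tree by default (constructed, not a real
# cgroupfs), confining this shell to 5 MiB RAM, no swap, half a CPU.
root=${CG_ROOT:-$(mktemp -d)}
cg_confine "$root" test1 "${CG_PID:-$$}" 5242880 50000 100000 && cg_show "$root" test1
```

On a real v2 mount the writes are validated by the kernel: cgroup.procs rejects PIDs you are not allowed to migrate, and cpu.max or memory.max are absent until the parent has enabled the controller, which is why the subtree_control write comes first.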

Page 12: Linux container, namespaces & CGroup

Container

• A container can be considered a lightweight VM.
• A container is a small VM of sorts: some components (namespaces, resource limits, a file system) are allocated to a set of processes and bundled as an individual container.
• The main use of Linux Containers is to run a complete copy of a Linux userland in a container (a system container) without the overhead of a type-2 hypervisor such as VirtualBox.
• The container shares the kernel with the host, so its processes and file system are completely visible from the host. Logged in to the container, you see only its file system and process space. Because the kernel is shared, you are limited to the modules and drivers it has loaded, and a kernel vulnerability reachable from inside a container breaks the isolation of every container on that host.

• A container relies on namespaces and cgroups for its handling.
• It is easy to deploy, change and update multiple containers running side by side.
• A container can be summarized as: Cgroup + Namespace + Interface = Container.

• Docker: the same kernel technology. Early Docker drove LXC under the hood; it later moved to its own runtime (libcontainer, now runc) and adds image packaging, distribution and easy deployment on top.

Page 13: Linux container, namespaces & CGroup

Container

Page 14: Linux container, namespaces & CGroup

Container

Page 15: Linux container, namespaces & CGroup

How

• lxc-checkconfig: check whether the running kernel has the namespace and cgroup support LXC needs.
• lxc-create -t fedora -n fedoraCT: create a container named fedoraCT from the Fedora template.
• lxc-start -n fedoraCT: start the container.
• lxc-stop -n fedoraCT: stop the container.
• lxc-destroy -n fedoraCT: remove the container, including its root file system.

Page 16: Linux container, namespaces & CGroup

References

• Learn more about this at the links below.
https://www.toptal.com/linux/separation-anxiety-isolating-your-system-with-linux-namespaces
https://sysadmincasts.com/episodes/14-introduction-to-linux-control-groups-cgroups
https://www.flockport.com/lxc-vs-docker/
http://www.linuxjournal.com/content/linux-containers-and-future-cloud
http://www.slideshare.net/

And The all in one: Google.co.in

Page 17: Linux container, namespaces & CGroup

The End

Thank You.