Assignment - 3
Namespace Attachment feature for LXC
Darshan Parmar 2014H112179P
Ankur Vashishtha 2014H112180P
1. Introduction:
The Namespace Attachment feature offers the facility to attach namespaces to the currently running
process. It is an important feature that makes it possible to attach any namespace, such as network
or UTS, and thereby achieves de-isolation. However, due to security concerns this feature should be
used with utmost care.
2. Specification of Namespace Attachment feature:
Namespace:
A namespace wraps a global system resource in an abstraction that makes it appear to the
processes within the namespace that they have their own isolated instance of the global
resource. Changes to the global resource are visible to other processes that are members of the
namespace, but are invisible to other processes. Linux Containers are built using namespaces.
Linux provides the following namespaces:
Namespace     Isolates
1. IPC        System V IPC, POSIX message queues
2. Network    Network devices, stacks, ports, etc.
3. Mount      Mount points
4. PID        Process IDs
5. User       User and group IDs
6. UTS        Hostname and NIS domain name
Namespace Attachment Specification
The Namespace Attachment feature provides the facility of attaching to already running
namespaces using the setns() call, in addition to creating new namespaces.
Each process exposes its namespaces via the /proc/<PROCESS_ID>/ns directory. The setns()
system call takes a file descriptor obtained by opening one of the files in that directory and
attaches the calling process to that namespace.
Benefits:
It provides de-isolation of the namespaces of Linux containers
Sharing resources among containers is easier
Efficient storage
Wastage of resources can be minimized
2. Use-Cases of Namespace Attachment feature
1. When security (and therefore complete isolation) is not needed.
2. At early stages of system deployment, where no external access to the system is enabled yet.
3. When breaking the isolation is the best way to attain something, and the security impact
of the step away from isolation is carefully reviewed and approved.
4. In development/testing.
Notes:
Security needs to be thorough when using this mode. If the container is "infected" but the host
is not, then using such a trick may open up a door to infect the host as well, so there should be
warnings that using this tool de-isolates the container from the host; whether that is appropriate
or not is up to the sysadmin to decide.
3. Design Notes
Features to manage namespaces for containers are provided by the Dived utility library
(https://github.com/vi/dive). We have used the namespace functionality of this library by stripping
down the remaining part of the library and integrating it with the LXC container.
1. Selection of the feature
Our aim was to find a feature which is not currently provided by the LXC container. Namespace
attachment is an important feature which provides de-isolation between host and container.
2. Stripping down the Dived library
The Dived/Dive library works on the client-server model. The architecture of the library is shown
in Figure 1.
Figure 1. Dive library architecture
We went with the attachns feature and worked with the dived module only, while the remaining part
of the library was stripped.
3. Integration of NMT library with LXC Container
1. Copy all .c files from the divens folder to <LXC_HOME>/src/lxc
2. Edit <LXC_HOME>/src/lxc/Makefile.am to make the necessary changes for adding the extra
lxc-attachns feature:
Add lxc-attachns to bin_PROGRAMS
Add dived.c, safer.c and recv_fd.c to lxc_source
3. Re-compile the source code using the commands below:
./autogen.sh
./configure
make
make install (which in turn installs our new feature)
Figure 2. Architecture of lxc container with namespace feature
4. Execution/Testing steps:
1. Create an LXC container, say alice1, with the Ubuntu template:
lxc-create -t ubuntu -n alice1
2. Make the necessary changes to the configuration file if required (e.g. changing the AppArmor
security profile).
3. Start the LXC container by executing the following command, which will start/boot the container:
lxc-start -n alice1
4. Go to the container console by executing the following command:
lxc-console -n alice1
5. Log in to the container with username: ubuntu and password: ubuntu.
6. Go to root of the container with sudo su.
7. Start any process in the container, say cat >qwerty.
8. Find out the process id of the currently running shell inside the container. Since the container
process id space and the host process id space are different, we need to find the mapping between
the container process id and the host process id.
9. Execute the following commands on the host system to find the mapping between the host and
container process ids, and find the process id associated with the shell of the cat process:
lsof -n | grep qwerty
ps aux -H | grep -B 4 2456
10. Find out the namespaces which you want to attach to the current process:
ls -l /proc/1751/ns/
[Namespaces of the container process; here 1751 is the process id of the shell running in the
container, in the host process id space]
ls -l /proc/self/ns/
[Namespaces associated with the host]
11. Select whichever container namespaces you want to attach to the current Linux terminal (e.g.
here I am attaching the IPC, Network and UTS namespaces to the current terminal) using the
lxc-attachns command listed at the end of this document.
12. Check the terminal and verify that the particular namespaces have been attached to the currently
running terminal.
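An added example, not part of this report or of the Dived library: a small C program that does what one -N argument of lxc-attachns does (open the /proc/<pid>/ns file and hand it to setns()) and then performs the check of step 12 by comparing the nsfs inodes of the two processes, which is the same identity that ls -l prints as net:[...]. All function and program names are assumptions; attach_ns() only succeeds when run as root on the host, the other functions work unprivileged on the caller's own process.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
int setns(int fd, int nstype); /* from <sched.h>; repeated so the file builds even if _GNU_SOURCE came late */

/* Namespace files found under /proc/<pid>/ns/ on the kernels this report targets. */
static const char *const NS_NAMES[] = {"ipc", "mnt", "net", "pid", "user", "uts"};
/* 1 if name is a known namespace file, else 0: rejects odd input before it reaches /proc. */
int ns_name_valid(const char *name) {
    for (size_t i = 0; i < sizeof NS_NAMES / sizeof *NS_NAMES; i++)
        if (strcmp(name, NS_NAMES[i]) == 0) return 1;
    return 0;
}
/* Inode of namespace `name` of `pid`, the number ls -l prints as "net:[4026531969]". 0 on success, -1 on error. */
int ns_inode(pid_t pid, const char *name, ino_t *ino) {
    char path[64]; struct stat st;
    if (!ns_name_valid(name)) return -1;
    snprintf(path, sizeof path, "/proc/%ld/ns/%s", (long)pid, name);
    if (stat(path, &st) < 0) return -1;   /* stat() follows the magic link to the nsfs inode */
    *ino = st.st_ino;
    return 0;
}
/* 1 if processes a and b share namespace `name`, 0 if not, -1 on error: the check of step 12. */
int same_namespace(pid_t a, pid_t b, const char *name) {
    ino_t ia, ib;
    if (ns_inode(a, name, &ia) < 0 || ns_inode(b, name, &ib) < 0) return -1;
    return ia == ib;
}
/* Join the namespace behind `path` (one -N argument of lxc-attachns). Needs CAP_SYS_ADMIN in the
 * namespace's owning user namespace; nstype 0 lets setns() accept whatever type the fd refers to. */
int attach_ns(const char *path) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int rc = setns(fd, 0);
    close(fd);
    return rc;
}
/* Usage (as root on the host): ./nscheck <host-side pid of the container shell> <ns> */
int main(int argc, char **argv) {
    char path[64];
    if (argc != 3 || !ns_name_valid(argv[2])) return 2;
    pid_t target = (pid_t)strtol(argv[1], NULL, 10);
    snprintf(path, sizeof path, "/proc/%ld/ns/%s", (long)target, argv[2]);
    if (attach_ns(path) < 0) { perror("setns"); return 1; }
    printf("sharing %s namespace with pid %ld: %d\n", argv[2], (long)target, same_namespace(getpid(), target, argv[2]));
    return 0;
}
```

Without CAP_SYS_ADMIN the attach step fails with EPERM and the program exits before the comparison, which is the behaviour an administrator should expect from any unprivileged attempt at de-isolation.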
5. Future work
Namespace attachment can be done at a higher level by providing just the name of the
namespace rather than searching through the process mapping between host and
container.
Other related features of Dived can be integrated.
6. References
1. https://github.com/vi/dive/
2. http://www.linuxjournal.com/content/linux-containers-and-future-cloud
3. https://linuxcontainers.org/lxc/articles/
4. https://github.com/lxc/lxc
lxc-attachns command used in step 11 (attaching the IPC, Network and UTS namespaces of the process with host-side process id 5777 to a new bash shell):
lxc-attachns -N /proc/5777/ns/ipc -N /proc/5777/ns/net -N /proc/5777/ns/uts -- /bin/bash