Assignment 3
Namespace Attachment feature for LXC
Darshan Parmar 2014H112179P
Ankur Vashishtha 2014H112180P
1. Introduction:
The Namespace Attachment feature allows namespaces to be attached to the currently running
process. It is an important feature: it can attach any namespace, such as network or UTS, and
thereby achieves de-isolation. Because of the security implications, this feature should be used
with utmost care.
2. Specification of Namespace Attachment feature:
Namespace:
A namespace wraps a global system resource in an abstraction that makes it appear to the
processes within the namespace that they have their own isolated instance of the global
resource. Changes to the global resource are visible to other processes that are members of the
namespace, but are invisible to other processes. Linux Containers are built using namespaces.
Linux provides the following namespaces:

   Namespace    Isolates
   1. IPC       System V IPC, POSIX message queues
   2. Network   Network devices, stacks, ports, etc.
   3. Mount     Mount points
   4. PID       Process IDs
   5. User      User and group IDs
   6. UTS       Hostname and NIS domain name
Namespace Attachment Specification
- In addition to creating new namespaces, the Namespace Attachment feature allows a process to
attach itself to already existing namespaces using the setns() call.
- Each process exposes its namespaces via the /proc/<PROCESS_ID>/ns directory. The setns()
system call takes a file descriptor obtained by opening one of the files in that directory and
attaches the calling process to that namespace.
- It provides de-isolation of the namespaces of Linux containers.
- Sharing resources among containers becomes easier.
- Efficient storage.
- Wastage of resources can be minimized.
Use-Cases of Namespace Attachment feature
1. When security (and therefore a complete isolation) is not needed.
2. At early stages of system deployment, where no external access to the system is enabled yet.
3. When breaking the isolation is the best way to attain something, and the security impact
of the step away from isolation has been carefully reviewed and approved.
4. In development/testing.
Notes:
Security needs to be thorough when using this mode. If the container is "infected" but the host
is not, this trick may open a door to infecting the host as well. The tool should therefore warn
that it de-isolates the container from the host; whether that is appropriate is for the sysadmin
to decide.
3. Design Notes
Features to manage namespaces for containers are provided by the Dived utility library
(https://github.com/vi/dive). We used the namespace functionality of this library, stripped
away the remaining part of the library, and integrated it with the LXC container.
1. Selection of the feature
Our aim was to find a feature which is not currently provided by LXC Container. Namespace
attachment is an important feature which provides de-isolation between host and container.
2. Stripping Down the Dived Library
The Dived/Dive library works on a client-server model. The architecture of the library is shown
in Figure 1.
Figure 1. Dive library architecture
We went with the attachns feature and worked with the dived module only; the remaining part
of the library was stripped.
3. Integration of the NMT library with the LXC container
1. Copy all .c files from the divens folder to <LXC_HOME>/src/lxc.
2. Edit LXC/src/lxc/Makefile.am to make the necessary changes for the extra lxc-attachns
feature:
   - Add lxc-attachns to bin_programs
   - Add dived.c, safer.c and recv_fd.c to lxc_source
3. Re-compile the source code using the commands below:
   ./autogen.sh
   ./configure
   make
   make install (which in turn installs our new feature)
Figure2. Architecture of lxc container with namespace feature
4. Execution/Testing steps:
1. Create an LXC container, say alice1, with the Ubuntu template:
   lxc-create -t ubuntu -n alice1
2. Make any necessary changes to the configuration file (e.g. changing the AppArmor security
profile).
3. Start the container by executing the following command, which boots it:
   lxc-start -n alice1
4. Go to the container console by executing the following command:
   lxc-console -n alice1
5. Log into the container with username: ubuntu and password: ubuntu.
6. Become root inside the container with sudo su.
7. Start any process in the container, say cat >qwerty.
8. Find the process id of the shell currently running inside the container. Since the container
process id space and the host process id space are different, we need to find the mapping
between the container process id and the host process id. On the host:
   lsof -n | grep qwerty
9. Execute the following command on the host to find the mapping between host and container
process ids and to find the process id of the shell that owns the cat process (2456 is the
host-side process id of cat found in the previous step):
   ps aux -H | grep -B 4 2456
10. Find the namespaces you want to associate with the current process:
   ls -l /proc/1751/ns/
   [Namespaces of the container process; here 1751 is the process id of the shell running in
   the container, in the host process id space]
   ls -l /proc/self/ns/
   [Namespaces associated with the host]
11. Select whichever container namespaces you want to attach to the current Linux terminal
(e.g. here I am attaching the IPC, network and UTS namespaces to the current terminal):
   lxc-attachns -N /proc/5777/ns/ipc -N /proc/5777/ns/net -N /proc/5777/ns/uts -- /bin/bash
12. Check the terminal and verify that those namespaces have been attached to the currently
running terminal.
5. Future work
- Namespace attachment could be done at a higher level by providing just the name of the
namespace, rather than searching through the process mapping between host and container.
- Other related features of Dived can be integrated.
6. References
1. https://github.com/vi/dive/
2. http://www.linuxjournal.com/content/linux-containers-and-future-cloud
3. https://linuxcontainers.org/lxc/articles/
4. https://github.com/lxc/lxc
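As an added worked example (not from the original report, nor from the dive or lxc projects), the mechanism of section 2 and the check of steps 10-12 in one small C program: it opens /proc/<pid>/ns/<type>, hands the descriptor to setns(), and confirms the attachment by comparing namespace inodes, which is what reading `ls -l /proc/<pid>/ns/` by eye does. The function names, the binary name and the usage line are the example's own assumptions; the attach step needs CAP_SYS_ADMIN, while the inode comparison works unprivileged.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* glibc wrapper for setns(2); redeclared so this compiles even if <sched.h>
 * was processed without _GNU_SOURCE in effect. */
int setns(int fd, int nstype);

/* Parse the target of a /proc/<pid>/ns/<type> symlink, e.g. "net:[4026531992]",
 * into the namespace inode number. Returns 0 for malformed input. */
unsigned long ns_inode_from_link(const char *link)
{
    const char *lb = strchr(link, '[');
    const char *rb = strrchr(link, ']');
    if (!lb || !rb || rb <= lb + 1) return 0;
    char *end;
    unsigned long ino = strtoul(lb + 1, &end, 10);
    return end == rb ? ino : 0;
}

/* Inode of <pid>'s <type> namespace, i.e. the number `ls -l /proc/<pid>/ns/`
 * prints in step 10; 0 if the link cannot be read. */
unsigned long ns_inode(pid_t pid, const char *type)
{
    char path[64], link[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, type);
    ssize_t n = readlink(path, link, sizeof link - 1);
    if (n < 0) return 0;
    link[n] = '\0';
    return ns_inode_from_link(link);
}

/* 1 if a and b are in the same <type> namespace, 0 if not, -1 if unknown. */
int same_ns(pid_t a, pid_t b, const char *type)
{
    unsigned long ia = ns_inode(a, type), ib = ns_inode(b, type);
    if (ia == 0 || ib == 0) return -1;
    return ia == ib;
}

/* Attach the caller to <pid>'s <type> namespace: open the file under
 * /proc/<pid>/ns and hand the descriptor to setns(2). Needs CAP_SYS_ADMIN
 * over the target namespace; this is the call that de-isolates. */
int attach_ns(pid_t pid, const char *type)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, type);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) { perror(path); return -1; }
    int rc = setns(fd, 0); /* nstype 0: accept whichever namespace fd refers to */
    if (rc < 0) perror("setns");
    close(fd);
    return rc;
}
/* Usage (hypothetical binary name): ./attachns 5777 ipc net uts */
int main(int argc, char **argv)
{
    if (argc < 3) { fprintf(stderr, "usage: %s <pid> <nstype>...\n", argv[0]); return 2; }
    pid_t target = (pid_t)atoi(argv[1]);
    for (int i = 2; i < argc; i++) {
        int before = same_ns(getpid(), target, argv[i]);
        if (attach_ns(target, argv[i]) < 0) return 1;
        /* Same check as step 12: after setns() the two inodes must match. */
        printf("%s: shared before=%d after=%d\n", argv[i], before,
               same_ns(getpid(), target, argv[i]));
    }
    execl("/bin/bash", "bash", (char *)NULL); /* shell inside the joined namespaces */
    perror("execl");
    return 1;
}
```

Run unprivileged, the same_ns() part alone is a quick audit: a container process whose ipc, net or uts inode equals that of host pid 1 has been de-isolated.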
