Questions tagged [linux-namespaces]

For questions regarding Linux kernel's namespaces mechanism.

143 questions
6 votes, 2 answers

Does Kubernetes POD have namespace and cgroup associated with it?

Docker containers have cgroups and namespaces associated with them, whether they are running in a pod or VM or host machine. Similarly, does a Kubernetes Pod have namespaces and cgroups associated with it, or is it just the containers within the…
6 votes, 1 answer

unshare user namespace and set uid mapping with newuidmap

I'm trying to gain a better understanding of user namespaces by experimenting with the unshare and newuidmap commands. These are the commands I ran: [root@host ~]$ ls -l /usr/bin/newuidmap -rwsr-xr-x 1 root root 32944 May 16 19:37…
el_tigro

6 votes, 1 answer

Run each Docker container in a specific user namespace configuration

Problem: I am trying to mount a directory as a Docker volume in such a way that a user which is created inside a container could write to a file in that volume. And at the same time, the file should be at least readable to my user lape outside the…
Luke 10X

6 votes, 2 answers

Share docker socket using user namespaces

Is it possible to use the docker socket mounted from the host inside a docker container when using user namespaces? I have the following configuration: /etc/subuid user:100000:65536 /etc/subgid user:100000:65536 /etc/docker/daemon.json { …
lbednaszynski

6 votes, 1 answer

Network namespace and bridging

Hello everyone, I am an occasional Linux user, but I have a project to do and I need some help with bridging :) I have tried with Google, but didn't solve the problem. My task is to create a network namespace, so it can be used to perform some other tasks…
miki

6 votes, 1 answer

Killing a process from the global scope using its kernel namespace PID

Having some difficulties with Linux kernel namespaces today, specifically correlating PIDs inside of a unique PID namespace to those within the global PID namespace. I need to be able to do one of the following: a) Kill a process from the global…
BSchlinker

5 votes, 1 answer

How does unshare make it possible to use chroot without real root?

chroot needs CAP_SYS_CHROOT according to the manual. The unshare command uses chroot. The command unshare -UrR newroot/ will work without being run as root, which makes sense since the -r flag makes us root inside the namespace, giving us the…
Vitor Falcão

5 votes, 3 answers

Docker best practices for security

Most of the Dockerfiles you will find on the Internet build and run software as root! This must scare everybody, right? ... but it doesn't seem to be the case ... So the problem is that running a server as root, even in a container, IS DANGEROUS, because…
kondor

5 votes, 1 answer

What is the relation between `task_struct` and `pid_namespace`?

I'm studying some kernel code and trying to understand how the data structures are linked together. I know the basic idea of how a scheduler works, and what a PID is. Yet I have no idea what a namespace is in this context, and can't figure out how…
Ramzi Khahil

5 votes, 2 answers

Mounting proc in non-privileged namespace sandbox

I'm trying to make a sandboxed environment using Linux namespaces. I've found a neat example at https://github.com/swetland/mkbox that roughly does what I want, but I'd like a credible /proc to appear inside the sandbox. How can I do that? I tried…
hanwen

4 votes, 1 answer

Injecting a mount into a disjoint mount namespace behind a private mount propagation?

As part of some work I'm doing on container diagnostics tooling for Linux container systems like docker and containerd/runc, I've been looking for a way to inject or bind a mount from one mount namespace into another disjoint mount…
Craig Ringer

4 votes, 0 answers

unshare network with loopback enabled

To run tests on the development build of my program I need to isolate it from the network. The build still needs access to loopback (127.0.0.1) though. I tried using unshare -c -n but the loopback interface is down by default. Using…
Kitsune

4 votes, 1 answer

Use unshare to start process in existing net namespace?

I want to launch a process using isolated namespaces for PID, UTS, IPC, and NET. However, inside the process, to set up the networking correctly, the network namespace has to be configured on the host with the veth adapters (so that they appear for…
mhaken

4 votes, 1 answer

Linux User NameSpaces

I am experimenting with user namespaces using Go on Linux. The thing that I cannot figure out is that although I am setting the uid and gid mappings when creating the namespace, it still identifies as the nobody user when I launch the binary using…
4 votes, 1 answer

Docker: Map external to internal user (how to apply '--user', how to execute .bashrc)?

Running a docker image with a command line such as: > docker run -it -v $OutsideDir:$InsideDir -u $(id -u):$(id -g) c0ffeebaba bash I am able to work on my data as the current user on the host from inside the docker container. However, asking…
Frank-Rene Schäfer
