Playing with Linux namespaces

This post was written by eli on July 16, 2015
Posted Under: Linux,Linux kernel,Virtualization

Intro

Linux namespaces are the foundation for container-based virtualization, which is becoming increasingly popular. Aside from the ability to isolate a shell (and the processes it generates) from the “main environment”, as is required for this kind of lightweight virtualization, namespaces are useful for overriding selected functionalities.

So I’m jotting down things I use myself.

Using an ad-hoc host name

[root@mycomputer eli]# uname -n
mycomputer.localdomain
[root@mycomputer eli]# unshare -u bash
[root@mycomputer eli]# uname -n
mycomputer.localdomain
[root@mycomputer eli]# hostname newname.localdomain
[root@mycomputer eli]# uname -n
newname.localdomain
[root@mycomputer eli]# exit
[root@mycomputer eli]# uname -n
mycomputer.localdomain

Note that unshare started a new bash shell, with a separate namespace. That’s why hostname’s effect ended when pressing CTRL-D and exiting the shell (where it says “exit”).

The truth is, that “unshare [options] bash” and just “unshare [options]” do the same thing — in the absence of a program to execute, unshare kicks off a new shell.

Hiding the network from a program

Some programs have an annoying “feature” of reporting back (hopefully anonymous) information to their vendor’s server. If such a program has nothing to do on the internet, it can be run from a subshell that can’t possibly see any network interface. Except for loopback, of course. For example,

# unshare -n bash
# ifconfig lo up
# ifconfig
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

I should mention that iptables allows rules per user, and there’s always SELinux for those with strong nerves, so these are alternative solutions. But a network namespace looks much simpler to me.

The loopback interface is absent unless enabled as shown above.

In a more sophisticated version, one can add a tunnel interface to the “real world” and apply iptables rules on the dedicated interface. Note that iptables is local to the new network namespace, so it’s empty. The firewall rules can therefore be written inside the network namespace so the main firewall isn’t touched, or rules can be set up on the main firewall for the tunnel interface in the “real world” network namespace.

Root wannabe

It’s possible to be root without being root:

$ unshare -Ur
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

This is a bluff, of course. The process runs as the original user in reality, but internally, this user is mapped as root. In particular, all files that belong to the original user appear as belonging to root inside this enclosure.
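The bluff can be inspected directly: the kernel records the mapping that `unshare -Ur` sets up in /proc/&lt;pid&gt;/uid_map and gid_map, one line per range, “id inside the namespace, id outside it, length of the range”. An id with no line is unmapped and shows up as the overflow id 65534 (nobody/nogroup), which is why the `id` output above lists 65534(nogroup). The following is an added example, not code from the post; the sample uid_map line is constructed for the case of user 1000 running `unshare -Ur`.

```python
"""Translate ids across a user-namespace boundary by reading uid_map/gid_map."""
import os
from typing import List, Optional, Tuple

OVERFLOW_ID = 65534  # kernel default for overflowuid/overflowgid

# Constructed sample: what /proc/self/uid_map contains after `unshare -Ur`
# when the calling user is uid 1000 (only uid 0 inside -> 1000 outside).
SAMPLE_UID_MAP = "         0       1000          1\n"

IdRange = Tuple[int, int, int]  # (inside, outside, length)


def parse_id_map(text: str) -> List[IdRange]:
    """Parse uid_map/gid_map contents into (inside, outside, length) triples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # blank or malformed line
        inside, outside, length = (int(f) for f in fields)
        ranges.append((inside, outside, length))
    return ranges


def to_outside(ranges: List[IdRange], inside_id: int) -> Optional[int]:
    """Map an id seen inside the namespace to the id the host actually uses."""
    for inside, outside, length in ranges:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None  # unmapped: the kernel has no real id for it


def to_inside(ranges: List[IdRange], outside_id: int) -> int:
    """Map a host id to what a process inside the namespace will see."""
    for inside, outside, length in ranges:
        if outside <= outside_id < outside + length:
            return inside + (outside_id - outside)
    return OVERFLOW_ID  # unmapped host ids appear as nobody/nogroup


def real_uid_of_root(pid="self") -> Optional[int]:
    """Read the live map of `pid` (relative to the reader's own namespace)
    and report which host uid 'root' inside that namespace really is."""
    with open(f"/proc/{pid}/uid_map") as f:
        return to_outside(parse_id_map(f.read()), 0)


if __name__ == "__main__":
    print("uid 0 in my namespace is host uid", real_uid_of_root(), "; I am", os.getuid())
```

Running the script inside an `unshare -Ur` shell prints the original uid next to the “root” the shell claims to be; on the host it prints 0.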

Reader Comments

Hi Eli,
Every newly created network namespace has its loopback device.

> The loopback interface is absent unless enabled as shown above.

In fedora 23 and older releases, at least, there is no need
for “ifconfig lo up”, see the following sequence:

unshare -n bash

$ ifconfig

lo: flags=8<LOOPBACK> mtu 65536
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Rami Rosen

#1 
Written By Rami Rosen on June 12th, 2016 @ 14:54

Thanks, Rami. I suppose it’s a matter of different versions of unshare.

#2 
Written By eli on June 12th, 2016 @ 15:26
