Playing with Linux namespaces
Intro
Linux namespaces are the foundation of container-based virtualization, which is becoming increasingly popular. Aside from the ability to isolate a shell (and the processes it spawns) from the “main environment”, as this kind of lightweight virtualization requires, namespaces are useful for overriding selected functionality for a single program.
So I’m jotting down things I use myself.
Using an ad-hoc host name
[root@mycomputer eli]# uname -n
mycomputer.localdomain
[root@mycomputer eli]# unshare -u bash
[root@mycomputer eli]# uname -n
mycomputer.localdomain
[root@mycomputer eli]# hostname newname.localdomain
[root@mycomputer eli]# uname -n
newname.localdomain
[root@mycomputer eli]# exit
[root@mycomputer eli]# uname -n
mycomputer.localdomain
Note that unshare started a new bash shell, with a separate namespace. That’s why hostname’s effect ended when pressing CTRL-D and exiting the shell (where it says “exit”).
The truth is, that “unshare [options] bash” and just “unshare [options]” do the same thing — in the absence of a program to execute, unshare kicks off a new shell.
Hiding the network from a program
Some programs have an annoying “feature” of reporting (hopefully anonymous) information back to their vendor’s server. If such a program has nothing to do on the internet, it can be run from a subshell that can’t possibly see any network interface. Except for loopback, of course. For example,
# unshare -n bash
# ifconfig lo up
# ifconfig lo
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
I should mention that iptables allows rules per user, and there’s always SELinux for those with strong nerves, so these are alternative solutions. But a network namespace looks much simpler to me.
The loopback interface is absent unless enabled as shown above.
In a more sophisticated version, one can add a tunnel interface to the “real world” and apply iptables rules on that dedicated interface. Note that the iptables rule set is local to the new network namespace, so it starts out empty. The firewall rules can therefore be written inside the network namespace so the main firewall isn’t touched, or rules can be set up on the main firewall for the tunnel interface’s end in the “real world” network namespace.
Root wannabe
It’s possible to be root without being root:
$ unshare -Ur
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
This is a bluff, of course. In reality the process still runs as the original user, but inside the new user namespace that user is mapped to root. In particular, all files that belong to the original user appear as belonging to root inside this enclosure.
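Putting the two tricks together (the network-free subshell from “Hiding the network from a program” and the user namespace from “Root wannabe”), here is an added example of my own, not a script from the original post: a shell function that runs a program inside a fresh network namespace where only loopback is up, created together with a user namespace (unshare -Ur) so that real root is not needed. It assumes a util-linux unshare that understands -U, -r and -n, and either ip or ifconfig for bringing lo up; the function names ns_id, iface_count, netless_available and netless are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original post: run a program in a network
# namespace that contains nothing but loopback. A user namespace (-Ur, the
# "root wannabe" trick) is created alongside it so that no real root is
# needed. Function names are this example's own, not util-linux's.

# Identity of one of the caller's namespaces, e.g. "net:[4026531840]".
# Processes in the same namespace print the same value.
ns_id() {
    readlink "/proc/self/ns/$1"
}

# Number of network interfaces visible to the caller. /proc/net/dev is
# per network namespace; its interface lines are the ones with a colon.
iface_count() {
    grep -c ':' /proc/net/dev
}

# Can this kernel / seccomp policy give us a user+network namespace at all?
netless_available() {
    unshare -Urn true >/dev/null 2>&1
}

# Run "$@" with only loopback. The new namespace already has "lo", but it
# is DOWN (flags=8<LOOPBACK>), so it is brought up first; ip is preferred,
# ifconfig is the fallback. Returns 2 if namespaces cannot be created here.
netless() {
    if ! netless_available; then
        echo "netless: cannot create a user+network namespace here" >&2
        return 2
    fi
    unshare -Urn sh -c '
        ip link set lo up 2>/dev/null || ifconfig lo up
        exec "$@"
    ' netless-inner "$@"
}

# Usage: . ./netless.sh; netless some-program args...
# e.g.  netless sh -c "readlink /proc/self/ns/net; grep -c : /proc/net/dev"
```

Inside the sandboxed program, readlink /proc/self/ns/net differs from the value outside and /proc/net/dev lists exactly one interface, lo.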
Reader Comments
Hi Eli,
> The loopback interface is absent unless enabled as shown above.

Every newly created network namespace has its loopback device.

In fedora 23 and older releases, at least, there is no need for “ifconfig lo up”, see the following sequence:

unshare -n bash
$ifconfig
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
Rami Rosen
Thanks, Rami. I suppose it’s a matter of different versions of unshare.