Namespace
A namespace is a resource isolation mechanism provided by the Linux kernel. A process running inside a namespace sees its own instance of one particular global resource (the hostname, the process ID table, the network stack, the mount table, and so on) as if it had the whole machine to itself, and changes it makes to that resource are visible only to other members of the same namespace. Processes in different namespaces of a given type cannot see each other's instance of that resource; a process in its own PID namespace, for example, cannot even observe that processes outside it exist.
Container runtimes use the kernel's namespaces to keep the processes of different containers apart. Namespaces alone are not the whole security boundary, though: a container also relies on cgroups (resource limits), dropped capabilities and seccomp filters, which a namespace by itself does not provide.
Resource isolation
Which resources can the kernel isolate? The list, as given in namespaces(7):

| Namespace | Flag | Page | Isolates |
|-----------|------|------|----------|
| Cgroup | CLONE_NEWCGROUP | cgroup_namespaces(7) | Cgroup root directory |
| IPC | CLONE_NEWIPC | ipc_namespaces(7) | System V IPC, POSIX message queues |
| Network | CLONE_NEWNET | network_namespaces(7) | Network devices, stacks, ports, etc. |
| Mount | CLONE_NEWNS | mount_namespaces(7) | Mount points |
| PID | CLONE_NEWPID | pid_namespaces(7) | Process IDs |
| Time | CLONE_NEWTIME | time_namespaces(7) | Boot and monotonic clocks |
| User | CLONE_NEWUSER | user_namespaces(7) | User and group IDs |
| UTS | CLONE_NEWUTS | uts_namespaces(7) | Hostname and NIS domain name |
Column Description:
- The first column is the namespace type;
- The second column is the flag passed to clone(2), unshare(2) or setns(2) to create or enter a namespace of that type;
- The third column is the man page that describes it;
- The fourth column lists the resources that this namespace type isolates.
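To make the "isolates" column concrete, the following added example (not from the original article) creates a fresh UTS namespace, renames the host inside it, and shows that the parent's hostname and its /proc/self/ns/uts identity are untouched. It assumes util-linux `unshare` and the `hostname` command are installed; the user namespace is created first so that an unprivileged caller has CAP_SYS_ADMIN over the new UTS namespace and may call sethostname().

```sh
#!/bin/sh
# Added example: observe UTS namespace isolation from an unprivileged shell.
# Assumes: util-linux `unshare` (with --map-root-user) and `hostname`.

# Print four fields: "<inner hostname> <inner uts ns> <outer hostname> <outer uts ns>".
uts_isolation_demo() {
    outer_ns=$(readlink /proc/self/ns/uts)
    outer_host=$(uname -n)
    # --user gives the child a user namespace in which it is root with full
    # capabilities, so --uts and the hostname change are allowed without sudo.
    inner=$(unshare --user --map-root-user --uts sh -c \
        'hostname ns-demo >/dev/null 2>&1; printf "%s %s" "$(uname -n)" "$(readlink /proc/self/ns/uts)"')
    printf '%s %s %s\n' "$inner" "$outer_host" "$outer_ns"
}

# Succeed only if the child saw its new name, the parent did not, and the two
# uts links point at different namespace inodes.
uts_isolated() {
    set -- $(uts_isolation_demo)
    [ "$1" = ns-demo ] && [ "$3" != ns-demo ] && [ "$2" != "$4" ]
}

# Usage:
#   uts_isolation_demo      # e.g. "ns-demo uts:[4026532203] hubuntu uts:[4026531838]"
#   uts_isolated && echo "UTS namespace is isolated"
```

The same pattern (`unshare --user --map-root-user --<type>`) works for the other namespace types in the table, which is exactly how rootless container runtimes obtain their isolation without any setuid helper.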
View the process namespace
The namespaces a process belongs to are exposed as symbolic links in that process's /proc/PID/ns/ directory:
hxg@hubuntu:~/github$ sudo ls -l /proc/1/ns/
total 0
lrwxrwxrwx 1 root root 0 Nov  5 02:15 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Nov  5 02:15 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 root root 0 Nov  5 02:15 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 root root 0 Nov  5 02:15 net -> 'net:[4026531992]'
lrwxrwxrwx 1 root root 0 Nov  5 02:15 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Nov  5 02:15 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Nov  5 02:15 time -> 'time:[4026531834]'
lrwxrwxrwx 1 root root 0 Nov  5 02:15 time_for_children -> 'time:[4026531834]'
lrwxrwxrwx 1 root root 0 Nov  5 02:15 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Nov  5 02:15 uts -> 'uts:[4026531838]'
Each link target has the form type:[inode]. The inode number identifies the namespace: if the same link (say net) of two processes shows the same inode number, the two processes are in the same namespace of that type. Strictly speaking, namespaces(7) says to compare both the device ID and the inode number of the link target (the st_dev and st_ino fields returned by stat(2)), since the inode number alone is only unique within the nsfs filesystem that backs these links. The pid_for_children and time_for_children links show the namespace that future children of the process will be placed in; after unshare(CLONE_NEWPID) they differ from pid and time until the process forks, because the calling process itself never moves into the new PID namespace.
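A practical use of these links is checking whether two processes really are separated, for instance whether a container's init still shares the host's network or PID namespace with PID 1. The following added example (not part of the original article) compares every namespace type of two PIDs using the device ID and inode number, as namespaces(7) recommends; it assumes GNU or busybox `stat` with `-L` and `-c`.

```sh
#!/bin/sh
# Added example: report which namespaces two processes share.
# Assumes: `stat -L -c` (GNU coreutils or busybox) and a mounted /proc.

NS_TYPES="cgroup ipc mnt net pid time user uts"

# Identity of one namespace as "dev:inode"; -L follows the magic symlink so we
# stat the namespace inode itself rather than the link in /proc.
ns_id() {
    # $1 = PID, $2 = namespace type
    stat -L -c '%d:%i' "/proc/$1/ns/$2" 2>/dev/null
}

# One line per type: "<type> same", "<type> different", or "<type> unknown"
# when the link does not exist (e.g. time on kernels before 5.6, or a PID that
# is not visible to us).
ns_compare() {
    # $1 = PID a, $2 = PID b
    for t in $NS_TYPES; do
        a=$(ns_id "$1" "$t")
        b=$(ns_id "$2" "$t")
        if [ -z "$a" ] || [ -z "$b" ]; then
            echo "$t unknown"
        elif [ "$a" = "$b" ]; then
            echo "$t same"
        else
            echo "$t different"
        fi
    done
}

# Number of namespace types PID $1 shares with PID $2.
ns_shared_count() {
    ns_compare "$1" "$2" | grep -c ' same$' || true
}

# Usage:
#   ns_compare 1 "$(pidof nginx | cut -d' ' -f1)"
#   ns_shared_count 1 "$$"
```

Run against PID 1 and a container's init (for Docker, `docker inspect -f '{{.State.Pid}}' NAME` gives the host-side PID), every line should read "different" except cgroup, which depends on the runtime; a "net same" line means the container was started with the host network namespace and its "isolation" does not cover the network at all.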
Maximum number of namespaces supported by the system
Each file /proc/sys/user/max_XXX_namespaces holds the limit on the number of namespaces of type XXX that may be created. According to namespaces(7) the limit is per user ID and applies within the current user namespace; each user namespace carries its own set of these counters. The files are:
hxg@hubuntu:~/github$ sudo ls /proc/sys/user/
max_cgroup_namespaces   max_inotify_instances   max_mnt_namespaces   max_pid_namespaces   max_user_namespaces
max_inotify_watches     max_ipc_namespaces      max_net_namespaces   max_time_namespaces  max_uts_namespaces
On this host the limit for PID namespaces is 23074 (the default is derived from the amount of RAM, so the value differs from machine to machine):
hxg@hubuntu:~/github$ sudo cat /proc/sys/user/max_pid_namespaces 23074
Operating on network namespaces
Command
The purpose of this series of articles is to explain virtualized networking, so from here on we focus on the network namespace.
The iproute2 package provides the ip netns subcommand for managing network namespaces. Its functions are:
[root@worker2 ~]# ip netns help
Usage: ip netns list
       ip netns add NAME
       ip netns set NAME NETNSID
       ip [-all] netns delete [NAME]
       ip netns identify [PID]
       ip netns pids NAME
       ip [-all] netns exec [NAME] cmd ...
       ip netns monitor
       ip netns list-id
Viewing namespaces
Every process already lives in a network namespace (the initial one, which all processes share at boot), but it has no name and ip netns list shows nothing by default. To exercise the command we therefore create a named namespace by hand.
The following command is used to create the network namespace nst1:
[root@worker2 ~]# ip netns add nst1
ip netns add creates the namespace and bind-mounts its /proc/self/ns/net link under /var/run/netns/NAME; that mount is what keeps the namespace alive after the creating process exits and what later ip netns commands open to enter it:
[root@worker2 ~]# ls /var/run/netns nst1
Next, let's look at the network configuration inside nst1. A freshly created namespace contains only the loopback device, and even that starts out down, so we bring it up first. With no other interfaces and no routes, the namespace really does look like a separate, unplugged machine:
[root@worker2 ~]# ip netns exec nst1 ifconfig lo up
[root@worker2 ~]# ip netns exec nst1 ifconfig -a
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        ...
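An empty namespace is only useful once something connects it to the outside. The following added example (not from the original article) builds the smallest realistic topology on top of ip netns: a named namespace joined to the host by a veth pair, with one end moved inside. The namespace name nst-demo, the interface names veth-host/veth-ns and the 10.200.0.0/24 addresses are arbitrary choices for this example; it requires root and iproute2, and uses `ip -n NAME` as a shorthand for `ip netns exec NAME ip`.

```sh
#!/bin/sh
# Added example: connect a network namespace to the host with a veth pair.
# Assumes: root, iproute2 with `ip -n`, and (for the ping step) iputils ping.
# Names and addresses below are arbitrary choices for this example.
set -eu

NS=nst-demo
HOST_IF=veth-host
NS_IF=veth-ns
HOST_IP=10.200.0.1
NS_IP=10.200.0.2

# Interface names inside namespace $1, one per line ("veth-ns@if7" -> "veth-ns").
netns_ifaces() {
    ip -n "$1" -o link show | awk -F': ' '{ sub(/@.*/, "", $2); print $2 }'
}

# Step 1: the namespace, with loopback up (it is down in a fresh namespace).
netns_demo_create() {
    ip netns add "$NS"
    ip -n "$NS" link set lo up
}

# Step 2: a veth pair; one end stays on the host, the other moves into $NS.
# Moving an interface into a namespace strips its addresses, so address the
# namespace end only after the move.
netns_demo_attach() {
    ip link add "$HOST_IF" type veth peer name "$NS_IF"
    ip link set "$NS_IF" netns "$NS"
    ip addr add "$HOST_IP/24" dev "$HOST_IF"
    ip link set "$HOST_IF" up
    ip -n "$NS" addr add "$NS_IP/24" dev "$NS_IF"
    ip -n "$NS" link set "$NS_IF" up
    # Everything outside the /24 goes via the host end of the pair.
    ip -n "$NS" route add default via "$HOST_IP"
}

# Deleting the namespace destroys the veth end inside it, and a veth cannot
# exist with one end missing, so the host end disappears as well.
netns_demo_down() {
    ip netns delete "$NS" 2>/dev/null || true
}

# Reachability from inside the namespace to the host end of the pair.
netns_demo_ping() {
    ip netns exec "$NS" ping -c 1 -W 1 "$HOST_IP" >/dev/null
}

# Full demo with cleanup on exit. Call explicitly: netns_demo_run
netns_demo_run() {
    trap netns_demo_down EXIT
    netns_demo_down
    netns_demo_create
    echo "after create: $(netns_ifaces "$NS" | tr '\n' ' ')"
    netns_demo_attach
    echo "after attach: $(netns_ifaces "$NS" | tr '\n' ' ')"
    if command -v ping >/dev/null 2>&1; then
        netns_demo_ping && echo "ping $NS -> $HOST_IP ok"
    fi
}
```

Note what the namespace still cannot see: the host's eth0, its routes and its listening sockets are all invisible from inside nst-demo, and the only path out is the veth end the host chose to give it. Whether traffic from 10.200.0.2 reaches anything beyond 10.200.0.1 is then a host-side decision (forwarding, NAT, firewall rules), which is exactly the control point container networking builds on.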
References
- https://man7.org/linux/man-pages/man7/namespaces.7.html