Hacker News
Digging into Linux namespaces – part 1 (quarkslab.com)
141 points by pcw888 on Dec 7, 2021 | 10 comments



A good follow on after this would be looking at the source code for bocker. It's a clone of large parts of docker, but in about 100 lines of bash.

You'll see references to nsenter, cgcreate, cgdelete, cgexec, and so on. It's helpful to see how docker is mostly a veneer over things that are already in Linux. Not discounting docker, but a lot of the actual value is in things like Docker Hub and Docker Desktop versus the runtime itself.

https://github.com/p8952/bocker/blob/master/bocker


Absolutely, the "secret sauce" is in the tooling and workflows. Other OSs have great container tech underneath - illumos zones and FreeBSD jails - but without the ease of use and ease of moving around images, they're a lot less useful.


I also recommend this series:

https://lwn.net/Articles/531114/

(links to later parts at the end of the article).

Plus this

https://lwn.net/Articles/604609/

for a related concept (cgroups).



Nicely demonstrated, but I actually had to type these commands in (cut-n-paste) to understand.

Probably could IMHO benefit from some simpler sentences to help most like-minded engineers to bridge the Linux namespace knowledge gap and get there quicker.

THEN again, I am not most like-minded engineers, just a lowly zero-buf network software architect for a layer-5 IPS/IDS system.

At any rate, it’s a great article of HOWTO “get there” due to its actual inner-working and interactivity between network realms being exposed.

Keep it up.


I would also throw this blog post series into the ring: https://www.schutzwerk.com/en/43/posts/linux_container_intro.... It can be quite terse at times, but seeing as it's not overly long it can still serve as good supplemental material.


This article is seriously awesome. I’ve never heard of this firm but I plan on reading their other blog content.


Good article.

I mostly deal with the NET namespace (eg. 100+ VPN WAN source-based router + IDS lol) but I've never read an article that explores other namespaces in detail.


I agree.

Most articles seem to be about VMs. I want to use cgroups and namespaces to manage apps I use daily and that can be easily compromised.

Things like, neovim plugins, the terminal (kitty now edits the zshrc) etc.

I am aware of sandbox tools, like firejail. But I wish there were more resources on how to manage local apps.
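The kind of "manage a local app with namespaces" setup the commenter is asking about, done with bare util-linux `unshare` rather than firejail. This is an added example, not code from the article, from bocker or from any commenter; it assumes a kernel that allows unprivileged user namespaces, util-linux `unshare`, and (optionally) iproute2 `ip`.

```shell
#!/bin/sh
# Run a local app (e.g. nvim with untrusted plugins) inside fresh user, mount,
# PID and network namespaces: no network, a private /tmp, and no view of the
# rest of the process table. Hypothetical helpers, not part of any tool.

# ns_id NAME: print the identity (inode) of this shell's namespace of type NAME,
# e.g. "net:[4026531840]"; two processes in the same namespace print the same.
ns_id() {
    readlink "/proc/self/ns/$1"
}

# sandbox_available: succeed if this kernel lets an unprivileged user create a
# user namespace with a network namespace inside it (seccomp/sysctl may forbid it).
sandbox_available() {
    unshare --user --map-root-user --net true 2>/dev/null
}

# sandbox_run CMD [ARGS...]: run CMD in the sandbox. --map-root-user makes us
# "root" inside the user namespace only, which is what lets us mount and bring
# up loopback there without any real privilege on the host.
sandbox_run() {
    unshare --user --map-root-user --net --mount --pid --fork \
        sh -c '
            # private scratch space so the app cannot read other programs files in /tmp
            mount -t tmpfs tmpfs /tmp || echo "warning: tmpfs /tmp failed" >&2
            # a new PID namespace needs its own /proc, otherwise ps/top show the host
            mount -t proc proc /proc || echo "warning: proc mount failed" >&2
            # only loopback comes up: the app can talk to itself, not to the world
            ip link set lo up 2>/dev/null || true
            exec "$@"
        ' sh "$@"
}

# ns_differs NAME: succeed if the sandboxed child really gets a new NAME namespace.
ns_differs() {
    outer=$(ns_id "$1")
    inner=$(sandbox_run readlink "/proc/self/ns/$1")
    [ -n "$inner" ] && [ "$outer" != "$inner" ]
}

# Typical use: sandbox_run nvim somefile.txt
```

If `sandbox_available` fails, the kernel (or a container runtime's seccomp profile) is blocking unprivileged user namespaces, and the same setup needs real root or a setuid helper such as firejail.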


You must be 007 :)



