Linux 容器相关的2个重要概念

最新推荐文章于 2023-12-20 14:37:01 发布

tycoon1988

最新推荐文章于 2023-12-20 14:37:01 发布

阅读量760

点赞数

分类专栏： linux开发新手开发linux

本文链接：https://blog.csdn.net/tycoon1988/article/details/39054105

版权

linux开发同时被 2 个专栏收录

107 篇文章 0 订阅

订阅专栏

新手开发linux

79 篇文章 0 订阅

订阅专栏

http://www.cnblogs.com/wang_yb/p/3923040.html

Linux资源控制-CPU和内存

http://www.cnblogs.com/wang_yb/p/3942208.html

LXC CPU资源隔离与动态调整测试

http://blog.sina.com.cn/s/blog_999d1f4c0101ea53.html

LXC 通过利用内核的CGroup来提供用户空间的对象，用来保证资源的隔离和对于应用或者系统的资源控制，通过namespaces提供资源隔离。

LXC是一种不同于KVM的另类的虚拟化实现方案，容器有效地将由单个OS管理的资源（计算，存储，网络）划分到孤立的组中，与传统的虚拟化相比，这样不需要指令级模拟。避免了虚拟化中系统调用替换中的复杂性。容器是下列两个技术的结合，在chroot的基础上，使用namespace增强chroot环境的隔离性，使之成为有效的容器：

1）chroot,在linux系统中，根目录就是”/”，但使用chroot可以用任意指定的目录作根目录

2）namespace, 相当于单独的TCP/IP进程，用于网络资源的隔离

通过提供一种创建(创建容器就是将一个名称与一个配置文件关联，lxc-create-n name -f configfile)和进入容器的方式（ssh,VNC (GUI), VT: tty (text),VT:X(GUI)，操作系统让应用就像在独立的机器上运行一样，但又能共享很多底层的资源。LXC配置文件的例子如下：

lxc.utsname = my_ssh_container
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.ipv4 = 10.0.2.16/24
lxc.network.name = eth0
lxc.mount = ./fstab
lxc.rootfs = ./rootfs

无论配置文件如何，用LXC工具启动的容器有自己的系统进程视图，以及自己的挂载树和可用的进程间通信（IPC）资源视图。除了这些以外，当一个容器启动时，配置中未提到的任何类型的资源都被认为是与主机共享。

I am using following C function to create multiple network namespaces from a single process instance:

void create_namespace(const char *ns_name)
{
    char ns_path[100];

    snprintf(ns_path, 100, "%s/%s", "/var/run/netns", ns_name);
    close(open(ns_path, O_RDONLY|O_CREAT|O_EXCL, 0));
    unshare(CLONE_NEWNET);
    mount("/proc/self/ns/net", ns_path, "none", MS_BIND , NULL);
}

After my process creates all the namspaces and I add a tap interface to any of the one network namespace (with ip link set tap1 netns ns1 command), then I actually see this interface in all of the namespaces (presumably, this is actually a single namespace that goes under different names).

But, if I create multiple namespaces by using multiple processes, then everything is working just fine.

What could be wrong here? Do I have to pass any additional flags to the unshare() to get this working from a single process instance? Is there a limitation that a single process instance can't create multiple network namespaces? Or is there a problem with mount() call, because /proc/self/ns/net is actually mounted multiple times?

Update: It seems that unshare() function creates multiple network namespaces correctly, but all the mount points in /var/run/netns/ actually reference to the first network namespace that was mounted in that direcotry.

Update2: It seems that the best approach is to fork() another process and execute create_namespace() function from there. Anyway, I would be glad to hear a better solution that does not involve fork() call or at least get a confirmation that would prove that it is impossible to create and manage multiple network namespaces from a single process.

Update3: I am able to create multiple namespaces with unshare() by using the following code:

int  main() {
    create_namespace("a");
    system("ip tuntap add mode tap tapa");
    system("ifconfig -a");//shows lo and tapA interface
    create_namespace("b");
    system("ip tuntap add mode tap tapb");
    system("ifconfig -a");//show lo and tapB interface, but does not show tapA. So this is second namespace created.
}

But after the process terminates and I execute ip netns exec a ifconfig -a and ip netns exec b ifconfig -a it seems that both commands were suddenly executed in namespace a. So the actual problem is storing the references to the namespaces (or calling mount() the right way. But I am not sure, if this is possible).