Namespace :
Docker uses a technology called namespaces to provide the isolated work space called the container. When you run a container, Docker creates a set of namespaces for that container.
These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace.
Docker Engine uses namespaces such as the following on Linux:
- The pid namespace: Process isolation (PID: Process ID).
- The net namespace: Managing network interfaces (NET: Networking).
- The ipc namespace: Managing access to IPC resources (IPC: InterProcess Communication).
- The mnt namespace: Managing filesystem mount points (MNT: Mount).
- The uts namespace: Isolating kernel and version identifiers. (UTS: Unix Timesharing System).
Let see tool called nsenter which helps in accessing the container. nsenter is a small tool allowing to enter into namespaces. Technically, it can enter existing namespaces, or spawn a process into a new set of namespaces.
Let’s try nsenter, starting with the installation of this tool.
nsenter
The nsenter tool is part of the util-linux package since version 2.23. It provides access to the namespace of another process. nsenter requires root privileges to work properly. Unfortunately, util-linux is still at version 2.20 in Ubuntu 14.04. To install the latest version (2.24) proceed as follows:
# cd /tmp # curl https://www.kernel.org/pub/linux/utils/util-linux/v2.24/util-linux-2.24.tar.gz | tar -zxf- # cd util-linux-2.24 # ./configure --without-ncurses # make nsenter # cp nsenter /usr/local/bin
Or To run as a container,
# docker run -v /usr/local/bin:/target jpetazzo/nsenter
Let us find what containers are running currently:
# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
For now, there is no running containers, Let’s start containers and see around
# docker run -it c16fe938c1a5 /bin/bash root@dbc6276a3fb6:/src#
Press Ctrl P + Q to come out of the shell without stopping the container.
Verify that the container is running now:
# docker ps
Run the below command to fetch the PID for the container
# docker inspect -f '{{ .State.Pid }}' 841a00f6a396
Make sure the value is saved correctly using following command,
# echo $PID 18441
Finally run the nsenter utility on the host machine to access the namespace:
# nsenter –target $PID –mount –uts –ipc –net –pid root@841a00f6a396:/#
nsenter
does not drop capabilities; so the shell started by nsenter
can do more stuff (and more harm!) than a normal process running within the container.
nsinit
Since version 0.9 Docker offers its own library for managing containers called libcontainer. The tool nsinit of the libcontainer allows the user direct access to the linux namespace and cgroup** kernel features. Before you can install nsinit you have to install the Go runtime environment:
# apt-get install git golang-go # mkdir -p $HOME/go-dev/bin # mkdir -p $HOME/go-dev/src # echo "export GOPATH=\$HOME/go-dev" >> ~/.profile # echo "PATH=\$PATH:\$GOPATH/bin" >> ~/.profile # source ~/.profile
In a second step, you install nsinit:
# mkdir -p $GOPATH/src/github.com/dotcloud # cd $GOPATH/src/github.com/dotcloud # git clone https://github.com/dotcloud/docker.git # cd $GOPATH/src/github.com/dotcloud/docker
nsinit reads the configuration data from the container directory located in /var/lib/docker/execdriver/native/<container-id>. In order to use nsinit you have to change into that container directory. This requires root privileges because the directory /var/lib/docker is only readable for root. The container id can be determined with the docker ps command. Once you stepped into the directory you can connect to the container:
# nsinit exec /bin/bash
**cgroups(Control Group): A cgroup limits an application to a specific set of resources. Control groups allow Docker Engine to share available hardware resources to containers and optionally enforce limits and constraints. For example, you can limit the memory available to a specific container.