Namespace in linux kernel


Containers: cgroups, Linux kernel namespaces, ufs, Docker, and intro to Kubernetes pods

54384
997
25
00:04:28
28.09.2017

Sean Wingert explains containers: cgroups, Linux kernel namespaces, union filesystems (ufs), Docker, PIDs, the cgroup hierarchy, and some basics of Kubernetes pods.

What's in a Name? - Linux Namespaces

9663
317
12
00:21:13
24.08.2020

In this episode of the CyberGizmo we explore namespaces for Linux, Docker containers and LXC. I will be discussing the 8 namespaces for Linux (as of kernel version 5.6). Music used in this video: "NonStop" by Kevin MacLeod (incompetech.com), licensed under Creative Commons: By Attribution 3.0 License.

How Docker Works - Intro to Namespaces

125063
5350
183
00:12:56
21.02.2020

Let's figure out how Docker works! We will investigate Docker by tracing the syscalls to find the Linux kernel feature called namespaces. We also learn about the different ones, like the process ID, network and mount namespaces. docker → dockerd → containerd → runC → unshare syscall. See also Part 1 and the LWN article on namespaces.

Linux/docker containers namespaces explained

1747
44
2
01:33:29
02.09.2021

We look at how Docker creates containers using Linux features like namespaces and cgroups to build a container in which Docker runs the application: 1) PID namespace 2) Network namespace 3) Mount (mnt) namespace 4) UTS namespace 5) IPC namespace 6) User namespace.

Linux Container Primitives: cgroups, namespaces, and more!

22538
714
30
00:34:27
08.05.2020

Samuel Karp, Amazon Web Services. In this session, we'll explore the different Linux primitives that are commonly used in implementing container runtimes. We'll learn about the Linux primitives that underlie container runtimes like Docker, including cgroups, namespaces, and union filesystems. We'll see how Docker uses these primitives, and how the OCI standard makes it possible to customize how your containers run. We'll also discuss alternative container runtimes like CRI-O, rkt, and systemd-nspawn and what makes them different. This will be an interactive session with a live demo and open questions.

Containers unplugged: Linux namespaces - Michael Kerrisk

13280
355
19
00:53:39
19.09.2019

Linux namespaces are a resource isolation technique. Each namespace type wraps some global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of that resource, when in fact there are multiple instances of the resource, with each instance private to a particular group of processes. Namespaces are key building blocks for a number of interesting technologies, most notably containers, but also a range of other interesting applications such as Flatpak and Firejail. In this presentation we'll look at various Linux namespace types, including UTS, mount, network, and PID namespaces, in order to understand what resources they govern and what use cases they serve. Along the way, we should have time for a live demo or two, so as to make the "theory" more concrete. Save the date for NDC TechTown 2020 (31st of August - 3rd of September).

A mechanism to isolate CPU topology information in the Linux kernel -- CPU Namespace

624
22
00:31:32
16.01.2022

(Pratik Rajesh Sampat, Gautham R. Shenoy) The CPU namespace aims to extend the current pool of namespaces in the kernel to isolate the system topology view from applications. The CPU namespace virtualizes the CPU information by maintaining an internal translation from the namespace CPU to the logical CPU in the kernel. The CPU namespace will also enable the existing interfaces like sys/proc, cgroupfs and the sched_set(/get)affinity syscalls to be context aware and divulge topology information based on the CPU namespace context that requests it. The aim of this talk is to propose a mechanism to isolate CPU topology information from applications that are running in a containerized environment. The potential utilities of having the proposed CPU isolation are as follows:

1. An interface for coherent information:
   a. Today, most applications that run in containers enforce their CPU limit requirements with the help of the cgroup interface. Cgroups are a control interface rather than an information interface; hence applications do not have a coherent view of the system and the restrictions they incur.
   b. The problem extends beyond coherency of information. Cloud runtime environments can request CPU runtime in millicores, which translates to using the CFS period and quota to limit CPU runtime in cgroups. However, applications generally operate in terms of threads with little to no cognizance of the millicore limit or its connotation. This can lead to unexpected running behaviour as well as a high impact on performance. Hence, having a coherent interface for divulging information based on the constraints set by different subsystems is important.
2. Potential security and fair-use implications on multi-tenant systems:
   a. An actor who is cognizant of the CPU node topology can schedule workloads and select CPUs such that the bus is flooded, causing a denial-of-service attack.
   b. Identifying the CPU system topology can help identify cores that are close to buses and peripherals such as GPUs, to get an undue latency advantage over the rest of the workloads.

Currently, all of the problems mentioned above can be mitigated with the use of lightweight VMs (Kata Containers). However, with a CPU namespace, the isolation advantages provided by a Kata Container can be achieved without the heaviness of a virtual machine. A survey RFD had been posted highlighting the problem, its impact and the current solutions that exist in userspace as well as in the kernel.

Videos licensed as CC BY-NC-SA 4.0. linux.conf.au is a conference about the Linux operating system, and all aspects of the thriving ecosystem of Free and Open Source Software that has grown up around it. Run since 1999, in a different Australian or New Zealand city each year, by a team of local volunteers, LCA invites more than 500 people to learn from the people who shape the future of Open Source. Produced by Next Day Video Australia. Fri Jan 14 14:40:00 2022 at Yuma Theatre.

[ENG] Christian Brauner: "Making the Kernel and Udev Namespace Aware" / #LinuxPiter

555
12
1
00:57:59
05.03.2019

Making the Kernel and Udev Namespace Aware. On non-embedded systems device management in Linux is a task split between kernelspace and userspace. Since the implementation of the devtmpfs pseudo filesystem the kernel is solely responsible for creating device nodes, while udev in userspace is mainly responsible for consistent device naming and permissions. The devtmpfs filesystem, however, is not namespace aware. As such, devices always belong to the initial user namespace. In times of SR-IOV enabled devices it is possible and needed to hand off devices to non-initial user namespaces. The last couple of months I've been working on making device management in the kernel namespace aware. With recent patchsets of mine we have now reached that goal. As such, userspace can now tie devices to a specific user namespace. This talk aims to do a couple of things. First, to give a more in-depth explanation of device management in Linux. Second, to explain the concept of namespace aware device management. Third, to explain the patchsets that were needed to make device management namespace aware. Christian Brauner, Tübingen, Germany. Software Engineer, Canonical Ltd. Christian Brauner is a kernel and core developer and maintainer of the LXD and LXC projects. He works mostly upstream on the Linux kernel and lower-level problems. He is strongly committed to working in the open, and a strong proponent of Free Software. Christian has been active in the open source community for a long time and is a frequent speaker at various large events. Linux Piter 2018.

Cgroups, namespaces, and beyond: what are containers made from?

183020
2947
53
00:54:25
03.12.2015

with Jérôme Petazzoni, Tinkerer Extraordinaire, Docker Linux containers are different from Solaris Zones or BSD Jails: they use discrete kernel features like cgroups, namespaces, SELinux, and more. We will describe those mechanisms in depth, as well as demo how to put them together to produce a container. We will also highlight how different container runtimes compare to each other. Learn more about Docker 🤍 Docker is an open platform for developers and system administrators to build, ship and run distributed applications. With Docker, IT organizations shrink application delivery from months to minutes, frictionlessly move workloads between data centers and the cloud and can achieve up to 20X greater efficiency in their use of computing resources. Inspired by an active community and by transparent, open source innovation, Docker containers have been downloaded more than 700 million times and Docker is used by millions of developers across thousands of the world’s most innovative organizations, including eBay, Baidu, the BBC, Goldman Sachs, Groupon, ING, Yelp, and Spotify. Docker’s rapid adoption has catalyzed an active ecosystem, resulting in more than 180,000 “Dockerized” applications, over 40 Docker-related startups and integration partnerships with AWS, Cloud Foundry, Google, IBM, Microsoft, OpenStack, Rackspace, Red Hat and VMware.

287 - Linux Kernel - Containers and Namespaces - struct ns_common, container_of() API

1817
25
1
00:27:15
11.02.2018

By Kiran Kankipati (see also his other YouTube channel, The FreeBSD Channel).

Network Namespaces Basics Explained in 15 Minutes

71109
2301
163
00:15:32
20.05.2019

Get introduced to the basics of network namespaces in Linux. Network namespaces are used by containerization technologies like Docker to isolate the network between containers. We'll start with a simple host. As we know already, containers are separated from the underlying host using namespaces. So what are namespaces? When the container is created we create a network namespace for it; that way it has no visibility into any network-related information on the host. Within its namespace the container can have its own virtual interfaces, routing and ARP tables. The container has an interface. To create a new network namespace on a Linux host, run the ip netns add command. In this case we create two network namespaces, red and blue. To list the network namespaces, run the ip netns command. To list the interfaces on my host, I run the ip link command. I see that my host has the loopback interface and the eth0 interface. Now, how do we view the same within the network namespace we created? How do we run the same command within the red or blue namespace? Prefix the command with ip netns exec followed by the namespace name, which is red. Now the ip link command will be executed inside the red namespace. Another way to do it is to add the -n option to the original ip link command. Both of these are the same; the second one is simpler, though. But remember this only works if you intend to run the ip command inside the namespace. As you can see, it only lists the loopback interface. You cannot see the eth0 interface on the host. So with namespaces we have successfully prevented the container from seeing the host's interface.

Kernel Internals | namespaces | cgroups | Containers | Docker

2061
43
8
00:23:44
02.08.2021

In this video, we talk about the kernel internals like namespaces, cgroups, unified file system (ufs), and capabilities, that give us modern containers.

Contents
00:00 - Intro
01:00 - What is a container, really?
05:48 - namespaces
14:23 - cgroups
16:48 - Different namespaces
17:48 - Unified File System (ufs)
19:27 - Linux capabilities
23:27 - Next

docker.md (notes from the video)
# namespaces
- create isolated and independent instances of user space
- 1 isolated instance = 1 container
- process id (pid)
- network (net)
- filesystem/mount (mnt)
- inter-proc comm (ipc)
- uts
- user
# control groups (cgroups)
- group resources
- apply limits
- 1 container = 1 cgroup
# unified file system (ufs)
- r/o file systems or block devices layered on top of one another
- a single r/w top layer
# capabilities
- fine-grained control over the privileges a user or process gets
- privileged = true
- docker uses a white list

References:
- Cgroups, namespaces, and beyond: what are containers made from?
- Runtime privilege and Linux capabilities

Linux kernel Namespace Discovery

278
2
0
00:02:33
08.10.2020

A video introduction to the lxkns web app tool for discovering the various kernel namespaces in Linux hosts. GitHub project: 🤍

Linux Control Groups (Cgroups) and NameSpacing | CGroup vs NameSpacing

8200
113
6
00:05:12
16.06.2019

In this video, I am going to explain what cgroups and namespacing are. You will get to know which resources you can control using cgroups and how namespacing works in the Linux operating system.

Current State of Kernel Audit and Linux Namespaces, Looking Ahead to Containers

6459
39
00:46:01
08.12.2016

Current State of Kernel Audit and Linux Namespaces, Looking Ahead to Containers - Richard Guy Briggs, Red Hat Namespaces have been around since the mount namespace was introduced over a decade ago and audit was introduced a couple of years later. Since then, audit's relationship with namespaces has evolved to restrict everything to PID and user initial namespaces for reporting integrity reasons, but then start to loosen things up again, first listening in all network namespaces, then permitting user audit message writes from any PID namespace. Looking forward, audit will need to run in containers, possibly for distributions, but more likely for docker micro-services to meet new certification requirements. Anchoring the audit daemon in the user namespace with its own rulespace and queue looks to make the most sense. Since the kernel has no concept of containers, identifying namespaces in audit messages will equip tracking tools to follow process events in containers. About Richard Guy Briggs Richard was an early adopter of Linux, having used it since 1992. He was also a founding board member of Ottawa Canada Linux Users Group and a speaker at the inaugural Ottawa Linux Symposium. Richard has written UNIX and Linux device drivers for telecom, video and network applications and embedded devices, having a good knowledge of IPsec protocols. He is comfortable in C, bash, Perl, with a soldering iron, oscilloscope, at a podium or chalkboard. He is now a Red Hat kernel security engineer.

User Namespaces Part 1, Phil Estes

8714
165
5
00:11:34
09.08.2017


286 Linux Kernel net_device - possible_net_t nd_net - Network namespace Linux Containers

584
12
0
00:18:39
02.02.2018

By Kiran Kankipati (see also his other YouTube channel, The FreeBSD Channel).

Introduction to Linux Network Namespaces

103746
2107
214
00:25:51
01.07.2015

An introduction to Linux network namespaces. This video is lab style, in that you can follow along on your own system or just watch. I walk through 2 examples mimicking how Mininet emulates hosts and how OpenStack provides DHCP services (they both use network namespaces). Related: my intro to OVS video and my intro to Mininet video. References: the Bob Lantz and Brian O'Connor Mininet presentation, the Linux networking documentation and the Linux networking entries.

Commands used:
- Checking out L2/L3: ip link; ip address; ip route
- Add an IP address to an interface: ip address add (ip/mask length) dev (intf name)
- Turn an interface up: ip link set dev (intf name) up
- Add a network namespace: ip netns add (name)
- Delete a network namespace: ip netns del (name)
- Execute a command in a specific namespace: ip netns exec (name) (command to execute)
- Move a port to a namespace: ip link set (intf name) netns (net namespace name)
- What net namespace is a process ID running in? ip netns identify (pid)
- OVS: add a vSwitch: ovs-vsctl add-br (name)
- Add an interface to an OVS instance: ovs-vsctl add-port (OVS name) (intf name)
- Create a veth pair: ip link add (end1 name) type veth peer name (end2 name)
- Place a port in a VLAN: ovs-vsctl set port (intf name) tag=(vlan number)
- Make a port type internal: ovs-vsctl set port (intf name) type=internal
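The host-versus-namespace interface listing that the KodeKloud walkthrough above does with ip netns add red and ip -n red link, and that this video's command list does with ip netns add (name) and ip netns exec (name) (command), rests on the unshare(2) call underneath both. The following C program, added here as an illustration and not taken from either video, does the same thing at the syscall level: it lists the interfaces it can see, unshares into a new network namespace, and lists again. It assumes a Linux host with /proc mounted and, for an unprivileged run, that unprivileged user namespaces are enabled (an "Operation not permitted" error from unshare means they are disabled by sysctl or blocked by a seccomp policy such as a container runtime's default profile). The function names are this example's own. Unlike ip netns add, it creates no persistent /run/netns/(name) bind mount, so the namespace disappears when the process exits.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <net/if.h>          /* IFNAMSIZ */

/* Fallbacks in case <sched.h> was seen before _GNU_SOURCE; values are from <linux/sched.h>. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
int unshare(int flags);

/* Parse /proc/self/net/dev: two header lines, then one "  name: rx... tx..." line per interface.
 * Returns the number of interface names stored (at most max). */
int parse_net_dev(const char *text, char names[][IFNAMSIZ], int max)
{
    int n = 0, line = 0;
    const char *p = text;
    while (*p != '\0' && n < max) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *colon = memchr(p, ':', len);
        if (line++ >= 2 && colon) {
            const char *s = p;
            while (s < colon && *s == ' ') s++;               /* names are right-aligned */
            size_t l = (size_t)(colon - s);
            if (l > IFNAMSIZ - 1) l = IFNAMSIZ - 1;
            memcpy(names[n], s, l);
            names[n][l] = '\0';
            n++;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return n;
}

/* Interfaces visible to the calling process. /proc/self/net reflects the caller's network
 * namespace, unlike /sys/class/net, which shows the namespace of whoever mounted that sysfs. */
int list_interfaces(char names[][IFNAMSIZ], int max)
{
    char buf[16384];
    FILE *f = fopen("/proc/self/net/dev", "r");
    if (!f) return -1;
    size_t len = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[len] = '\0';
    return parse_net_dev(buf, names, max);
}

/* Move the calling process into a brand-new network namespace (the syscall behind
 * "ip netns add"; no /run/netns/<name> bind mount is created here). Creating a net namespace
 * needs CAP_SYS_ADMIN in its owning user namespace, so an unprivileged caller first creates a
 * user namespace it holds capabilities in. Returns 0, or -1 with errno set. */
int enter_private_netns(void)
{
    if (unshare(CLONE_NEWNET) == 0) return 0;                 /* works when we already have CAP_SYS_ADMIN */
    return unshare(CLONE_NEWUSER | CLONE_NEWNET);
}

int main(void)
{
    char names[64][IFNAMSIZ];
    int n = list_interfaces(names, 64);
    printf("host view: %d interface(s):", n);
    for (int i = 0; i < n; i++) printf(" %s", names[i]);
    printf("\n");

    if (enter_private_netns() < 0) { perror("unshare(CLONE_NEWNET)"); return 1; }

    /* Like "ip netns exec red ip link": a fresh namespace has only a loopback device, and it
     * is down until something brings it up. eth0 and the host's routes are simply not there. */
    n = list_interfaces(names, 64);
    printf("inside the new namespace: %d interface(s):", n);
    for (int i = 0; i < n; i++) printf(" %s", names[i]);
    printf("\n");
    return 0;
}
```

Reading /proc/self/net/dev rather than /sys/class/net is deliberate: sysfs shows the namespace of the process that mounted it, so inside a fresh network namespace the old /sys would still list the host's eth0 and give a false picture of the isolation.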

Lesson 4: Whats under the hood - Namespaces, Cgroups and OverlayFS

19827
342
17
00:10:13
20.06.2017

Learn what makes containers possible and what's under the hood. This video talks about the technologies that Docker uses, such as namespaces, cgroups and overlayfs.

[RUS] Christian Brauner: "Making the Kernel and Udev Namespace Aware" / #LinuxPiter

149
1
0
00:57:59
05.03.2019

Russian-language recording of the Linux Piter 2018 talk listed above under [ENG]; same abstract.

Linux Namespaces - their part to play in linux containers.

821
29
3
00:20:32
08.06.2020

Just a really quick intro to Linux namespaces, and a little info on how this works in relation to what we think of as containers. I cut out like 41 minutes of me talking about random tangentially related topics, thoughts and comments! Next time you all need help going to sleep, and don't mind nightmares... I will post the raw unedited version :D Have a fantastic week!

Namespace and Cgroups Overview

2234
153
14
00:19:26
29.03.2021

Today I am going to look at two of the three building blocks for containers, in preparation for answering two questions I got on Fedora 34: 1) Are flatpaks safe to use given the security concerns a blogger published, and 2) Could you do a video explaining how containers work. Well, to do both of those I need to build up the platform on which containers (not just Docker) are built on Linux.

Linux Security Lesson 5 NameSpaces

281
2
0
00:54:02
24.11.2017

This video is part of a training created for the engineering school ENSIBS in Vannes, Brittany, France.

NYLUG Presents: Michael Kerrisk on Linux User Namespaces

1215
24
0
01:42:16
15.12.2018

The Linux kernel's user namespaces feature is one of the cornerstones in building many interesting technologies that allow isolation and sandboxing of applications, for example running containers without root privileges and sandboxes for web browser plug-ins. In this presentation, we'll look in detail at user namespaces, building up a basic understanding of what a user namespace is and going on to questions such as: what does being "superuser inside a user namespace" allow you to do (and what does it not allow); what is the relationship between user namespaces and other namespace types (PID, UTS, network, etc.); and what are the security implications of user namespaces? We'll also explore some simple shell commands that can be used for creating and experimenting with user namespaces in order to better understand how they work. We'll conclude with a brief survey of some use cases for user namespaces.

Embedded Linux Conference 2013 - Namespaces for Security

2903
15
00:56:36
07.03.2013

The Linux Foundation Embedded Linux Conference 2013 Namespaces for Security By Jake Edge San Francisco, California Namespace support has been growing in the Linux kernel, so there are now a number of ways that namespaces can be used to help protect Linux systems (embedded or otherwise) from exploits. Using namespaces (in particular, the mount, network, and user namespaces) can isolate processes in ways that will prevent some types of vulnerabilities from compromising more of the system. Namespaces can be used as part of a "defense in depth" strategy to avoid the harm (or most of the harm) from exploits of vulnerable user-space applications. This talk will be for developers of embedded systems, particularly "system level" developers. It will assume some knowledge of C and Linux, but not require in-depth knowledge of either. Participants can expect to come away with a good foundation on what namespaces are and can do, along with concrete ideas of how to use namespaces in their projects.

Linux Audit: Moving Beyond Kernel Namespaces to Audit Container IDs - Richard Guy Briggs, Red Hat

784
16
00:37:23
01.09.2018

Linux Audit: Moving Beyond Kernel Namespaces to Audit Container IDs - Richard Guy Briggs, Red Hat Audit will need to run in containers, possibly for distributions, but more likely for docker micro-services to meet new certification requirements. Since the kernel has no concept of containers, identifying the container involved in audit messages will equip tracking tools to follow process events in containers. Namespaces were the primary focus of my container audit presentation two years ago in Toronto. Feedback and further work made it clear that no one namespace or subset could be depended on to be part of a container, so another approach was needed to track container activity. Several design proposals and several patchsets have been posted aimed at providing a method of tracking container activity by audit. Allowing multiple audit daemons, each with its own rule space and queue along with a system-wide audit message routing configuration is the current plan. About Richard Guy Briggs Richard was an early adopter of Linux, having used it since 1992. He was also a founding board member of Ottawa Canada Linux Users Group and a speaker at the inaugural Ottawa Linux Symposium. Richard has written UNIX and Linux device drivers for telecom, video and network applications and embedded devices, having a good knowledge of IPsec protocols. He is comfortable in C, bash, Perl, with a soldering iron, oscilloscope, at a podium or chalkboard. He is now a Red Hat kernel security engineer.

Understanding user namespaces - Michael Kerrisk

4200
92
6
00:53:30
18.04.2019

User namespaces are at the heart of many interesting technologies that allow isolation and sandboxing of applications, for example running containers without root privileges and sandboxes for web browser plug-ins. In this tutorial, we'll look in detail at user namespaces, building up a basic understanding of what a user namespace is and going on to questions such as: what does being "superuser inside a user namespace" allow you to do (and what does it not allow); what is the relationship between user namespaces and other namespace types (PID, UTS, network, etc.); and what are the security implications of user namespaces? We'll also explore some simple shell commands that can be used for creating and experimenting with user namespaces in order to better understand how they work. Along the way, there will hopefully be time for a few live demos. Michael Kerrisk is the author of the acclaimed book "The Linux Programming Interface", a guide and reference for system programming on Linux and UNIX. He contributes to the Linux kernel primarily via documentation, review, and testing of new kernel-user-space interfaces. He has contributed to the Linux man-pages project since 2000, and has been the project maintainer since 2004. Michael is a trainer and consultant, living in Munich, Germany.

Namespaces for Security - Jake Edge, LWN.net

833
10
00:41:24
03.10.2013

LinuxCon and CloudOpen North America, 2013: Namespace support has been growing in the Linux kernel, so there are now a number of ways that namespaces can be used to help protect Linux systems from exploits. Using namespaces (in particular, the mount, network, PID, and user namespaces) can isolate processes in ways that will prevent some types of vulnerabilities from compromising more of the system. Namespaces can be used as part of a "defense in depth" strategy to avoid the harm (or most of the harm) from exploits of vulnerable user-space applications. This talk will be for Linux developers, particularly "system level" developers. It will assume some knowledge of C and Linux, but not require in-depth knowledge of either. Participants can expect to come away with a good foundation on what namespaces are and can do, along with concrete ideas of how to use namespaces in their projects.

Filesystem mounts in user namespaces - Christian Brauner

1165
20
0
00:28:42
20.04.2020

User namespaces have become one of the most important security features for container workloads. But since they can be created by any user on the system, they restrict access to a wide range of features, including the mounting of filesystems. In recent years a lot of work went into making mounts of filesystems from non-initial user namespaces safe. Starting with kernel 4.18 it is possible to mount FUSE filesystems in user namespaces. It is expected that overlayfs will follow in future kernel releases. In this talk we will take a closer look at the infrastructure that was added to the kernel, the underlying security mechanisms, and upcoming filesystems that might be available to unprivileged containers in the future. Christian Brauner is a core developer and maintainer of the LXD and LXC projects. He works mostly upstream for Canonical as part of the Ubuntu Server team on the Linux kernel and lower-level problems. He's been active in the open source community for a long time and is a frequent speaker at various large Linux events; he is also strongly committed to working in the open, and a strong proponent of Free Software. Container Camp.

Container Kernel Development - Christian Brauner, Canonical

294
5
00:50:35
11.09.2020


Containers unplugged: understanding user namespaces - Michael Kerrisk

5149
137
4
00:54:05
20.09.2019

User namespaces are at the heart of many interesting technologies that allow isolation and sandboxing of applications, for example running containers without root privileges and sandboxes for web browser plug-ins. In this presentation, we'll look in detail at user namespaces, building up a basic understanding of what a user namespace is and going on to questions such as: what does being "superuser inside a user namespace" allow you to do (and what does it not allow); what is the relationship between user namespaces and other namespace types (PID, UTS, network, etc.); and what are the security implications of user namespaces? We'll also explore some simple shell commands that can be used for creating and experimenting with user namespaces in order to better understand how they work. Along the way, there will hopefully be time for a few live demos. You will likely find it helpful to attend my other presentation, "Linux namespaces", beforehand, but this is not essential. Save the date for NDC TechTown 2020 (31st of August - 3rd of September).
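The three user-namespace talks above (Kerrisk's NYLUG presentation and the two "understanding user namespaces" recordings) all turn on the same question: what being "superuser inside a user namespace" does and does not let you do. The C program below, added here as an illustration and not Kerrisk's code, shows the answer in a few dozen lines: it calls unshare(CLONE_NEWUSER), writes the single-line uid_map and gid_map so that the caller is uid 0 inside, and then tries sethostname(2). That call fails with EPERM because the UTS namespace the process still shares with the host is owned by the initial user namespace, where the process holds no capabilities; it succeeds only after a new UTS namespace is created that the new user namespace owns. The names parse_id_map, map_to_outer and become_root_in_new_userns are this example's own; they work on the /proc/PID/uid_map format documented in user_namespaces(7). It assumes a single-threaded caller on a Linux host with unprivileged user namespaces enabled (otherwise unshare fails with EPERM).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fallbacks in case <sched.h> was seen before _GNU_SOURCE; values are from <linux/sched.h>. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS 0x04000000
#endif
int unshare(int flags);
int sethostname(const char *name, size_t len);

/* One line of /proc/PID/uid_map or gid_map: "<id inside ns> <id in parent ns> <count>". */
struct idmap { uid_t inside; uid_t outside; unsigned long count; };

/* Parse uid_map/gid_map text. Returns entries stored (at most max), or -1 on a malformed line. */
int parse_id_map(const char *text, struct idmap *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p != '\0' && n < max) {
        while (*p == ' ' || *p == '\t' || *p == '\n') p++;     /* skip blank lines */
        if (*p == '\0') break;
        unsigned long inside, outside, count;
        int used = 0;
        if (sscanf(p, "%lu %lu %lu%n", &inside, &outside, &count, &used) != 3)
            return -1;
        out[n].inside = (uid_t)inside;
        out[n].outside = (uid_t)outside;
        out[n].count = count;
        n++;
        for (p += used; *p != '\0' && *p != '\n'; p++) ;       /* drop the rest of the line */
    }
    return n;
}

/* Translate an ID seen inside the namespace to the parent namespace's ID, or -1 if no mapping
 * covers it (the kernel then shows the overflow ID, 65534 by default). */
long map_to_outer(const struct idmap *m, int n, uid_t inside)
{
    for (int i = 0; i < n; i++)
        if (inside >= m[i].inside && inside - m[i].inside < m[i].count)
            return (long)m[i].outside + (long)(inside - m[i].inside);
    return -1;
}

static int write_text(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, text, strlen(text));
    close(fd);
    return w == (ssize_t)strlen(text) ? 0 : -1;
}

/* Create a user namespace and map the caller's UID/GID to 0 inside it. Returns 0, or -1 with
 * errno set (EPERM: unprivileged user namespaces disabled or unshare blocked by seccomp;
 * EINVAL: caller is multithreaded). */
int become_root_in_new_userns(void)
{
    char line[64];
    uid_t uid = geteuid();
    gid_t gid = getegid();
    if (unshare(CLONE_NEWUSER) < 0) return -1;
    /* An unprivileged process must disable setgroups() before gid_map may be written (Linux 3.19+). */
    if (write_text("/proc/self/setgroups", "deny") < 0) return -1;
    snprintf(line, sizeof line, "0 %lu 1\n", (unsigned long)uid);
    if (write_text("/proc/self/uid_map", line) < 0) return -1;
    snprintf(line, sizeof line, "0 %lu 1\n", (unsigned long)gid);
    return write_text("/proc/self/gid_map", line);
}

/* A privileged operation to probe with: returns 0 on success or the errno value on failure. */
int try_sethostname(const char *name)
{
    return sethostname(name, strlen(name)) == 0 ? 0 : errno;
}

int main(void)
{
    struct idmap map[8];
    char text[512];
    printf("before: euid=%lu\n", (unsigned long)geteuid());
    if (become_root_in_new_userns() < 0) { perror("unshare(CLONE_NEWUSER)"); return 1; }
    printf("after:  euid=%lu (root inside the new user namespace only)\n", (unsigned long)geteuid());

    FILE *f = fopen("/proc/self/uid_map", "r");
    size_t len = f ? fread(text, 1, sizeof text - 1, f) : 0;
    text[len] = '\0';
    if (f) fclose(f);
    int n = parse_id_map(text, map, 8);
    printf("uid_map: %d entries; inside uid 0 is outside uid %ld\n", n, map_to_outer(map, n, 0));

    /* The UTS namespace we still share with the host is owned by the initial user namespace, where
     * we hold no capabilities, so CAP_SYS_ADMIN "inside" does not reach the host's hostname. */
    int err = try_sethostname("sandbox");
    printf("sethostname in host UTS ns: %s\n", err ? strerror(err) : "succeeded (unexpected)");

    /* A UTS namespace created now is owned by our user namespace, so the same call succeeds and
     * only processes inside that UTS namespace see the new name. */
    if (unshare(CLONE_NEWUTS) == 0) {
        err = try_sethostname("sandbox");
        printf("sethostname in own UTS ns: %s\n", err ? strerror(err) : "succeeded");
    }
    return 0;
}
```

The same ownership rule is what makes the mount and network restrictions in the other talks on this page fall out naturally: a capability only counts in namespaces owned by the user namespace that granted it, so "root" created by an unprivileged user never reaches resources owned by the initial user namespace.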

x224 Linux Kernel Dummy Network Interface /drivers/net/dummy.c Network Namespace Research Part-1

888
7
00:13:09
26.12.2020

Linux kernel and systems programming classes. Links: Linux kernel dummy interface driver source; tldp.org, The Dummy Interface. Videos: online course on Linux TUN/TAP virtual network interfaces. By Kiran Kankipati, The Linux Channel (see also The FreeBSD Channel).

Linux Network NameSpace Commands

2311
7
0
00:02:49
18.08.2015

A short video introduction of commands to manage Network NameSpace in Linux

Deepdive Containers - Kernel Sources and nsenter

39524
1524
63
00:11:46
26.02.2020

Let's play around with Docker a bit more. We learn about the nsenter command, how kernel code execution allows escaping from Docker, and we look at the Linux kernel source code of getpid(). References: Daniel Mitre's blog, bocker, Elixir, Denis Andzakovic.

Address Space Isolation in the Linux Kernel

1675
22
2
00:43:49
30.07.2020

by James Bottomley and Mike Rapoport At: FOSDEM 2020 🤍 Security is a big problem, especially in the cloud of container workloads. This presentation investigates improving security in the Linux kernel itself. The first target is securing sensitive application data, for instance, private keys. Address space isolation has been used to protect the kernel and userspace programs from each other since the invention of virtual memory. Assuming that kernel bugs and therefore exploits are inevitable, it might be worth isolating parts of the kernel to minimize the damage that these exploits can cause. Moreover, restricted mappings in kernel mode may improve mitigation of hardware speculation vulnerabilities. There are several ongoing efforts to use restricted address spaces in the Linux kernel for various use cases: * speculation vulnerabilities mitigation in KVM * support for memory areas visible only in a single owning context * hardening of Linux containers. We are going to present the approach for the implementation of restricted mappings in the Linux kernel and how this implementation would be used with various use cases. We are also going to take a closer look at the possibility of assigning an address space to Linux namespaces, so that tasks running in namespace A have a different view of kernel memory mappings than the tasks running in namespace B. For instance, by keeping all the objects in a network namespace private, we can achieve levels of isolation equivalent to running a separate network stack. Room: K.1.105 (La Fontaine) Scheduled start: 2020-02-01 15:00:00

NVMe® Zoned Namespace SSDs & The Zoned Storage Linux Software Ecosystem

1894
24
0
00:59:00
15.09.2020

Zoned Namespace (ZNS) is a new NVMe™ Command Set for SSDs, which exposes a zoned block storage interface between the host and the SSD. This allows more explicit data placement policies from the host, resulting in less over-provisioning, less write amplification and tighter I/O access latencies. In this talk, we will cover the ZNS command set, the Linux zoned storage ecosystem and the changes to enable ZNS SSDs. We will show how the Linux kernel storage stack enables ZNS, and how new and existing tools and libraries enable one to better utilize and take advantage of the ZNS SSD benefits. Presenters: Damien Le Moal, Western Digital and Javier González, Samsung

S2 Kernel User Space,Process,Thread,Namespace,Cgroup

320
7
1
00:09:59
13.02.2021

Arabic: Kernel & User Space, Processes, Linux Threads, Namespaces, Cgroups Google Drive Slides: 🤍

Overview and Recent Developments: Namespaces and Capabilities - Christian Brauner, Canonical Ltd.

1485
29
00:35:22
31.10.2018

Overview and Recent Developments: Namespaces and Capabilities - Christian Brauner, Canonical Ltd. This presentation will cover the current state of namespaces and capabilities. We will cover recent developments and take a look at new features currently being developed and touch on some open problems. About Christian Brauner Christian Brauner is a kernel and core developer and maintainer of the LXD and LXC projects. He works mostly upstream on the Linux Kernel and lower-level problems. He is strongly committed to working in the open, and a strong proponent of Free Software. Christian has been active in the open source community for a long time and is a frequent speaker at various large events: Nvidia GPU Technology Conference, San José 2018; FOSDEM 2016, 2017, 2018; Linux Piter 2017; Linux Plumbers 2016, 2017; Open Source Summit, NA 2017, 2018; Open Source Summit, EU 2017, 2018; Container Camp, UK 2018; Container Camp, Sydney 2017

Cgroup Slab Memory Controller and Time Namespace - DevConf.CZ 2021

155
1
0
00:21:25
14.03.2021

Speaker: Waiman Long Control groups (cgroups) and namespaces are the two major features in the Linux kernel that make containers possible. There are some exciting new cgroup and namespace features in the latest Linux kernel that can improve the container experience. This talk will focus on two major features that are being back-ported to the RHEL8 kernel, namely the new cgroup slab memory controller and the time namespace. This talk will describe what these features are, discuss their underlying implementation, and explain what improvement they will bring to the container experience. Schedule: 🤍

Linux, Namespaces, Cgroups and Containers

293
12
1
00:23:57
27.04.2022

A fragment of the 1st lecture of our course "Deploying Applications in Kubernetes": 🤍 Contents: How the isolation of containers from one another manifests 0:00 What descriptors are 1:18 The basis and essence of containers 3:40 Running a process in another process's namespace 5:15 Disadvantages of containers compared to VMs 7:18 Main differences between a container and a VM 9:07 How an OS feature is integrated into an image and what an image contains 10:45 Control Groups, cgroups 13:44 Docker's task: how does it all work? 16:55 chroot 22:15 Presented by our lead instructor Igor Latkin. Don't miss future course enrollments, join the chat: 🤍 Metaclass School website: 🤍
