Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Linux Namespace
Search
Masami Ichikawa
September 28, 2014
Programming
94
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Linux Namespace
Masami Ichikawa
September 28, 2014
More Decks by Masami Ichikawa
See All by Masami Ichikawa
cgroupsとプロセス生成・終了処理
masami256
1
1.4k
Linux の Debug 機能
masami256
0
110
Linux Namespaces
masami256
0
82
slub: alloc and free
masami256
0
99
SLUB data structures
masami256
0
130
SystemV IPC
masami256
0
140
とある帽子の大蛇料理Ⅱ
masami256
0
100
Gnomeとdogtail
masami256
0
110
x86 とコンテキストスイッチ
masami256
0
300
Other Decks in Programming
See All in Programming
Performance Engineering for Everyone
elenatanasoiu
0
260
OS アップデート対応の取り組み方がもっと共有されてほしい
andpad
0
110
Contextとはなにか
chiroruxx
1
390
なぜ関数型プログラミングで「型」と「証明」が語られるのか #fp_matsuri
kajitack
3
760
Snowflake Summitでの新機能 CoCo / CoWork / snowflake-summit-2026-overall-what-new-coco
tatsuhiro
1
220
AI駆動開発を妨げる技術的負債の解消アプローチ / ai-refactoring-approach
minodriven
17
8.8k
SREは、MCPとSRE Agentをこう使え!
kazumax55
0
150
Hunting Vulnerabilities in Symfony with LLMs
vinceamstoutz
0
580
AIを活用したE2Eテスト実装効率化のあゆみ / ebisu-mobile-14-kotetu
kotetuco
0
170
トークンをケチるな、設計しろ:GitHub Copilotを賢く使うコンテキスト戦略
ochtum
0
300
Observability in Practice:Grafana 與 Edge Device SRE 的那些事
blueswen
0
190
これからAgentCoreを触る方へトレンドはGatewayです
har1101
6
480
Featured
See All Featured
Building an army of robots
kneath
306
46k
A better future with KSS
kneath
240
18k
Git: the NoSQL Database
bkeepers
PRO
432
67k
First, design no harm
axbom
PRO
2
1.2k
[SF Ruby Conf 2025] Rails X
palkan
2
1.1k
Navigating Weather and Climate Data
rabernat
0
290
svc-hook: hooking system calls on ARM64 by binary rewriting
retrage
2
330
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
46
2.9k
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
davidcarrasco
3
180
Getting science done with accelerated Python computing platforms
jacobtomlinson
2
260
Code Review Best Practice
trishagee
74
20k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Transcript
-JOVY/BNFTQBDF !NBTBNJ
5BCMFPG$POUFOUT w /BNFTQBDFPWFSWJFX w 4ZTUFNDBMMT w LFSOFMJNQMFNFOUBUJPO w /BNFTQBDF&YBNQMF
OBNFTQBDF PWFSWJFX
/BNFTQBDF w Ϧιʔε w ॴҦίϯςφܕԾԽΛ࣮ݱ͢Δ্Ͱॏཁͳػ ೳͷҰͭ
3FTPVSDF w /BNFTQBDFʹ͓͚ΔϦιʔε w DQVNFNPSZͱݴͬͨཧతͳܭࢉࢿݯͰ ͳ͍ w ϗετ໊ɺωοτϫʔΫઃఆɺQJEͳͲͷΧʔω ϧ͕ѻ͏σʔλ
'FBUVSF w ϓϩηεؒͰΧʔωϧͷϦιʔεΛڞ༗ w GPSL ͷ࣮ߦ࣌ϓϩηεͱϦιʔεΛڞ༗ w OBNFTQBDFຖʹಠཱͨ͠Ϧιʔε w
໊લۭؒͷঢ়ଶΛม͑ΔΑ͏ͳॲཧΛߦͬͯ ผͷ໊લۭؒʹଐ͢ΔϓϩηεʹӨڹٴ ͳ͍
/BNFTQBDFSFQSFTFOUBUJPO w ໊લۭؒϑΝΠϧͱͯ͠Ϣʔβʔۭ͔ؒΒݟ͑ Δ w TFUOT Ͱར༻ masami@miko:~$ ls
-l /proc/self/ns total 0 dr-x--x--x 2 masami masami 0 Aug 31 00:15 . dr-xr-xr-x 8 masami masami 0 Aug 31 00:15 .. lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 ipc -> ipc:[4026531839] lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 mnt -> mnt:[4026531840] lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 net -> net:[4026531957] lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 pid -> pid:[4026531836] lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 user -> user:[4026531837] lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 uts -> uts:[4026531838]
/BNFTQBDFT w VUT w OFU w QJE w NOU w
JQD w VTFS
VUTOBNFTQBDF w ϗετ໊ɺυϝΠϯ໊ͳͲͷσʔλ w Χʔωϧόʔδϣϯ͋Δ͕มߋෆՄ w ήετ͕ࣗϗετ໊Λม͑ͯϗετ04ଆʹ ӨڹͰͳ͍
OFUOBNFTQBDF w ωοτϫʔΫؔ࿈ͷϦιʔε w /FUXPSLEFWJDF w *1BEESFTT w 3PVUJOHUBCMF w
'JMUFSJOHUBCMF w 1PSUOVNCFS w QSPDOFU w FUDʜ
QJEOBNFTQBDF w ϓϩηεͱผͷQJEΛར༻Մೳʹ w OBNFTQBDF"ͷQJEɿͱOBNFTQBDF#ͷ QJEɿผͷଘࡏ w QSPDGTΛదʹ͚ΕଞͷOBNFTQDFͷϓϩ ηεΛࢀরͰ͖ͳ͘ͳΔ
NOUOBNFTQBDF w Ϛϯτ͍ͯ͠ΔϑΝΠϧγεςϜΛද͢ w ໊લۭؒ࣌ϓϩηεͷNOUOBNFTQBDF Λίϐʔ w ޙʹϓϩηε͕VTCTUJDLͳͲΛϚϯ τͯ͠ήετଆ͔Βݟ͑ͳ͍
JQDOBNFTQBDF w 4ZTUFN7*1$Ͱ༻͢ΔϦιʔεΛ w ڞ༗ϝϞϦɺηϚϑΥɺϝοηʔδΩϡʔ
VTFSOBNFTQBDF w ϗετͱผͷVJEHJEମܥΛ࣋ͯΔ w ϗετͷVJEHJEͱήετͷVJEHJEϚοϐϯά͕ඞཁ w ઃఆ͠ͳ͍ͱ͕ઃఆ͞ΕΔ w HSPVQT൪ͷHSPVQೖΓ͢Δ w
ଞͷOBNFTQBDFͱҧ͍ɺಠཱ͍ͯ͠ͳ͍ w ଞͷOBNFTQBDFۭؒݸʑʹVTFSOBNFTQBDFΛ͍࣋ͬͯΔ w ֤OBNFTQBDFͷίϐʔॲཧؔVTFSOTΛड͚औΔͷͰ HFU@VTFS@OT ͰࢀরΧϯτΛ૿͍ͯ͠Δ
VJEHJENBQQJOH w ϚοϐϯάΛߦ͏γεςϜίʔϧແ͍ w ҎԼͷϑΝΠϧΛ༻͍ͯϚοϐϯάΛ࣮ࢪ w QSPDQJEVJE@NBQ w QSPDQJEHJE@NBQ
VJEHJENBQQJOH w ήετͷVJEΛϗετͷVJEʹϚοϐϯά w HJEಉ༷ʹ masami@miko:~$ ./a.out -U -M '0
1000 1' -G '0 1000 1' bash root@miko:~# id uid=0(root) gid=0(root) groups=0(root),65534 root@miko:~# cat /proc/self/uid_map /proc/self/gid_map 0 1000 1 0 1000 1 root@miko:~# touch test.txt root@miko:~# ls -la test.txt -rw-r--r-- 1 root root 0 Aug 31 12:00 test.txt root@miko:~# """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" masami@miko:~$ ls -la test.txt -rw-r--r-- 1 masami masami 0 Aug 31 12:00 test.txt masami@miko:~$
*OBOVTFSOBNFTQBDF wϚοϐϯάͳ͠ͰVTFSOBNFTQBDFΛVOTIBSF I have no name!@miko:/proc/640$ ls -la /usr/bin/sudo -rwsr-xr-x
1 65534 65534 142792 May 9 15:58 /usr/bin/sudo ! w௨ৗͷঢ়ଶ I have no name!@miko:/proc/640$ exit logout masami@miko:~$ ls -la /usr/bin/sudo -rwsr-xr-x 1 root root 142792 May 9 15:58 /usr/bin/sudo
IPXUPVJEHJENBQQJOH DMPOF ΛݺͿ $-0/&@/&864&3ΛqBHTʹηοτ FYFD ܥͷγεςϜίʔϧΛݺͿલʹϚοϐϯάΛߦ͏
QSPDDIJMEQSPDFTTQJEVJE@NBQ QSPDDIJMEQSPDFTTQJEHJE@NBQ FYFD ܥͷؔΛݺΜͰ৽ͨͳϓϩάϥϜΛ࣮ߦ
TZTUFNDBMMT
TZTUFNDBMMT w DMPOF w VOTIBSF w
TFUOT
DMPOF w DMPOF ͰQJEOBNFTQBDFΛͨ͠ w ࢠϓϩηε͔ΒݟΔͱࣗͷQJEͱͯ͠ݟ͑Δ w
ϓϩηε͔ΒϓϩηεͷQJEOBNFTQBDFͰͷ QJE͕ৼΒΕͨΑ͏ʹݟ͑Δ w DMPOF ͷΓΛͬͯXBJUQJE Ͱͭ͜ͱ ͕Ͱ͖Δ
DMPOF $-0/&@/&8654 VUTOBNFTQBDF $-0/&@/&81*% QJEOBNFDQBDF $-0/&@/&8/4 NOUOBNFTQBDF $-0/&@/&8/&5 OFUOBNFTQBDF
$-0/&@/&8*1$ JQDOBNFTQBDF $-0/&@/&864&3 VTFSOBNFTQBDF DMPOF Ͱ༻͢ΔϑϥάTDIFEIΛJODMVEFͯ͠༻Ͱ͖Δ͕ɺ $-0/&@/&864&3@(/6@4063$&ΛEFpOF͢Δඞཁ͋Γ
VOTIBSF w ࣗΛϓϩηεͷ໊લۭ͔ؒΒͤ͞Δ w QJEOBNFTQBDFͰ͖ͳ͍ w Ұ࣌ظαϙʔτ͞Ε͍͕͔ͯͨΒର֎ʹͳͬͨ w QJEOT%POUIBWFVOTIBSF
$-0/&@/&81*% JNQMZ $-0/&@5)3&"% w IUUQTHJUIVCDPNUPSWBMETMJOVYDPNNJU FDFCECGDCGEEF w VOTIBSF ͷ߹ΤϥʔʹͳΒͳ͍͕Կ͓͖ͳ͍
TFUOT w طଘͷ໊લۭؒʹࣗΛࢀՃͤ͞Δ w DMPOF ɺVOTIBSF ͷ໊લۭ͔ؒΒͯ͠৽نͷ
໊લۭؒΛ࣋ͭΑ͏ʹͳΔ w ໊લۭؒͷࢀՃʹରͷ໊લۭؒͷϑΝΠϧσΟεΫϦϓ λΛ༻͢Δ w ผͷQJEOBNFTQBDFʹࢀՃ͢Δ߹ɺϓϩηεࣗͷQJE มΘΒͳ͍ w ࢠϓϩηε͔ΒQJE͕มΘΔ
LFSOFM JNQMFNFOUBUJPO
LFSOFMOTQSPYZD w OBNFTQBDFڞ௨ͷॲཧΛߦ͏ w OBNFTQBDFͷ࡞ɺίϐʔͳͲ w ݸʑͷOBNFTQBDFʹ͍ͭͯͦΕͧΕ͕࣮ࢪ
LFSOFMOTQSPYZD w લεϥΠυͰOBNFTQBDFڞ௨ͱઆ໌͚ͨ͠Ͳ w VTFSOBNFTQBDFѻ͍ͬͯͳ͍ w VTFSOBNFTQBDFDSFEDݸʑͷ OBNFTQBDF͕ཧ
TUSVDUOTQSPYZ w ֤OBNFTQBDFͷσʔλΛอ࣋͢Δߏମ ! struct nsproxy { atomic_t count; struct
uts_namespace *uts_ns; struct ipc_namespace *ipc_ns; struct mnt_namespace *mnt_ns; struct pid_namespace *pid_ns_for_children; struct net *net_ns; }; wVTFSOBNFTQBDFTUSVDUDSFEʹͯཧ wTUSVDUUBTL@TUSVDUͷSFBM@DSFBE͔ΒVTFSOBNFTQBDFΛࢀর
DPNNPOOBNFTQBDF TUSVDUVSF w ֤OBNFTQBDFҎԼͷมΛඞͣ࣋ͭ w ࢀরΧϯλ w QSPDGTͷJOPEF൪߸ w VTFSOBNFTQBDF
w VTFSOBNFTQBDFͷ߹ϓϩηεͷϙΠϯλ
JOJU@OTQSPYZ w ࠷ॳͷϓϩηεʹઃఆ͞ΕΔOTQSPYZߏମ w ͜ΕҎ߱GPSLܥؔͷݺͼग़࣌͠ʹ͜ͷߏ ମͷࢀরΧϯλΛΠϯΫϦϝϯτ w OBNFTQBDFΛ͚ͳ͍߹ɿʣ
TUSVDUOTQSPYZ w NPVOUOBNFTQBDFҎ֎Ϗϧυ࣌ʹઃఆ struct nsproxy init_nsproxy = { .count =
ATOMIC_INIT(1), .uts_ns = &init_uts_ns, #if defined(CONFIG_POSIX_MQUEUE) || defined(CONFIG_SYSVIPC) .ipc_ns = &init_ipc_ns, #endif .mnt_ns = NULL, .pid_ns_for_children = &init_pid_ns, #ifdef CONFIG_NET .net_ns = &init_net, #endif };
*OJUJBMJ[FNOU@OT wJOJU@NPVOU@USFF ͔Β͕࣮ࡍͷॲཧ start_kernel() @init/main.c --> vfs_caches_init() @fs/dcache.c --> mnt_init()
@fs/namespace.c --> init_mount_tree() @fs/namespace.c --> create_mnt_ns() @fs/namespace.c
*OJUJBMJ[FVTFS@OT w VTFS@OTTUSVDUDSFEͷσʔλॳظԽ࣌ʹઃఆ struct cred init_cred = { .usage =
ATOMIC_INIT(4), ~ུ~ .cap_bset = CAP_FULL_SET, .user = INIT_USER, .user_ns = &init_user_ns,
DPQZ@OBNFTQBDF w JOUDPQZ@OBNFTQBDFT VOTJHOFEMPOHqBHT TUSVDU UBTL@TUSVDU UTL w DPQZ@QSPDFTT
ΑΓݺΕΔ w qBHʹ$-0/&@/&8999͕ηοτ͞Ε͍ͯͳ͚ΕΧ ϨϯτϓϩηεͷOTQSPYZߏମͷࢀরΧϯλΛ w ͦ͏Ͱͳ͚ΕDSFBUF@OFX@OBNFTQBDF Ͱ֘͢Δ OBNFTQBDFΛ࡞͢Δ
TXJUDI@UBTL@OBNFTQBDF w WPJETXJUDI@UBTL@OBNFTQBDFT TUSVDU UBTL@TUSVDU UTL TUSVDUOTQSPYZ OFX w
ΧϨϯτϓϩηεͷ໊લۭؒΓସ͑Λߦ͏ w VOTIBSF Ͱ༻ w ϓϩηεͷFYJU ࣌ʹ༻ w Γସ͑ઌͷOBNFTQBDFʹ/6--Λઃఆ
TXJUDI@UBTL@OBNFTQBDF w OBNFTQBDFΛΓସ͑ͨ݁ՌɺΓସ͑લͷ OBNFTQBDFΛࢀর͢Δϓϩηε͕͍ͳ͘ͳͬͨ ߹ w GSFF@OTQSPYZ ΛݺΜͰOBNFTQBDFΛղ์
GSFF@OTQSPYZ w WPJEGSFF@OTQSPYZ TUSVDUOTQSPYZ OT w OBNFTQBDFͷղ์ w ֤OBNFTQBDFͷࢀরΧϯλΛσΫϦϝϯτ
w OTQSPYZߏମͷΠϯελϯεղ์ w ௨ৗϓϩηεͷFYJU࣌ʹ࣮ߦ͞ΕΔ
VOTIBSF@OTQSPYZ@OBNFTQBDF w JOUVOTIBSF@OTQSPYZ@OBNFTQBDFT VOTJHOFE MPOHVOTIBSF@qBHT TUSVDUOTQSPYZ OFX@OTQ TUSVDUDSFE OFX@DSFE TUSVDU
GT@TUSVDU OFX@GT w VOTIBSF ͷ࣮ߦ࣌ʹݺΕΔ w DSFBUF@OFX@OBNFTQBDF Ͱ໊લۭؒΛ৽نʹ ࡞
QSPDGTPQFSBUJPOT w OBNBTQBDFQSPDGTͰදݱ͞ΕΔͷͰ͜ΕΒΛૢ࡞͢Δؔ Λొ w TFUOT ͕͏ͷ͕͜ΕΒ w ֤OBNFTQBDFຖʹొ
struct proc_ns_operations { const char *name; int type; void *(*get)(struct task_struct *task); void (*put)(void *ns); int (*install)(struct nsproxy *nsproxy, void *ns); unsigned int (*inum)(void *ns); };
QSPDGTPQFSBUJPOT w HFU w ରOBNFTQBDFͷࢀরΧϯλΛ w QVU
w ରOBNFTQBDFͷࢀরΧϯλΛ w JOTUBMM w ݱࡏͷOBNFTQBDFͷࢀরΧϯλΛ͠ɺ৽͍͠OBNFTQBDFΛOTQSPYZߏ ମʹηοτ w JOVN w OBNFTQBDFͷJOPEF൪߸Λฦ͢
DMPOF w OBNFTQBDFͷૢ࡞ͱݴͬͯDMPOF ݻ༗ͰԿ͔͕͋ΔΘ ͚Ͱແ͍ w DPQZ@QSPDFTT ͔ΒҎԼͷؔΛݺͿ w DPQZ@DSFET
w VTFS@OTͷίϐʔ৽ن࡞ w DPQZ@OBNFTQBDF w طଘͷ֤OBNFTQBDFͷίϐʔ৽ن࡞
TFUOT ೖΓ͍ͨOBNFTQBDFͷpMFߏମ͔ΒJOPEFΛऔಘ͠ɺ֘ OBNFTQBDFͷQSPD@OT@PQFSBUJPOTߏମऔಘ DSFBUF@OFX@OBNFTQBDF ͰOTQSPYZͷ࡞ w ɹqBHTʹΛ͢ͷͰطଘͷOBNFTQBDFͷࢀরΧϯλ ͕૿͑Δ͚ͩ QSPD@OT@PQFSBUJPOTߏମͷJOTUBMM ΛݺΜͰOTQSPYZʹର
ͷOBNFTQBDFΛઃఆ TXJUDI@UBTL@OBNFTQBDFT ͰOBNFTQBDFͷΓସ͑Λ࣮ࢪ
VOTIBSF VOTIBSF͢ΔOBNFTQBDFͷऔಘ ϑΝΠϧγεςϜͷVOTIBSF DVSSFOUλεΫͷGT@TUSVDUߏମ͕ίϐʔ͞ΕΔ ϑΝΠϧσΟεΫϦϓλͷίϐʔ w ։͍͍ͯΔϑΝΠϧσΟεΫϦϓλΛEVQ@GE Ͱίϐʔ VTFSOBNFTQBDFͷ w
$-0/&@/&864&3͕ηοτ͞Ε͍ͯͳ͚ΕԿ͠ͳ͍
VOTIBSF ! VOTIBSF@OTQSPYZ@OBNFTQBDFT ͰͦͷଞOBNFTQBDFͷ w ࣮ࡍͷॲཧDSFBUF@OFX@OBNFTQBDFT Ͱ࣮ࢪ ্ه·Ͱͷૢ࡞ͰԿ͔͠Β࣮ߦ͕ߦΘΕͨ߹ҎԼͷॲཧΛ࣮ࢪ w OBNFQBDF
OTQSPYZ ͷมߋ͕͋ͬͨ߹TXJUDI@UBTL@OBNFTQBDFT Ͱ Γସ͑ w GT@TUSVDUΛίϐʔͨ͠߹DVSSFOUλεΫͷGT@TUSVDUߏମΓସ͑ ɹϑΝΠϧσΟεΫϦϓλΛίϐʔͨ͠߹DVSSFOUλεΫͷϑΝΠϧσΟεΫϦ ϓλΓସ͑ ɹVTFS@OTͷVOTIBSFΛͨ͠߹TUSVDUDSFEͷΓସ͑
/BNFTQBDF&YBNQMF w /BNFTQBDFػೳͰͲͷΑ͏ʹมΘ͔ͬͨ
HFUQJE w UBTL@TUSVDUߏମͷϝϯόม QJE Λͦͷ·· ฦ٫Մೳ #define getpid() (current->pid)
HFUQJE wϓϩηε͕ॴଐ͍ͯ͠ΔQJEOBNFTQBDFͷQJEΛ ฦ͢ඞཁ͕͋Δ getpid() -> task_tgid_vnr() -> task_tgid() ->
pid_vnr() -> task_active_pid_ns() -> task_pid() -> ns_of_pid() -> pid_nr_ns()
DIPXO static int chown_common(struct dentry * dentry, uid_t user,
gid_t group) { ~தུʙ if (user == (uid_t) -1) user = inode->i_uid; if (group == (gid_t) -1) group = inode->i_gid; newattrs.ia_mode = inode->i_mode; newattrs.ia_uid = user; newattrs.ia_gid = group;
DIPXO static int chown_common(struct path *path, uid_t user, gid_t
group) { ~தུʙ uid = make_kuid(current_user_ns(), user); gid = make_kgid(current_user_ns(), group); ! newattrs.ia_valid = ATTR_CTIME; if (user != (uid_t) -1) { if (!uid_valid(uid)) return -EINVAL; newattrs.ia_valid |= ATTR_UID; newattrs.ia_uid = uid; } if (group != (gid_t) -1) { if (!gid_valid(gid)) return -EINVAL; newattrs.ia_valid |= ATTR_GID; newattrs.ia_gid = gid; }
3FGFSFODF w -9$ͰֶͿίϯςφೖʵܰྔԾԽڥΛ࣮ݱ͢Δٕज़ w IUUQHJIZPKQBENJOTFSJBMMJOVY@DPOUBJOFST w /BNFTQBDFTJO0QFSBUJPOTFSJFT w IUUQMXOOFU"SUJDMFTTFSJFT@JOEFY w
1SPGFTTJPOBM-JOVY,FSOFM"SDIJUFDUVSF w IUUQXXXBNB[PODPKQEQ#5*$;