Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Linux Namespace
Search
Masami Ichikawa
September 28, 2014
Programming
0
62
Linux Namespace
Masami Ichikawa
September 28, 2014
Tweet
Share
More Decks by Masami Ichikawa
See All by Masami Ichikawa
cgroupsとプロセス生成・終了処理
masami256
1
1.2k
Linux の Debug 機能
masami256
0
79
Linux Namespaces
masami256
0
49
slub: alloc and free
masami256
0
72
SLUB data structures
masami256
0
95
SystemV IPC
masami256
0
110
とある帽子の大蛇料理Ⅱ
masami256
0
72
Gnomeとdogtail
masami256
0
83
x86 とコンテキストスイッチ
masami256
0
220
Other Decks in Programming
See All in Programming
#kanrk08 / 公開版 PicoRubyとマイコンでの自作トレーニング計測装置を用いたワークアウトの理想と現実
bash0c7
1
520
設計やレビューに悩んでいるPHPerに贈る、クリーンなオブジェクト設計の指針たち
panda_program
6
1.5k
PHP 8.4の新機能「プロパティフック」から学ぶオブジェクト指向設計とリスコフの置換原則
kentaroutakeda
2
630
Composerが「依存解決」のためにどんな工夫をしているか #phpcon
o0h
PRO
1
240
Code as Context 〜 1にコードで 2にリンタ 34がなくて 5にルール? 〜
yodakeisuke
0
110
なぜ適用するか、移行して理解するClean Architecture 〜構造を超えて設計を継承する〜 / Why Apply, Migrate and Understand Clean Architecture - Inherit Design Beyond Structure
seike460
PRO
1
690
童醫院敏捷轉型的實踐經驗
cclai999
0
190
エンジニア向け採用ピッチ資料
inusan
0
160
git worktree × Claude Code × MCP ~生成AI時代の並列開発フロー~
hisuzuya
1
490
生成AIコーディングとの向き合い方、AIと共創するという考え方 / How to deal with generative AI coding and the concept of co-creating with AI
seike460
PRO
1
330
AIコーディング道場勉強会#2 君(エンジニア)たちはどう生きるか
misakiotb
1
250
PicoRuby on Rails
makicamel
2
100
Featured
See All Featured
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
Build your cross-platform service in a week with App Engine
jlugia
231
18k
What's in a price? How to price your products and services
michaelherold
246
12k
VelocityConf: Rendering Performance Case Studies
addyosmani
330
24k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.8k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
8
670
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
357
30k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
5
220
Docker and Python
trallard
44
3.4k
The Cult of Friendly URLs
andyhume
79
6.5k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
The Pragmatic Product Professional
lauravandoore
35
6.7k
Transcript
-JOVY/BNFTQBDF !NBTBNJ
5BCMFPG$POUFOUT w /BNFTQBDFPWFSWJFX w 4ZTUFNDBMMT w LFSOFMJNQMFNFOUBUJPO w /BNFTQBDF&YBNQMF
OBNFTQBDF PWFSWJFX
/BNFTQBDF w Ϧιʔε w ॴҦίϯςφܕԾԽΛ࣮ݱ͢Δ্Ͱॏཁͳػ ೳͷҰͭ
3FTPVSDF w /BNFTQBDFʹ͓͚ΔϦιʔε w DQVNFNPSZͱݴͬͨཧతͳܭࢉࢿݯͰ ͳ͍ w ϗετ໊ɺωοτϫʔΫઃఆɺQJEͳͲͷΧʔω ϧ͕ѻ͏σʔλ
'FBUVSF w ϓϩηεؒͰΧʔωϧͷϦιʔεΛڞ༗ w GPSL ͷ࣮ߦ࣌ϓϩηεͱϦιʔεΛڞ༗ w OBNFTQBDFຖʹಠཱͨ͠Ϧιʔε w
໊લۭؒͷঢ়ଶΛม͑ΔΑ͏ͳॲཧΛߦͬͯ ผͷ໊લۭؒʹଐ͢ΔϓϩηεʹӨڹٴ ͳ͍
/BNFTQBDFSFQSFTFOUBUJPO w ໊લۭؒϑΝΠϧͱͯ͠Ϣʔβʔۭ͔ؒΒݟ͑ Δ w TFUOT Ͱར༻ masami@miko:~$ ls
-l /proc/self/ns total 0 dr-x--x--x 2 masami masami 0 Aug 31 00:15 . dr-xr-xr-x 8 masami masami 0 Aug 31 00:15 .. lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 ipc -> ipc:[4026531839] lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 mnt -> mnt:[4026531840] lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 net -> net:[4026531957] lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 pid -> pid:[4026531836] lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 user -> user:[4026531837] lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 uts -> uts:[4026531838]
/BNFTQBDFT w VUT w OFU w QJE w NOU w
JQD w VTFS
VUTOBNFTQBDF w ϗετ໊ɺυϝΠϯ໊ͳͲͷσʔλ w Χʔωϧόʔδϣϯ͋Δ͕มߋෆՄ w ήετ͕ࣗϗετ໊Λม͑ͯϗετ04ଆʹ ӨڹͰͳ͍
OFUOBNFTQBDF w ωοτϫʔΫؔ࿈ͷϦιʔε w /FUXPSLEFWJDF w *1BEESFTT w 3PVUJOHUBCMF w
'JMUFSJOHUBCMF w 1PSUOVNCFS w QSPDOFU w FUDʜ
QJEOBNFTQBDF w ϓϩηεͱผͷQJEΛར༻Մೳʹ w OBNFTQBDF"ͷQJEɿͱOBNFTQBDF#ͷ QJEɿผͷଘࡏ w QSPDGTΛదʹ͚ΕଞͷOBNFTQDFͷϓϩ ηεΛࢀরͰ͖ͳ͘ͳΔ
NOUOBNFTQBDF w Ϛϯτ͍ͯ͠ΔϑΝΠϧγεςϜΛද͢ w ໊લۭؒ࣌ϓϩηεͷNOUOBNFTQBDF Λίϐʔ w ޙʹϓϩηε͕VTCTUJDLͳͲΛϚϯ τͯ͠ήετଆ͔Βݟ͑ͳ͍
JQDOBNFTQBDF w 4ZTUFN7*1$Ͱ༻͢ΔϦιʔεΛ w ڞ༗ϝϞϦɺηϚϑΥɺϝοηʔδΩϡʔ
VTFSOBNFTQBDF w ϗετͱผͷVJEHJEମܥΛ࣋ͯΔ w ϗετͷVJEHJEͱήετͷVJEHJEϚοϐϯά͕ඞཁ w ઃఆ͠ͳ͍ͱ͕ઃఆ͞ΕΔ w HSPVQT൪ͷHSPVQೖΓ͢Δ w
ଞͷOBNFTQBDFͱҧ͍ɺಠཱ͍ͯ͠ͳ͍ w ଞͷOBNFTQBDFۭؒݸʑʹVTFSOBNFTQBDFΛ͍࣋ͬͯΔ w ֤OBNFTQBDFͷίϐʔॲཧؔVTFSOTΛड͚औΔͷͰ HFU@VTFS@OT ͰࢀরΧϯτΛ૿͍ͯ͠Δ
VJEHJENBQQJOH w ϚοϐϯάΛߦ͏γεςϜίʔϧແ͍ w ҎԼͷϑΝΠϧΛ༻͍ͯϚοϐϯάΛ࣮ࢪ w QSPDQJEVJE@NBQ w QSPDQJEHJE@NBQ
VJEHJENBQQJOH w ήετͷVJEΛϗετͷVJEʹϚοϐϯά w HJEಉ༷ʹ masami@miko:~$ ./a.out -U -M '0
1000 1' -G '0 1000 1' bash root@miko:~# id uid=0(root) gid=0(root) groups=0(root),65534 root@miko:~# cat /proc/self/uid_map /proc/self/gid_map 0 1000 1 0 1000 1 root@miko:~# touch test.txt root@miko:~# ls -la test.txt -rw-r--r-- 1 root root 0 Aug 31 12:00 test.txt root@miko:~# """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" masami@miko:~$ ls -la test.txt -rw-r--r-- 1 masami masami 0 Aug 31 12:00 test.txt masami@miko:~$
*OBOVTFSOBNFTQBDF wϚοϐϯάͳ͠ͰVTFSOBNFTQBDFΛVOTIBSF I have no name!@miko:/proc/640$ ls -la /usr/bin/sudo -rwsr-xr-x
1 65534 65534 142792 May 9 15:58 /usr/bin/sudo ! w௨ৗͷঢ়ଶ I have no name!@miko:/proc/640$ exit logout masami@miko:~$ ls -la /usr/bin/sudo -rwsr-xr-x 1 root root 142792 May 9 15:58 /usr/bin/sudo
IPXUPVJEHJENBQQJOH DMPOF ΛݺͿ $-0/&@/&864&3ΛqBHTʹηοτ FYFD ܥͷγεςϜίʔϧΛݺͿલʹϚοϐϯάΛߦ͏
QSPDDIJMEQSPDFTTQJEVJE@NBQ QSPDDIJMEQSPDFTTQJEHJE@NBQ FYFD ܥͷؔΛݺΜͰ৽ͨͳϓϩάϥϜΛ࣮ߦ
TZTUFNDBMMT
TZTUFNDBMMT w DMPOF w VOTIBSF w
TFUOT
DMPOF w DMPOF ͰQJEOBNFTQBDFΛͨ͠ w ࢠϓϩηε͔ΒݟΔͱࣗͷQJEͱͯ͠ݟ͑Δ w
ϓϩηε͔ΒϓϩηεͷQJEOBNFTQBDFͰͷ QJE͕ৼΒΕͨΑ͏ʹݟ͑Δ w DMPOF ͷΓΛͬͯXBJUQJE Ͱͭ͜ͱ ͕Ͱ͖Δ
DMPOF $-0/&@/&8654 VUTOBNFTQBDF $-0/&@/&81*% QJEOBNFDQBDF $-0/&@/&8/4 NOUOBNFTQBDF $-0/&@/&8/&5 OFUOBNFTQBDF
$-0/&@/&8*1$ JQDOBNFTQBDF $-0/&@/&864&3 VTFSOBNFTQBDF DMPOF Ͱ༻͢ΔϑϥάTDIFEIΛJODMVEFͯ͠༻Ͱ͖Δ͕ɺ $-0/&@/&864&3@(/6@4063$&ΛEFpOF͢Δඞཁ͋Γ
VOTIBSF w ࣗΛϓϩηεͷ໊લۭ͔ؒΒͤ͞Δ w QJEOBNFTQBDFͰ͖ͳ͍ w Ұ࣌ظαϙʔτ͞Ε͍͕͔ͯͨΒର֎ʹͳͬͨ w QJEOT%POUIBWFVOTIBSF
$-0/&@/&81*% JNQMZ $-0/&@5)3&"% w IUUQTHJUIVCDPNUPSWBMETMJOVYDPNNJU FDFCECGDCGEEF w VOTIBSF ͷ߹ΤϥʔʹͳΒͳ͍͕Կ͓͖ͳ͍
TFUOT w طଘͷ໊લۭؒʹࣗΛࢀՃͤ͞Δ w DMPOF ɺVOTIBSF ͷ໊લۭ͔ؒΒͯ͠৽نͷ
໊લۭؒΛ࣋ͭΑ͏ʹͳΔ w ໊લۭؒͷࢀՃʹରͷ໊લۭؒͷϑΝΠϧσΟεΫϦϓ λΛ༻͢Δ w ผͷQJEOBNFTQBDFʹࢀՃ͢Δ߹ɺϓϩηεࣗͷQJE มΘΒͳ͍ w ࢠϓϩηε͔ΒQJE͕มΘΔ
LFSOFM JNQMFNFOUBUJPO
LFSOFMOTQSPYZD w OBNFTQBDFڞ௨ͷॲཧΛߦ͏ w OBNFTQBDFͷ࡞ɺίϐʔͳͲ w ݸʑͷOBNFTQBDFʹ͍ͭͯͦΕͧΕ͕࣮ࢪ
LFSOFMOTQSPYZD w લεϥΠυͰOBNFTQBDFڞ௨ͱઆ໌͚ͨ͠Ͳ w VTFSOBNFTQBDFѻ͍ͬͯͳ͍ w VTFSOBNFTQBDFDSFEDݸʑͷ OBNFTQBDF͕ཧ
TUSVDUOTQSPYZ w ֤OBNFTQBDFͷσʔλΛอ࣋͢Δߏମ ! struct nsproxy { atomic_t count; struct
uts_namespace *uts_ns; struct ipc_namespace *ipc_ns; struct mnt_namespace *mnt_ns; struct pid_namespace *pid_ns_for_children; struct net *net_ns; }; wVTFSOBNFTQBDFTUSVDUDSFEʹͯཧ wTUSVDUUBTL@TUSVDUͷSFBM@DSFBE͔ΒVTFSOBNFTQBDFΛࢀর
DPNNPOOBNFTQBDF TUSVDUVSF w ֤OBNFTQBDFҎԼͷมΛඞͣ࣋ͭ w ࢀরΧϯλ w QSPDGTͷJOPEF൪߸ w VTFSOBNFTQBDF
w VTFSOBNFTQBDFͷ߹ϓϩηεͷϙΠϯλ
JOJU@OTQSPYZ w ࠷ॳͷϓϩηεʹઃఆ͞ΕΔOTQSPYZߏମ w ͜ΕҎ߱GPSLܥؔͷݺͼग़࣌͠ʹ͜ͷߏ ମͷࢀরΧϯλΛΠϯΫϦϝϯτ w OBNFTQBDFΛ͚ͳ͍߹ɿʣ
TUSVDUOTQSPYZ w NPVOUOBNFTQBDFҎ֎Ϗϧυ࣌ʹઃఆ struct nsproxy init_nsproxy = { .count =
ATOMIC_INIT(1), .uts_ns = &init_uts_ns, #if defined(CONFIG_POSIX_MQUEUE) || defined(CONFIG_SYSVIPC) .ipc_ns = &init_ipc_ns, #endif .mnt_ns = NULL, .pid_ns_for_children = &init_pid_ns, #ifdef CONFIG_NET .net_ns = &init_net, #endif };
*OJUJBMJ[FNOU@OT wJOJU@NPVOU@USFF ͔Β͕࣮ࡍͷॲཧ start_kernel() @init/main.c --> vfs_caches_init() @fs/dcache.c --> mnt_init()
@fs/namespace.c --> init_mount_tree() @fs/namespace.c --> create_mnt_ns() @fs/namespace.c
*OJUJBMJ[FVTFS@OT w VTFS@OTTUSVDUDSFEͷσʔλॳظԽ࣌ʹઃఆ struct cred init_cred = { .usage =
ATOMIC_INIT(4), ~ུ~ .cap_bset = CAP_FULL_SET, .user = INIT_USER, .user_ns = &init_user_ns,
DPQZ@OBNFTQBDF w JOUDPQZ@OBNFTQBDFT VOTJHOFEMPOHqBHT TUSVDU UBTL@TUSVDU UTL w DPQZ@QSPDFTT
ΑΓݺΕΔ w qBHʹ$-0/&@/&8999͕ηοτ͞Ε͍ͯͳ͚ΕΧ ϨϯτϓϩηεͷOTQSPYZߏମͷࢀরΧϯλΛ w ͦ͏Ͱͳ͚ΕDSFBUF@OFX@OBNFTQBDF Ͱ֘͢Δ OBNFTQBDFΛ࡞͢Δ
TXJUDI@UBTL@OBNFTQBDF w WPJETXJUDI@UBTL@OBNFTQBDFT TUSVDU UBTL@TUSVDU UTL TUSVDUOTQSPYZ OFX w
ΧϨϯτϓϩηεͷ໊લۭؒΓସ͑Λߦ͏ w VOTIBSF Ͱ༻ w ϓϩηεͷFYJU ࣌ʹ༻ w Γସ͑ઌͷOBNFTQBDFʹ/6--Λઃఆ
TXJUDI@UBTL@OBNFTQBDF w OBNFTQBDFΛΓସ͑ͨ݁ՌɺΓସ͑લͷ OBNFTQBDFΛࢀর͢Δϓϩηε͕͍ͳ͘ͳͬͨ ߹ w GSFF@OTQSPYZ ΛݺΜͰOBNFTQBDFΛղ์
GSFF@OTQSPYZ w WPJEGSFF@OTQSPYZ TUSVDUOTQSPYZ OT w OBNFTQBDFͷղ์ w ֤OBNFTQBDFͷࢀরΧϯλΛσΫϦϝϯτ
w OTQSPYZߏମͷΠϯελϯεղ์ w ௨ৗϓϩηεͷFYJU࣌ʹ࣮ߦ͞ΕΔ
VOTIBSF@OTQSPYZ@OBNFTQBDF w JOUVOTIBSF@OTQSPYZ@OBNFTQBDFT VOTJHOFE MPOHVOTIBSF@qBHT TUSVDUOTQSPYZ OFX@OTQ TUSVDUDSFE OFX@DSFE TUSVDU
GT@TUSVDU OFX@GT w VOTIBSF ͷ࣮ߦ࣌ʹݺΕΔ w DSFBUF@OFX@OBNFTQBDF Ͱ໊લۭؒΛ৽نʹ ࡞
QSPDGTPQFSBUJPOT w OBNBTQBDFQSPDGTͰදݱ͞ΕΔͷͰ͜ΕΒΛૢ࡞͢Δؔ Λొ w TFUOT ͕͏ͷ͕͜ΕΒ w ֤OBNFTQBDFຖʹొ
struct proc_ns_operations { const char *name; int type; void *(*get)(struct task_struct *task); void (*put)(void *ns); int (*install)(struct nsproxy *nsproxy, void *ns); unsigned int (*inum)(void *ns); };
QSPDGTPQFSBUJPOT w HFU w ରOBNFTQBDFͷࢀরΧϯλΛ w QVU
w ରOBNFTQBDFͷࢀরΧϯλΛ w JOTUBMM w ݱࡏͷOBNFTQBDFͷࢀরΧϯλΛ͠ɺ৽͍͠OBNFTQBDFΛOTQSPYZߏ ମʹηοτ w JOVN w OBNFTQBDFͷJOPEF൪߸Λฦ͢
DMPOF w OBNFTQBDFͷૢ࡞ͱݴͬͯDMPOF ݻ༗ͰԿ͔͕͋ΔΘ ͚Ͱແ͍ w DPQZ@QSPDFTT ͔ΒҎԼͷؔΛݺͿ w DPQZ@DSFET
w VTFS@OTͷίϐʔ৽ن࡞ w DPQZ@OBNFTQBDF w طଘͷ֤OBNFTQBDFͷίϐʔ৽ن࡞
TFUOT ೖΓ͍ͨOBNFTQBDFͷpMFߏମ͔ΒJOPEFΛऔಘ͠ɺ֘ OBNFTQBDFͷQSPD@OT@PQFSBUJPOTߏମऔಘ DSFBUF@OFX@OBNFTQBDF ͰOTQSPYZͷ࡞ w ɹqBHTʹΛ͢ͷͰطଘͷOBNFTQBDFͷࢀরΧϯλ ͕૿͑Δ͚ͩ QSPD@OT@PQFSBUJPOTߏମͷJOTUBMM ΛݺΜͰOTQSPYZʹର
ͷOBNFTQBDFΛઃఆ TXJUDI@UBTL@OBNFTQBDFT ͰOBNFTQBDFͷΓସ͑Λ࣮ࢪ
VOTIBSF VOTIBSF͢ΔOBNFTQBDFͷऔಘ ϑΝΠϧγεςϜͷVOTIBSF DVSSFOUλεΫͷGT@TUSVDUߏମ͕ίϐʔ͞ΕΔ ϑΝΠϧσΟεΫϦϓλͷίϐʔ w ։͍͍ͯΔϑΝΠϧσΟεΫϦϓλΛEVQ@GE Ͱίϐʔ VTFSOBNFTQBDFͷ w
$-0/&@/&864&3͕ηοτ͞Ε͍ͯͳ͚ΕԿ͠ͳ͍
VOTIBSF ! VOTIBSF@OTQSPYZ@OBNFTQBDFT ͰͦͷଞOBNFTQBDFͷ w ࣮ࡍͷॲཧDSFBUF@OFX@OBNFTQBDFT Ͱ࣮ࢪ ্ه·Ͱͷૢ࡞ͰԿ͔͠Β࣮ߦ͕ߦΘΕͨ߹ҎԼͷॲཧΛ࣮ࢪ w OBNFQBDF
OTQSPYZ ͷมߋ͕͋ͬͨ߹TXJUDI@UBTL@OBNFTQBDFT Ͱ Γସ͑ w GT@TUSVDUΛίϐʔͨ͠߹DVSSFOUλεΫͷGT@TUSVDUߏମΓସ͑ ɹϑΝΠϧσΟεΫϦϓλΛίϐʔͨ͠߹DVSSFOUλεΫͷϑΝΠϧσΟεΫϦ ϓλΓସ͑ ɹVTFS@OTͷVOTIBSFΛͨ͠߹TUSVDUDSFEͷΓସ͑
/BNFTQBDF&YBNQMF w /BNFTQBDFػೳͰͲͷΑ͏ʹมΘ͔ͬͨ
HFUQJE w UBTL@TUSVDUߏମͷϝϯόม QJE Λͦͷ·· ฦ٫Մೳ #define getpid() (current->pid)
HFUQJE wϓϩηε͕ॴଐ͍ͯ͠ΔQJEOBNFTQBDFͷQJEΛ ฦ͢ඞཁ͕͋Δ getpid() -> task_tgid_vnr() -> task_tgid() ->
pid_vnr() -> task_active_pid_ns() -> task_pid() -> ns_of_pid() -> pid_nr_ns()
DIPXO static int chown_common(struct dentry * dentry, uid_t user,
gid_t group) { ~தུʙ if (user == (uid_t) -1) user = inode->i_uid; if (group == (gid_t) -1) group = inode->i_gid; newattrs.ia_mode = inode->i_mode; newattrs.ia_uid = user; newattrs.ia_gid = group;
DIPXO static int chown_common(struct path *path, uid_t user, gid_t
group) { ~தུʙ uid = make_kuid(current_user_ns(), user); gid = make_kgid(current_user_ns(), group); ! newattrs.ia_valid = ATTR_CTIME; if (user != (uid_t) -1) { if (!uid_valid(uid)) return -EINVAL; newattrs.ia_valid |= ATTR_UID; newattrs.ia_uid = uid; } if (group != (gid_t) -1) { if (!gid_valid(gid)) return -EINVAL; newattrs.ia_valid |= ATTR_GID; newattrs.ia_gid = gid; }
3FGFSFODF w -9$ͰֶͿίϯςφೖʵܰྔԾԽڥΛ࣮ݱ͢Δٕज़ w IUUQHJIZPKQBENJOTFSJBMMJOVY@DPOUBJOFST w /BNFTQBDFTJO0QFSBUJPOTFSJFT w IUUQMXOOFU"SUJDMFTTFSJFT@JOEFY w
1SPGFTTJPOBM-JOVY,FSOFM"SDIJUFDUVSF w IUUQXXXBNB[PODPKQEQ#5*$;