Nsenter is a tool to enter the namespaces of one or more other processes and then execute the specified program. After the basics I would like to present the power of the tool in a live demo session.
I wanna talk about nsenter
1. I wanna talk about nsenter
run program with namespaces of other processes
Docker Budapest 2019 BackToSchool Edition
Sept 11, 2019
2. About me
Richard Kovacs a.k.a. mhmxs
Hup.hu member for 13 years and 21 weeks
• First Linux distro: Debian 2.2
Professional: earning money with coding since 2005
• Mostly Java, Go, Javascript and Bash
Started using Docker in production in 2015
• Automated Hadoop clusters on 1.6.0
Currently Kubernetes network engineer @ IBM IKS
kovacsricsi[at]gmail @mhmxs
3. Agenda
–A bit about namespaces
–What the heck is nsenter
• “Mi a fene ez a szörnyeteg?” (“What the heck is this monster?”), courtesy of machine translation
–Live demo
5. A bit about namespaces
Namespaces are an isolation feature of the Linux
kernel that separates processes from each other and
from the host system: each namespace type (mount,
PID, network, ...) gives a process its own view of
that one resource.
Isolation improves security by design, and because
namespaces can be joined selectively, they also
enable tricks such as sharing a single namespace
between otherwise separate processes.
The init process (PID 1) runs in the default, initial
namespaces, which every other process inherits
unless it is placed into new ones.
For more info, see the Wikipedia page on Linux
namespaces or the official Docker docs.
6. A bit about namespaces
“Docker uses a technology called namespaces to
provide the isolated workspace called the container.
When you run a container, Docker creates a set of
namespaces for that container.”
“Each aspect of a container runs in a separate
namespace and its access is limited to that
namespace.”
Docker Engine uses namespaces such as the
following on Linux:
• PID: Process ID
• NET: Networking
• IPC: InterProcess Communication
• MNT: Mount
• UTS: Unix Timesharing System
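The namespace membership described on these two slides is visible from user space: every process has symlinks under /proc/&lt;pid&gt;/ns/ that resolve to `type:[inode]`, and two processes share a namespace exactly when the inode matches. The following POSIX shell script is an added example, not part of the talk; the helper names (`ns_id`, `same_ns`, `show_ns`) are its own, and it compares a process against PID 1, which holds the initial namespaces. Reading /proc/1/ns needs permission to ptrace PID 1, so without privilege the comparison is reported as unknown rather than failing.

```shell
#!/bin/sh
# Added example (not from the slides): inspect which namespaces a process
# lives in by reading the /proc/<pid>/ns/* symlinks. Each link resolves to
# "type:[inode]"; two processes share a namespace exactly when the inode
# is identical. Helper names are this example's own.

# Print the namespace identifier of pid $1 for namespace type $2,
# e.g. "net:[4026531992]". Fails if the pid or the link is not readable.
ns_id() {
    readlink "/proc/$1/ns/$2"
}

# Exit 0 if pids $1 and $2 are in the same $3 namespace, 1 if they are
# not, 2 if one of the two links could not be read (missing privilege).
same_ns() {
    a=$(ns_id "$1" "$3") || return 2
    b=$(ns_id "$2" "$3") || return 2
    [ "$a" = "$b" ]
}

# Compare every namespace of pid $1 (default: this shell) against PID 1,
# the holder of the initial namespaces. For a process inside a Docker
# container, mnt/pid/net/ipc/uts show up as "separate".
show_ns() {
    pid=${1:-$$}
    for ns in cgroup ipc mnt net pid user uts; do
        nsid=$(ns_id "$pid" "$ns" 2>/dev/null) || { printf '%-7s ?\n' "$ns"; continue; }
        # Capture the status in an if so the function survives `set -e`.
        if same_ns "$pid" 1 "$ns" 2>/dev/null; then rc=0; else rc=$?; fi
        case $rc in
            0) state=shared-with-init ;;
            2) state=unknown ;;          # /proc/1/ns not readable without privilege
            *) state=separate ;;
        esac
        printf '%-7s %-20s %s\n' "$ns" "$nsid" "$state"
    done
}

show_ns "$$"
```

Run it on the host and then inside `docker exec -it some-container sh` to see the same table flip from shared-with-init to separate for the five namespace types Docker creates.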
8. What the heck is nsenter
Nsenter - run program with namespaces of other
processes.
Enters the namespaces of one or more other
processes and then executes the specified program.
If program is not given, then ${SHELL} is run.
It enters only the namespaces you select with its flags:
• No cgroup move: nsenter never places the process in
the container's cgroup, so the container's resource
limits do not apply to it (`docker exec` does join the
container's cgroup)
• No -p: our process doesn't appear in `ps` inside the
container, unlike `docker exec` (and even with -p only
the children of nsenter land in the PID namespace,
because setns(2) cannot change the PID namespace of
the calling process itself)
Nsenter does not drop capabilities, so the shell
started by it keeps the caller's capability set and
can do more stuff than a regular process running
within the container. Entering another process's
namespaces requires CAP_SYS_ADMIN, so nsenter is
normally run as root.
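A worked version of the procedure this slide describes, added here and not part of the original deck: look up the container's init PID with `docker inspect`, enter only its network namespace with `nsenter -n`, and compare what the entered process sees with what the container's own processes see. The container name (passed in `CONTAINER`) and the helper names are assumptions of this example. The `docker` and `nsenter` calls need root; the /proc readers run unprivileged.

```shell
#!/bin/sh
# Added example (not from the talk): enter a container's network namespace
# with nsenter and observe what it does NOT change compared with docker exec.
# Helper names are this example's own; the container name is an assumption.

# PID of the container's init process, as seen from the host PID namespace.
container_pid() {
    docker inspect --format '{{.State.Pid}}' "$1"
}

# Effective capability mask of pid $1 as a 16-hex-digit string, taken from
# the CapEff line of /proc/<pid>/status (0000003fffffffff is a full root set).
cap_eff() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# Namespace identifier of pid $1 for namespace type $2, e.g. "pid:[4026531836]".
ns_id() {
    readlink "/proc/$1/ns/$2"
}

# Run "$2..." inside the network namespace of container $1 and nothing else.
# -n only: the command keeps the host PID, mount and cgroup membership, so
# it is invisible to `ps` in the container, is not bound by the container's
# CPU/memory limits, and keeps the caller's (usually root's) capabilities.
enter_net() {
    ctr=$1; shift
    nsenter --target "$(container_pid "$ctr")" --net -- "$@"
}

demo() {
    ctr=$1
    pid=$(container_pid "$ctr")
    echo "container init pid       : $pid"
    echo "net ns of container init : $(ns_id "$pid" net)"
    echo "net ns via nsenter -n    : $(enter_net "$ctr" readlink /proc/self/ns/net)"   # same inode
    echo "pid ns of container init : $(ns_id "$pid" pid)"
    echo "pid ns via nsenter -n    : $(enter_net "$ctr" readlink /proc/self/ns/pid)"   # host's, not the container's
    echo "CapEff of container init : $(cap_eff "$pid")"
    echo "CapEff via nsenter -n    : $(enter_net "$ctr" awk '/^CapEff:/ { print $2 }' /proc/self/status)"
}

# The privileged part only runs when a container name is supplied, e.g.
#   sudo CONTAINER=demo sh nsenter-demo.sh
if [ -n "${CONTAINER:-}" ]; then demo "$CONTAINER"; fi
```

The two CapEff lines are the point of the slide: the container's init runs with Docker's reduced default set, while the command started through nsenter reports the mask of whoever ran nsenter, and the pid line shows that without -p the entered command never left the host PID namespace.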
10. So long
and thanks for all the questions
https://en.wikipedia.org/wiki/Cgroups
http://man7.org/linux/man-pages/man2/setns.2.html
http://man7.org/linux/man-pages/man1/nsenter.1.html