Container namespaces and cgroups
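############################# UTS NAMESPACE #############################
# Demonstrates hostname isolation using a UTS namespace.
# Creating a UTS namespace needs CAP_SYS_ADMIN, so run the unshare under sudo
# directly rather than opening an interactive root shell (`sudo su`) that stays
# around for the rest of the session.
hostname                                  # Show the host's current hostname
sudo unshare --uts /bin/sh                # New UTS namespace; /bin/sh runs as root inside it
hostname my-new-hostname                  # Change the hostname inside the namespace only
hostname                                  # Verify: prints my-new-hostname
exit                                      # Leave the shell; the namespace goes away with its last process
hostname                                  # Host hostname is unchanged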
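############################# PID NAMESPACE #############################
# Demonstrates process isolation and the PID hierarchy.
# NOTE: a new PID namespace by itself does not change what `ps` shows -- ps
# reads /proc, and without --mount-proc the shell still sees the HOST's /proc
# and lists every host process. --mount-proc mounts a fresh proc for the new
# namespace and implies --mount, so that mount stays private to this shell and
# never replaces the host's /proc.
ps aux                                    # List all processes on the host
sleep 1000 &                              # Start a background process on the host; note its PID
sudo unshare --pid --fork --mount-proc /bin/sh   # New PID namespace; the forked sh is PID 1 inside it
ps aux                                    # Only sh and its children are visible
kill -9 <PID of sleep 1000>               # Fails with "No such process": host PIDs are not addressable from a child PID namespace
sleep 2000 &                              # Start a process inside the namespace
pstree -p                                 # Tree rooted at sh (PID 1)
unshare --pid --fork --mount-proc /bin/sh # Nested PID namespace (already root here, no sudo needed)
sleep 3000 &                              # Another background process, with a low PID relative to the nested namespace
pstree                                    # Tree as seen from inside the nested namespace
pstree -p                                 # Same tree with (nested) process IDs
exit                                      # Leave the nested namespace
exit                                      # Leave the outer namespace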
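############################# CHROOT #############################
# Demonstrates filesystem isolation using chroot plus a PID namespace.
# SECURITY: chroot is not a sandbox. A root process inside a chroot can break
# out of it (the classic chroot()-again escape, or via a host /proc), so this
# is a filesystem-view demo, not an isolation boundary. Real containers use
# pivot_root inside a private mount namespace together with user namespaces,
# capability drops and seccomp.
mkdir rootfs                              # Create the root filesystem directory
# Fetch the Alpine minirootfs over HTTPS and verify it against the checksum
# file Alpine publishes next to it. The original used plain HTTP with no
# integrity check, so a MITM or a tampered mirror could supply an arbitrary
# root filesystem that you then run as root. Keep the remote filename (-O) so
# `sha256sum -c` can match it. Alpine 3.9 is end-of-life; use a supported
# release for anything beyond this demo.
ALPINE_URL=https://dl-cdn.alpinelinux.org/alpine/v3.9/releases/x86_64
curl -fL --progress-bar -O "${ALPINE_URL}/alpine-minirootfs-3.9.0-x86_64.tar.gz"
curl -fL -O "${ALPINE_URL}/alpine-minirootfs-3.9.0-x86_64.tar.gz.sha256"
sha256sum -c alpine-minirootfs-3.9.0-x86_64.tar.gz.sha256   # Stop here unless this prints OK
sudo tar -xzf alpine-minirootfs-3.9.0-x86_64.tar.gz -C rootfs
# Extract the Alpine filesystem into ./rootfs (same directory as the download;
# the original pointed tar at a hard-coded /home/... path that did not match -o)
sudo unshare --pid --fork --mount chroot rootfs /bin/sh
# Enter the chroot in a new PID namespace. --mount adds a private mount
# namespace so the proc mount below disappears when this shell exits instead
# of lingering at ./rootfs/proc on the host.
ls                                        # Alpine root filesystem contents
ps aux                                    # Fails: /proc is not mounted inside the chroot
mount -t proc proc /proc                  # Mount a proc for this PID namespace
sleep 1000 &                              # Start a process
ps aux                                    # ps works now and shows only this namespace
ls /proc/<PID of sleep>                   # Inspect the process directory
kill -9 <PID>                             # Kill the process
exit                                      # Leave the chroot; the /proc mount goes away with the mount namespace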
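############################# MOUNT NAMESPACE #############################
# Demonstrates mount isolation and mount propagation.
# A mount namespace needs CAP_SYS_ADMIN, so `unshare --mount` must run as
# root (or inside a user namespace); mount/umount need the same privilege.
unshare /bin/sh                           # No namespace flags: nothing is isolated
mkdir source
touch source/hello
mkdir target
sudo mount --bind source target
ls target                                 # hello: source is bind-mounted onto target
exit                                      # Exit the (non-isolated) shell
ls target                                 # Still hello: the mount lives in the host's mount namespace
sudo umount target                        # Cleanup (needs root, just as the mount did)
# ------------------
sudo unshare --mount /bin/sh              # New mount namespace; unshare makes its propagation private by default
mount --bind source target                # Root inside the new namespace, so no sudo needed
ls target                                 # hello: visible only inside this namespace
exit                                      # Exit the mount namespace; its mounts are released
ls target                                 # Empty: the bind mount never propagated to the host namespace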
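############################# USER NAMESPACE #############################
# Demonstrates user/privilege isolation.
unshare /bin/sh                           # No namespace flags
id                                        # Still the unprivileged caller
sudo unshare /bin/sh
id                                        # uid=0: real root, no user namespace -- nothing is isolated
unshare --user /bin/sh                    # New user namespace; needs no sudo (some distros gate this behind a sysctl)
id                                        # uid 65534 ("nobody"): no uid_map was written, so every id maps to the kernel overflow id
cat /proc/self/uid_map                    # Empty: no mapping has been set up
exit
unshare --user --map-root-user /bin/sh    # Map the caller's uid to 0 inside the namespace
id                                        # uid=0 inside, but only over objects this namespace owns -- on the host it is still the caller's uid
exit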
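############################# NETWORK NAMESPACE #############################
# Demonstrates network isolation and a virtual Ethernet (veth) pair.
# Pick addresses that do not collide with a subnet the host already uses
# (check `ip route` on the host first): 192.168.1.0/24 is a very common LAN
# range, so change the two addresses below if it is already in use.
ip a                                      # Show current network interfaces
ip link                                   # Show link-layer devices
unshare /bin/sh
ip a                                      # No --net: same interfaces as the host
ip link                                   # No new interfaces
exit
sudo unshare --net /bin/sh                # New network namespace; the shell runs as root inside it
ip a                                      # Only a loopback interface, initially DOWN
echo $$                                   # PID of this shell; `ip ... netns <PID>` names a namespace by a process living in it
ip link add ve1 netns <current PID> type veth peer name ve2 netns 1
# Create a veth pair: ve1 in this namespace, ve2 in the namespace of PID 1 (the host).
# Already root here, so the original's extra sudo is unnecessary.
ip link                                   # Verify ve1 exists
ip link set ve1 up                        # Bring up the container-side end
# open a new host terminal
sudo ip link set ve2 up                   # Bring up the host-side end
# in container
ip addr add 192.168.1.100/24 dev ve1
ip a                                      # Verify the address
ip route                                  # Connected route for 192.168.1.0/24 via ve1
# in host
sudo ip addr add 192.168.1.200/24 dev ve2
ip a                                      # Verify the address
ip route                                  # Connected route via ve2
# in container
ping -c 3 192.168.1.200                   # Ping the host end (bounded so the demo does not hang)
# in host
ping -c 3 192.168.1.100                   # Ping the container end
sudo ip link delete ve2                   # Deleting one end removes the whole veth pair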
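############################# IPC NAMESPACE #############################
# Demonstrates System V IPC isolation (shared memory here; message queues and
# semaphores are isolated the same way).
ipcs                                      # List IPC objects
ipcmk -M 10                               # Create a small shared memory segment; prints its id
ipcs                                      # The segment is now listed
unshare /bin/sh
ipcs                                      # Still visible: no --ipc, so the IPC namespace is shared with the host
exit
sudo unshare --ipc /bin/sh                # New IPC namespace (needs CAP_SYS_ADMIN, hence sudo)
ipcs                                      # Empty: a new IPC namespace starts with no objects
exit
# in host
ipcrm -m <shmid>                          # Remove the segment by the id ipcmk printed (-m takes an id; -M takes a key -- and it is a shm segment, not a queue)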
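############################# CGROUPS (PID CONTROLLER) #############################
# Demonstrates limiting the number of processes with the pids cgroup controller.
# These paths assume cgroup v1 (/sys/fs/cgroup/pids). On a cgroup v2 (unified)
# system there is no pids subdirectory: create /sys/fs/cgroup/test, make sure
# "pids" appears in /sys/fs/cgroup/cgroup.subtree_control, and use the same
# pids.max / cgroup.procs / pids.current files inside that directory.
cd /sys/fs/cgroup/pids
sudo mkdir test                           # The kernel populates the new cgroup's control files
ls test                                   # pids.max, pids.current, cgroup.procs, ...
sudo unshare --pid --fork /bin/sh
sleep 5000 &
sleep 5000 &
# host
cd /sys/fs/cgroup/pids/test
pstree -p                                 # Find the /bin/sh that unshare forked (it hangs under an 'unshare' node)
pstree <pid> -p                           # Expand one subtree if needed
echo 3 | sudo tee pids.max                # At most 3 tasks may exist in this cgroup
# Attach the namespaced shell to the cgroup. Writing a PID to cgroup.procs
# moves only that process; children it already forked stay in their old
# cgroup, and only processes it forks from now on are counted here. Write the
# host PID of the sh, not of the unshare parent, or the limit never applies to
# the shell's children.
echo "<host PID of sh>" | sudo tee cgroup.procs
cat pids.current                          # Tasks currently counted in this cgroup (1: just the sh)
# guest
sleep 5000 &                              # Counted against pids.max
sleep 5000 &                              # Counted against pids.max (sh + 2 sleeps = 3)
sleep 5000 &                              # Fails: fork() returns EAGAIN once pids.current would exceed pids.max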