jLuger.de - Owncloud in a container: container and namespaces

As docker became more and more popular, I started to get my hands on it. For that I searched the web for documentation and examples. While doing so I came across the following presentation: Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon. It introduced me to the concept of namespaces and how they are used to separate containers from each other and from the host system.

Namespaces aren't docker specific. They are part of the Linux kernel and even have their own man pages (namespaces(7)). For an easy start read this Wikipedia article. I will focus on the user, PID and mount namespaces, as they are the important ones for my project.
To play around with namespaces there is a command line utility named unshare (part of util-linux).

For the user namespace call
user@server:~$ unshare -U
nobody@server:~$
The user is nobody because no UID mapping has been written for the new namespace yet. Every ID that is not mapped is reported as the overflow ID (65534, shown as nobody), and that is what getuid() returns inside.

To become root inside the namespace, let unshare map your own ID to 0 with -r:
user@server:~$ unshare -r
root@server:~$
Now take a look at the filesystem:
root@server:~$ ls -l
....
drwxr-xr-x  2 root   root    4096 Sep 19 19:45 Documents
....
root@server:~$ ls -l /opt
....
drwxr-xr-x   2 nobody nogroup      12288 Okt 13 23:08 bin
....
Files you own show up as owned by root, because your UID is the one mapped to 0. Files owned by the real root are not mapped at all and therefore show up as nobody/nogroup.

This mapped root is no root on the host. Capabilities gained in a user namespace only apply to resources owned by that namespace, so writing into a directory owned by the real root is still denied:
root@server:~$ touch /bin/h
touch: cannot touch '/bin/h': Permission denied

What does work is chroot, because CAP_SYS_CHROOT inside the new user namespace is all chroot(2) asks for.

The PID namespace is a bit trickier to play with.
user@server:~$ unshare -p
unshare: unshare failed: Operation not permitted
To get it to start I also had to add the -f and -r options. Even then it didn't seem to work correctly, as I could still see all the other processes. It also took the option --mount-proc to hide the other processes.

All three are needed for a reason. Creating a PID namespace requires CAP_SYS_ADMIN, which the mapped root of a new user namespace (-r) has. The calling process itself stays in its old PID namespace; only children it creates afterwards land in the new one, and the first of them becomes PID 1. So unshare has to fork before running the shell (-f); without that, the shell's first child would become PID 1, and once it exits no further process can be created in the namespace. Finally, ps reads /proc, and the procfs inherited from the host still lists every host process; --mount-proc mounts a fresh procfs for the new PID namespace over /proc (and implies a new mount namespace, -m, to do so).
user@server:~$ unshare -p -f --mount-proc -r
root@server:~# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 2.0 0.0 19980 4852 pts/2 S 23:15 0:00 -bash
root 16 0.0 0.0 38980 3036 pts/2 R+ 23:15 0:00 ps aux
If you run ps from another shell outside the namespace, the same "-bash" process is listed, but under its host PID rather than 1: a process has one PID per PID namespace it belongs to, and only the new namespace sees it as 1.

For the mount namespace you pass -m to unshare, but again you need -r as well, since creating it requires CAP_SYS_ADMIN:
user@server:~$ unshare -m
unshare: unshare failed: Operation not permitted
user@server:~$ unshare -r -m
root@server:~#
Now you can do bind mounts and other stuff I didn't bother to take a closer look at.
To mention the obvious: without the mount namespace the mapped root user won't be able to do any mounts. mount(2) requires CAP_SYS_ADMIN in the user namespace that owns the mount namespace, and the host's mount namespace is owned by the initial user namespace, in which the mapped root has no capabilities at all.
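The three namespaces above are what a container runtime sets up with raw syscalls instead of the unshare binary. The following C program is an added example, not code from the original post or from util-linux: it does what unshare -r -p -f --mount-proc does (unshare(2) with CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNS, writing /proc/self/uid_map, setgroups and gid_map by hand, a fork so that the child becomes PID 1, and a private procfs mount) and includes a small helper, map_outside_to_inside, that reproduces the kernel's ID translation so you can see why unmapped host root turns into nobody. The function names, the fixed 64 KiB map-text buffer and the default kernel.overflowuid of 65534 are my assumptions; it needs Linux with unprivileged user namespaces enabled and a /bin/sh.

```c
/* Added example (not from the original post): what `unshare -r -p -f --mount-proc`
 * does, with raw syscalls.  Linux only; unprivileged user namespaces must be
 * enabled, otherwise unshare() fails with EPERM exactly like the CLI does. */
#define _GNU_SOURCE               /* unshare(2) and CLONE_* live in <sched.h> */
#include <sched.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER             /* in case <sched.h> was seen without _GNU_SOURCE */
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
int unshare(int flags);
#endif

#define OVERFLOW_ID 65534u        /* assumed default kernel.overflowuid, shown as "nobody" */

/* Translate an ID of the parent namespace into the child namespace, using the
 * text format of /proc/<pid>/uid_map ("inside outside count", one range per
 * line).  IDs outside every range become the overflow ID, which is why files
 * of the host's root show up as nobody/nogroup inside `unshare -r`. */
unsigned map_outside_to_inside(const char *uid_map, unsigned outside)
{
    const char *p = uid_map;
    while (p && *p) {
        unsigned inside, first, count;
        if (sscanf(p, "%u %u %u", &inside, &first, &count) == 3 &&
            outside >= first && outside - first < count)
            return inside + (outside - first);
        p = strchr(p, '\n');          /* next line, or NULL at end of text */
        if (p) p++;
    }
    return OVERFLOW_ID;
}

/* The single-range map line that `unshare -r` writes: "0 <host id> 1". */
int format_root_map(char *buf, size_t size, unsigned host_id)
{
    return snprintf(buf, size, "0 %u 1\n", host_id);
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* The -r part: map our own uid/gid to 0 in the user namespace we just entered.
 * An unprivileged process may only map its own ID, and has to write "deny" to
 * setgroups before gid_map (so it cannot shed a supplementary group that was
 * restricting it on the host). */
int map_self_to_root(uid_t uid, gid_t gid)
{
    char line[64];
    format_root_map(line, sizeof line, (unsigned)uid);
    if (write_file("/proc/self/uid_map", line) < 0) return -1;
    if (write_file("/proc/self/setgroups", "deny\n") < 0) return -1;
    format_root_map(line, sizeof line, (unsigned)gid);
    return write_file("/proc/self/gid_map", line);
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    char map[1 << 16];

    /* -U -p -m in one call.  The caller stays in its old PID namespace; only
     * its children land in the new one, hence the fork() below (-f). */
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS) < 0) { perror("unshare"); return 1; }
    if (map_self_to_root(uid, gid) < 0) { perror("writing id maps"); return 1; }

    /* Show the translation the kernel now applies to file owners. */
    int fd = open("/proc/self/uid_map", O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, map, sizeof map - 1);
    if (fd >= 0) close(fd);
    if (n > 0) {
        map[n] = '\0';
        printf("host uid %u -> %u inside, host root -> %u (nobody)\n", (unsigned)uid,
               map_outside_to_inside(map, (unsigned)uid), map_outside_to_inside(map, 0));
    }
    fflush(stdout);                   /* don't duplicate buffered output across fork */

    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        /* --mount-proc: keep mount events from propagating to the host, then put
         * a fresh procfs over /proc so ps only sees this PID namespace.  Both
         * need the new mount namespace; with a user namespace alone they fail
         * with EPERM (as can an overmounted /proc inside another container). */
        if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0 ||
            mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) < 0) {
            perror("mount"); _exit(1);
        }
        printf("child: pid %d, uid %d\n", (int)getpid(), (int)getuid());
        fflush(stdout);               /* exec would discard the stdio buffer */
        execl("/bin/sh", "sh", (char *)NULL);
        perror("execl"); _exit(1);
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Compile with cc -o ns ns.c and run it as an ordinary user; inside the shell it drops you into, ps aux lists only sh and ps, id reports uid 0, and ls -l /opt shows root-owned files as nobody, matching the unshare sessions above. The pure helper map_outside_to_inside is the same arithmetic the kernel applies to every file owner and process credential it shows you inside the namespace.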


This post is part of a series: