Namespaces & C-groups in a Nutshell!

Ahson Shaikh
5 min readApr 5, 2023

--

Linux, Linux, Linux!

Originals

Whether you’re aspiring to be a Dev-Ops Engineer or simply want to expand your knowledge of Linux, you’ve undoubtedly stumbled upon the powerhouse that is this Operating System. And let me tell you, once you gain a solid understanding of its core foundations, Linux can be an absolute joy to use! With the right guidance and resources at your disposal, Linux has the potential to revolutionize your career as a Dev-Ops Engineer, making your tasks smoother and your accomplishments more significant. So, why not take the plunge and explore the endless possibilities that await you in the world of Linux?

Get ready to take your understanding of Linux to the next level! In this article, we’ll be diving into two incredibly powerful features of this Operating System: Namespaces and C-groups. Even though they may not be as prevalent in today’s dockerized world, they’re still highly valuable tools to have in your arsenal. By mastering these concepts, you’ll be equipped with the knowledge and skills necessary to advance your career and become a true Linux expert. We’ll also provide you with real-world examples to help you gain a clear understanding of how these features can benefit you in the long run. So, let’s dive right in and uncover the hidden gems that lie within the world of Namespaces and C-groups!

Let’s understand What is the namespace, assuming that I’m teaching to novices and people who have no strong background with Linux.

1 — Namespace

In the world of Linux, a Namespace is a special type of room that’s made just for programs or applications to run in. Each Namespace has its own set of resources, like memory and processing power, that are separate from other programs running on the computer. This way, different programs can run at the same time without getting in each other’s way.

Think of it like having your own special playroom with all your toys and games, while your brother or sister has their own playroom with their toys and games. You can both play at the same time without fighting over the same toys because you each have your own space to play in.

In the same way, different programs can have their own Namespace to run in, so they don’t interfere with each other. And just like how you can go visit your sibling’s playroom if you want to play with their toys, programs can also access resources from other Namespaces if needed.

There are different types of namespaces that provide isolation in different areas, like the file system, networking, process ID, and user/group IDs. By using namespaces, processes can be kept separate and not interfere with each other, which can help with security and manageability.

For example, imagine you have multiple people sharing a computer. If one person opens a file on the computer, you wouldn’t want another person accidentally deleting or modifying that file. By using namespaces, each person could have their own isolated view of the file system, so they can only access their own files and not interfere with others.

So, that’s what a Namespace is! A special room that’s made just for certain programs to run in, to keep everything organized and running smoothly.

One of the key concepts that makes Docker’s containerization possible is Namespace. Just like Linux, Docker uses Namespace to create separate rooms, or environments, for different containers. This allows multiple applications to run on the same computer without interfering with each other.

2 — C-Groups

In a nutshell, C-Groups enable administrators to group processes together and set resource limits for each group. This allows for more efficient resource management, preventing one process from hogging resources at the expense of others.

C-Groups can be used to limit the amount of CPU time, memory, network bandwidth, and disk I/O that a group of processes can use. This is especially useful in multi-tenant environments, where multiple users or applications share the same system resources.

For example, let’s say you’re running a web server on a machine, and you want to make sure that it doesn’t use up all of the available memory. With C-Groups, you can set a limit on the amount of memory that the web server process can use, ensuring that other processes have access to the remaining memory.

Let’s get done with the explanation and reading! Let’s start doing.

Before, going any further, I want you to note down few commands that are going to be very useful for you.

  1. unshare: This command is used to create a new namespace for a given process, allowing it to run in an isolated environment.
  2. ip netns: This command can be used to manage network namespaces. For example, you can use it to create a new network namespace, list existing namespaces, or delete a namespace.
  3. mount: This command can be used to mount a file system in a namespace. You can use it to mount a different file system for each namespace, allowing processes to access different data based on the namespace they are running in.
  4. lsns: This command can be used to list all the namespaces that are currently running on the system. This includes network namespaces, mount namespaces, user namespaces, and more.
  5. setns: This command can be used to switch between different namespaces. For example, you can use it to switch to a different network namespace in order to run a command in an isolated network environment.
  6. ip netns exec: This command can be used to run a command in a specific network namespace. For example, you can use it to run a command in a network namespace that you have created.
  7. ps: This command can be used to list all the processes that are currently running on the system, including the namespace that each process is running in.

Additionally, you should use the below command to list down namespaces by their types.

lsns -t pid
# lsns -t(type of namespace) pid
# CHECK MORE TYPES WITH "lsns --help"

TASK-1(NAMESPACE):

Create a new PID namespace and launch a process inside it. Then, use the “ps” command from the host namespace to verify that the process is only visible within the new namespace.

Let’s break this into pieces!

  1. Create a new PID namespace:
unshare -mipf

Flags: -m creates a new mount namespace - i creates a new IPC namespace - p creates a new PID namespace - f tells unshare to fork after creating the new namespaces and before starting Bash

2. Check the current PID now:

echo $$

OUTPUT: 1

Now, you are running a separate namespace with current PID (1) — And you can further verify the current namespace is not visible to outside by “ps -ef” — root user is an exception.

This was a very simple challenge to do, there are a lot to dive into when it comes to practice. We will be adding more challenges as we will dig deeper in future.

Thanks for reading ❤

--

--

Ahson Shaikh

DevOps Engineer with 4 years of experience in cloud and on-premises environments, specializing in Python automation with Selenium, currently working at Arpatech