Linux Namespaces for Fun and Isolation - Martin Ertsås - NDC Security 2024
Explore Linux Namespaces for Fun and Isolation with Martin Ertsås at NDC Security 2024, covering PID, user, IPC, network, and time namespaces for testing, simulation, and more.
- Creating a namespace requires the CAP_SYS_ADMIN capability in the user namespace that owns the caller; the exception is the user namespace itself, which unprivileged processes can create where the kernel and distribution allow it.
- The speaker recommends not sharing objects across namespaces, since namespaces do not relax permission checks: the usual ownership and capability checks still apply to any shared object.
- Cross-namespace communication can still be established, for example through IPC objects, message queues, and socket pairs set up before the namespaces are split.
- Namespaces provide isolation, allowing for testing and simulation of various scenarios.
- The speaker uses unshare and clone to create and enter namespaces.
- The PID namespace isolates process IDs and a process's view of the process tree.
- The user namespace isolates user and group IDs and the capabilities that go with them.
- The IPC namespace isolates System V IPC objects and POSIX message queues.
- The network namespace isolates network interfaces, routing tables, and IP addresses.
- The time namespace isolates CLOCK_MONOTONIC and CLOCK_BOOTTIME through per-namespace offsets; it does not virtualize the wall clock (CLOCK_REALTIME).
- The speaker demonstrates namespaces with tools and system calls including pivot_root, setns, and the CLONE_NEWTIME flag.
- The speaker warns against using namespaces without a good understanding of how they work, as they are complex and can have unintended consequences.
- Some Linux distributions enable namespace features by default (notably unprivileged user namespaces), and the speaker suggests testing the ramifications on your own systems.
- Namespaces are used in various areas, including containerization, sandboxing, and testing.
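The following is an added example written for this page, not code from the talk: it puts the clone, user, PID and network namespace points above into one small C program. A child is cloned into fresh user, PID, network, IPC and UTS namespaces, the parent maps its own uid/gid to 0 inside the child's user namespace, and the child reports what it sees back over a pipe created before the split (the kind of inherited channel that still crosses namespace boundaries). It assumes a Linux kernel with user namespaces enabled and a host that allows unprivileged user-namespace creation (or root); the names ns_inode, write_id_maps and run_isolated are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)

/* What the child reports back over the pipe: its own view of its identity. */
struct ns_report {
    pid_t pid;     /* getpid() inside the new PID namespace (expected: 1) */
    uid_t euid;    /* geteuid() inside the new user namespace (expected: 0) */
    ino_t pid_ns;  /* inode of /proc/self/ns/pid: identifies the namespace */
    ino_t net_ns;  /* inode of /proc/self/ns/net */
};

struct child_args { int sync_p[2]; int report_p[2]; };  /* pipes made before clone */

/* Inode of /proc/<entry>/ns/<name> ("self" or a pid string). Two processes share
 * a namespace iff the inodes are equal. Returns 0 if the entry is unreadable. */
ino_t ns_inode(const char *entry, const char *name) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%s/ns/%s", entry, name);
    return stat(path, &st) == 0 ? st.st_ino : 0;
}

/* Id maps must arrive in a single write(2), so use open/write rather than stdio. */
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int rc = write(fd, text, strlen(text)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* Map the parent's own uid/gid to 0 inside the child's user namespace. An
 * unprivileged writer may only map its own ids and must write "deny" to
 * setgroups before gid_map. Returns 0 or -errno. */
int write_id_maps(pid_t child, uid_t uid, gid_t gid) {
    char path[64], map[64];
    int rc;
    snprintf(path, sizeof path, "/proc/%d/setgroups", (int)child);
    if ((rc = write_file(path, "deny")) != 0) return rc;
    snprintf(path, sizeof path, "/proc/%d/uid_map", (int)child);
    snprintf(map, sizeof map, "0 %d 1", (int)uid);
    if ((rc = write_file(path, map)) != 0) return rc;
    snprintf(path, sizeof path, "/proc/%d/gid_map", (int)child);
    snprintf(map, sizeof map, "0 %d 1", (int)gid);
    return write_file(path, map);
}

static int child_main(void *arg) {
    struct child_args *a = arg;
    struct ns_report r;
    char go;
    close(a->sync_p[1]);
    close(a->report_p[0]);
    /* Block until the maps exist; before that geteuid() is the overflow id 65534. */
    if (read(a->sync_p[0], &go, 1) != 1)
        _exit(1);                          /* EOF: the parent failed, give up */
    r.pid = getpid();
    r.euid = geteuid();
    /* /proc is still the parent's mount, so /proc/1 would be the host's init: use "self". */
    r.pid_ns = ns_inode("self", "pid");
    r.net_ns = ns_inode("self", "net");
    _exit(write(a->report_p[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
}

/* Clone a child into fresh user, PID, network, IPC and UTS namespaces and collect
 * its report. Returns 0, or -errno when the kernel or a seccomp policy refuses. */
int run_isolated(struct ns_report *out) {
    struct child_args a;
    int status, rc = 0;
    char *stack = malloc(STACK_SIZE);
    if (!stack) return -ENOMEM;
    if (pipe(a.sync_p) != 0 || pipe(a.report_p) != 0) { free(stack); return -errno; }
    /* CLONE_NEWUSER is applied first, so no host privilege is needed for the other
     * flags: the child holds full capabilities inside its new user namespace. */
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWIPC | CLONE_NEWUTS | SIGCHLD;
    pid_t child = clone(child_main, stack + STACK_SIZE, flags, &a);
    if (child < 0) rc = -errno;
    close(a.sync_p[0]);
    close(a.report_p[1]);
    if (rc == 0) rc = write_id_maps(child, getuid(), getgid());
    if (rc == 0 && write(a.sync_p[1], "G", 1) != 1) rc = -errno;
    close(a.sync_p[1]);                    /* on failure the child reads EOF and exits */
    if (rc == 0 && read(a.report_p[0], out, sizeof *out) != (ssize_t)sizeof *out) rc = -EIO;
    close(a.report_p[0]);
    if (child > 0 && waitpid(child, &status, 0) == child && rc == 0 &&
        !(WIFEXITED(status) && WEXITSTATUS(status) == 0))
        rc = -EIO;
    free(stack);
    return rc;
}

int main(void) {
    struct ns_report r;
    int rc = run_isolated(&r);
    if (rc != 0) {
        fprintf(stderr, "namespace creation refused: %s\n", strerror(-rc));
        return 1;
    }
    printf("child saw pid=%d euid=%d; pid ns %lu vs parent %lu; net ns %lu vs parent %lu\n",
           (int)r.pid, (int)r.euid,
           (unsigned long)r.pid_ns, (unsigned long)ns_inode("self", "pid"),
           (unsigned long)r.net_ns, (unsigned long)ns_inode("self", "net"));
    return 0;
}
```

Build with `gcc -Wall ns_demo.c -o ns_demo` and run as an ordinary user. On a host where unprivileged user namespaces are disabled (for example `user.max_user_namespaces=0`, a distribution sysctl that gates unprivileged creation, or a container seccomp profile that blocks clone with CLONE_NEWUSER) run_isolated returns a negative errno, typically -EPERM or -ENOSPC, which is precisely the "test the ramifications on your own system" check the talk recommends. The report shows the two sides of the isolation: the child is pid 1 and euid 0 from its own point of view, yet the parent's /proc/self/ns inodes differ from the child's, and nothing about the uid mapping grants the child any right on host objects it could not already access.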