Use of Cgroup and namespace in testing (part 2)

Source: Internet
Author: User

Namespace introduction

Namespaces give each process group its own PID, IPC and network space, so these system resources are no longer global but belong to a particular namespace. Resources inside one namespace are invisible to the other namespaces, which is how the isolation is achieved.

The current namespace types, with the clone() flag that creates each, are:

    • Mount namespaces: CLONE_NEWNS
    • UTS namespaces: CLONE_NEWUTS
    • IPC namespaces: CLONE_NEWIPC
    • PID namespaces: CLONE_NEWPID
    • Network namespaces: CLONE_NEWNET
    • User namespaces: CLONE_NEWUSER

You can see which namespaces your system supports by listing the ns directory of a process, for example PID 1 (timestamps were lost in the original listing):

# ls -lai /proc/1/ns
total 0
418834 dr-x--x--x 2 root root 0 Jul .
  1301 dr-xr-xr-x 9 root root 0 Jul ..
418853 lrwxrwxrwx 1 root root 0 Jul ipc -> ipc:[4026531839]
418856 lrwxrwxrwx 1 root root 0 Jul mnt -> mnt:[4026531840]
418851 lrwxrwxrwx 1 root root 0 Jul net -> net:[4026531957]
418854 lrwxrwxrwx 1 root root 0 Jul pid -> pid:[4026531836]
418855 lrwxrwxrwx 1 root root 0 Jul user -> user:[4026531837]
418852 lrwxrwxrwx 1 root root 0 Jul uts -> uts:[4026531838]
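The inode numbers in those links identify a namespace: two processes are in the same namespace of a given kind when their links resolve to the same inode. The following added example (not from the article) reads the links under /proc/<pid>/ns and reports which namespaces a process shares with a reference process, defaulting to PID 1; reading another user's links needs ptrace access, so unreadable kinds are skipped rather than guessed.

```python
"""Compare the namespaces of two processes via /proc/<pid>/ns (Linux only).
Added example; `compare_namespaces` and `NS_KINDS` are names chosen here."""
import os

NS_KINDS = ("ipc", "mnt", "net", "pid", "user", "uts")  # the six kinds listed above


def parse_ns_link(target):
    """'net:[4026531957]' -> ('net', 4026531957); anything else is rejected."""
    kind, _, rest = target.partition(":")
    if not rest.startswith("[") or not rest.endswith("]"):
        raise ValueError(f"unexpected ns link target: {target!r}")
    return kind, int(rest[1:-1])


def namespace_ids(pid):
    """Map namespace kind -> inode for pid ('self' works too). Kinds that
    cannot be read (old kernel, or no permission for another user's
    process) are left out instead of being guessed."""
    ids = {}
    for kind in NS_KINDS:
        try:
            found, inode = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
        except (FileNotFoundError, PermissionError):
            continue
        ids[found] = inode
    return ids


def compare_namespaces(pid, ref=1):
    """Return (shared, separate) kinds between pid and ref, over the kinds
    readable for both. A process whose net, pid and mnt namespaces differ
    from PID 1's is running under container-style isolation."""
    a, b = namespace_ids(pid), namespace_ids(ref)
    common = [k for k in NS_KINDS if k in a and k in b]
    shared = [k for k in common if a[k] == b[k]]
    separate = [k for k in common if a[k] != b[k]]
    return shared, separate


if __name__ == "__main__":
    shared, separate = compare_namespaces("self")
    print("shared with PID 1:   ", shared)
    print("separate from PID 1: ", separate)
```

Run it as root on the host and inside `ip netns exec` (or inside a container) to see the net namespace move from the shared list to the separate list.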

The functions of the namespaces are summarized as follows:

    • IPC namespaces 
      IPC objects created in an IPC namespace are visible to all processes within that namespace, but not to other namespaces. Processes in different namespaces therefore cannot communicate through them directly, as if they were on different systems.

    • mnt namespaces 
      The mnt namespace handles mount points, which lets different containers have different mounted file systems and root directories. A file system mounted in one mnt namespace can only be seen by processes in the same namespace.

    • UTS namespaces 
      The UTS namespace isolates the host name and domain name, so each container can have its own host name and domain name and appears on the network as a separate node rather than as a process on the host.

    • User namespaces 
      User namespaces are the most recently added type. They allow users to be created that are independent of other namespaces, which is achieved through UID and GID mappings.

    • pid namespaces 
      A PID namespace gives processes a separate PID space: PIDs inside it start at 1, and fork, vfork or clone called inside the namespace produce PIDs that are independent of those outside it. The first process in a newly created namespace gets PID 1 inside it, just like the init process in a standalone system.

    • Network namespaces 
      Provides isolation of network resources: network devices, the IPv4 and IPv6 protocol stacks, IP routing tables, firewall rules, the /proc/net and /sys/class/net directories, ports (sockets) and so on. A physical network device can be present in at most one net namespace. A veth pair (a virtual network device pair with two ends, like a pipe: data fed into one end comes out of the other, and vice versa) can be created with its ends in different net namespaces to form a channel between them.

In general, creating a namespace means calling a system function, for example creating a process in a new namespace with clone():

int clone(int (*child_func)(void *), void *child_stack, int flags, void *arg);

so it is not very approachable. Network namespaces, however, can be configured entirely from the command line and have the most use cases, so the rest of this article looks at them in detail.

Network namespaces in practice

The command to add a network namespace is:

ip netns add <network namespace name>

For example, to add a network namespace called mltest:

# ip netns add mltest

List the namespaces:

# ip netns list
mltest

A namespace can also be deleted:

# ip netns delete mltest

Running ip addr inside the namespace shows that a loopback device (lo) has been created by default. The general form for running a command inside a net namespace is ip netns exec <name> [command]:

# ip netns exec mltest ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
    link/loopback xx:xx:xx:xx:xx:xx brd xx:xx:xx:xx:xx:xx

Next, create a veth pair, a pair of virtual devices used for network communication between two namespaces. Two new devices, veth0 and veth1, appear (some MTU and queue-length values were lost in the original listing):

# ip link add veth0 type veth peer name veth1
# ip link list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback xx:xx:xx:xx:xx:xx brd xx:xx:xx:xx:xx:xx
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu qdisc pfifo_fast state UP mode DEFAULT group default qlen
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
3: veth1: <BROADCAST,MULTICAST> mtu qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
4: veth0: <BROADCAST,MULTICAST> mtu qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff

Then move one end of the pair into the namespace, so that each of the two namespaces has one virtual device:

# ip link set veth0 netns mltest
# ip link list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback xx:xx:xx:xx:xx:xx brd xx:xx:xx:xx:xx:xx
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu qdisc pfifo_fast state UP mode DEFAULT group default qlen
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
3: veth1: <BROADCAST,MULTICAST> mtu qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
# ip netns exec mltest ip link list
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default
    link/loopback xx:xx:xx:xx:xx:xx brd xx:xx:xx:xx:xx:xx
4: veth0: <BROADCAST,MULTICAST> mtu qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff

Assign IP addresses to the two devices with ifconfig:

# ip netns exec mltest ifconfig veth0 10.1.10.1/24 up
# ifconfig veth1 10.1.10.2/24 up

With that, the configuration of the mltest namespace is basically complete. The same service can now listen on the same port in every namespace without conflict. On the host, one instance is already listening on each NIC, and another is started inside the namespace:

# netstat -lan | grep 50007
tcp        0      0 192.168.231.131:50007   0.0.0.0:*   LISTEN
tcp        0      0 10.1.10.2:50007         0.0.0.0:*   LISTEN
# ip netns exec mltest ./tcp_server.py &
[3] 19502

The same service is now also running inside the namespace:

# ip netns exec mltest netstat -lan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.1.10.1:50007         0.0.0.0:*               LISTEN

Connecting from the host works directly; here veth0 (inside the namespace) is reached from veth1, and the backgrounded server prints the client address:

# telnet 10.1.10.1 50007
Trying 10.1.10.1...
Connected to 10.1.10.1.
Connected by ('10.1.10.2', 43755)
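The tcp_server.py started above is not shown in the article; the following added example (not the article's script) is a minimal TCP echo service of that kind. It binds 0.0.0.0 on port 50007, which is what lets one copy listen in the host namespace and another inside mltest without an address conflict; `roundtrip` runs server and client in one process on a kernel-chosen port so the logic can be checked without namespaces or root.

```python
"""Minimal TCP echo server/client pair (added example, hypothetical
stand-in for the article's tcp_server.py). Port 50007 matches the
article's netstat and telnet output."""
import socket
import threading

PORT = 50007


def make_listener(host="0.0.0.0", port=PORT):
    """Bind and listen; port 0 lets the kernel pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def serve_once(srv):
    """Accept one client, echo everything it sends, return (peer, bytes)."""
    conn, peer = srv.accept()
    received = b""
    with conn:
        while chunk := conn.recv(1024):
            received += chunk
            conn.sendall(chunk)  # echo back what arrived
    return peer, received


def echo_client(host, port, payload):
    """Connect, send payload, half-close, and collect the echoed reply."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # tells the server we are done sending
        out = b""
        while chunk := c.recv(1024):
            out += chunk
    return out


def roundtrip(payload=b"hello from veth1", host="127.0.0.1"):
    """Server thread plus client in one process; returns (echoed, received, peer_ip)."""
    srv = make_listener(host, 0)
    port = srv.getsockname()[1]
    result = {}
    t = threading.Thread(target=lambda: result.update(zip(("peer", "data"), serve_once(srv))))
    t.start()
    echoed = echo_client(host, port, payload)
    t.join(5)
    srv.close()
    return echoed, result.get("data"), result.get("peer", (None,))[0]


if __name__ == "__main__":  # behaves like the article's tcp_server.py
    srv = make_listener()
    print("Connected by", serve_once(srv)[0])
```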

Only a single pair of network devices is configured here. For several namespaces to reach each other, a bridge or NAT is needed, which requires additional configuration.

Network isolation solves scenarios such as simulating a multi-machine deployment on a single host, or running multiple instances on the same port without conflict. Because of the isolation, the routes and iptables configuration of one namespace do not affect applications in other namespaces, which also makes it suitable for fault-injection testing. There is a lot to explore: it has been used for single-ring tests and for OpenVPN multi-process testing, and people abroad have built a lightweight network emulator, CORE, on top of net namespaces.

Namespace reference

Introduction to Linux namespaces is a great series.

Summary

This was a rough introduction to the basic concepts and use of cgroups and namespaces. They have many more applications; this article is only a starting point, and I hope it provides some inspiration.

