Namespaces

[00:00:00]
>> Brian Holt: Hopefully you found change root pretty straightforward. Namespaces and cgroups, we're gonna step up a little bit in level of difficulty here. And I'm also gonna be a bit more surface level, because there's a lot of depth here. But we'll start with namespaces. Namespaces have been around forever.

[00:00:19]
It's kind of a core concept of how Linux, in the kernel, is just built, kind of in general.
>> Brian Holt: But let's start with an example, because I think that's gonna be the easiest way for me to illustrate this. But the gist here is it's for security and resource management.

[00:00:36]
That's what namespaces are all about.
>> Brian Holt: So let's say that you buy a server and you put it in your basement and you're gonna start selling it to customers, right? You're gonna start running containers or VMs or something in your basement as a way to make some money on the side.

[00:00:52]
What sort of concerns would you have about running untrusted code, right? Because you're gonna have random people connecting to your servers that you don't know personally. They're going to be uploading stuff that you don't know what it does, and they're gonna be running it. What are your concerns about untrusted code?

[00:01:09]
So let's make an example. You have Alice and Bob, who are both running e-commerce.services that deal with money. And let's say just they're generally good people minding their own business, they're just interested in running their businesses. But then you have Eve, who joins your server that has other intentions.

[00:01:31]
She wants to steal the money, source code, or just whatever nefarious money-making scheme that Eve can get up to. If you give all three of them unfettered root access, you're gonna have some problems because Eve is gonna be able to run over them. So the first thing you do, obviously, is you're gonna say, all right, here's your jailed process, here's your jailed process, and here's your jailed process.

[00:01:54]
That solves your stealing files kind of security vulnerability. Cool, but is your problem solved yet? No.
>> Brian Holt: Despite the fact that Eve can't actually get to the file, she can actually still see the processes, right? So if you go and you run, I'll just show you right here.

[00:02:19]
If I run ps aux.
>> Brian Holt: I can see this bash is running, and then I can also see the process observing itself, ps-aux right here. But if I had a change-rooted environment, I would be able to see everything running in that change-rooted environment. And if I had three of them and they're all running their own processes, they can all see each other's processes.

[00:02:43]
It seems kinda like a problem, right? Cuz now you can just go in there and say, well, at the very least, I can cause some chaos and she can just start killing processes. It seems kind of problematic, right?
>> Brian Holt: She can unmount file systems, and probably even the most dangerous thing is she can start hijacking processes, right?

[00:03:02]
She can start moving processes out of your subtree and into her subtree. She can dump memory. She can do a bunch of stuff like that. Namespaces allow you to hide processes from other processes. So now, I can give you a change-rooted environment, but I can give every one of them their own set of namespace.

[00:03:22]
So they have their own set of processes, they get their own numbers, they get their own everything. So they can't even just guess each other's processes' numbers. They actually are physically separated systems so that she can't actually even just hijack them that way. This is just part of what namespaces can do.

[00:03:40]
But it's probably the most salient detail in what we're talking about here. But namespace handle a lot of things.
>> Brian Holt: Yeah, so what I described here is basically just the UTS system, which is called the UNIX time-sharing namespace. And we'll talk a bit more about some of the other namespaces later, but for now, let's just focus on that.

[00:04:01]
So I'm gonna go back in here into my jailed process,
>> Brian Holt: By doing that. Okay, so I'm in my jailed process. I'm gonna open another tab here. So you can see, I have two tabs open. And then I'm gonna run this command here, docker exec -it docker-host bash.

[00:04:24]
This is going to allow me to connect to the same container.
>> Brian Holt: Right, cuz we called it docker-host. In fact, I'll even just show you.
>> Brian Holt: You can see I have docker-host running right here. It's been running for 23 minutes. I'm going to say docker exec docker-host bash, right?

[00:04:47]
And so now I have another instance of bash connected to the same container. So if I say docker ps here, or, not Docker ps, rather ps aux, you can see, I can actually see multiple instances of bash running. I can see the other processes running here. So I'm the admin, that's probably okay that I can see the other processes running.

[00:05:14]
But if you can imagine if I have another person that comes in here and another jail process, they can also see each other's processes, which is a problem.
>> Brian Holt: Okay, and just to kind of demonstrate that for you, I'm gonna run this process here. So this is my jailed process here.

[00:05:37]
I'm gonna run this. All this does is this just runs this command perpetually, it doesn't really matter what it does. And now, if I come over here, God, force of habit, ps aux. Do that, cuz I don't have tail in here. Well, I can do it the other way around.

[00:06:01]
So I can do that here.
>> Brian Holt: And is this gonna work from here? No, but if I do here, you can see here that I can see the tail running in my other process, right? So every instance the bash can see each other. It would work from within the jailed process as well,, but we don't have ps in there, right, and we don't have tail in there.

[00:06:22]
So that's why that's not working at the moment. But I'll show you that here in just a second.
>> Brian Holt: So we can actually even get a little bit more nefarious than this, right? So this is still running the process, right?
>> Brian Holt: And if I go grab this PID right here, 91, which is the process ID, and if I say kill -9 91.

[00:06:53]
>> Brian Holt: You can see here it was killed from the other process, right? This is the danger that we're kind of talking about, that if you have multiple people connect to the same thing, and they can see each other's process trees, they can start messing with each other. Let's introduce some safety here then with unshare.

[00:07:14]
>> Brian Holt: Unshare is going to allow us to be able to separate processes and their namespaces from each other.
>> Brian Holt: Okay, so what I'm gonna do here, I have a bunch of setup instructions here for you. This is gonna install, basically, a very minimal copy of Debian. The one,
>> Brian Holt: Warning I'm gonna give you is that this will install about 150 megabytes and it is not cached.

[00:07:51]
So if you do it again, it's gonna do it 150 megabytes again, right? So every time that you run this command right here, the debootstrap one, be aware that you're installing 150 megs of stuff. Okay, so we're gonna run that apt-get update.
>> Brian Holt: Okay, that worked. apt-get install deboostrap -y,
>> Brian Holt: I didn't spell that right, debootstrap.

[00:08:33]
>> Brian Holt: Debootstrap is just a tool to install minimal copy of Debian, that's what it does. Okay, I'm gonna say debootstrap -- variant=minbase. If you don't do this, you'll install a full copy, which is even bigger. We're gonna do jammy, and we're gonna put it into /better-root instead of my new root.

[00:09:02]
Okay, so I'm gonna get that running. It'll take, I'll say, a couple minutes, but it takes probably 90 seconds, I'm gonna guess. So while that's running, we'll talk about what we're gonna do here. unshare, right, so this is basically, I'm gonna create a new process. And inside that process, I want you to create new namespaces for uts, that's what we were just talking about, UNIX time-sharing, network, process IDs, process forkings, user space, all that kinda stuff.

[00:09:41]
And then It inside of that unshared environment, we also want to change root into my better-root, which is going to be basically a new copy of Linux for us. And then I want you to run bash inside of it. And then these three commands here are basically just saying, hey, Linux, mount this for me, which is basically saying, there's a system created for you, please use it for me.

[00:10:04]
>> Brian Holt: Okay, so now, if you look inside of better-root, you'll see that it looks almost identical to what's out here, because we just created a new copy of Linux essentially. And then I'm going to run this.
>> Brian Holt: And you can see here, it looks really similar, right? And it's because, now, we're basically in a full copy of Linux inside of our copy of Linux, which is now inside of macOS for me, right?

[00:10:34]
We're going down, this tunnel's all the way down, okay? And we're gonna mount all of these systems. So just copy and paste all of these. Let's see, sorry,
>> Brian Holt: That one, that one, and that one.
>> Brian Holt: All right, so now we are in a fully unshared environment. So let's go ahead and run our little process here again, this tail.

[00:11:17]
>> Brian Holt: We're gonna run this from the host operating system. So again, my first tab here up to the top, this is inside of my unshared environment. And the second one, remember, is not in the unshared environment. It's in the host computer. So if I run this, okay, so this is now running.

[00:11:37]
And I say ps aux, notice that this can't see above itself, right? It can't see what the parent is doing. It's now wholly unaware of both its processes and its file system of what's above it.
>> Brian Holt: I don't know, I think that's pretty impressive. I think it's pretty cool, right?

[00:11:59]
We've now fully jailed and namespaced this off, so that no matter who's creating apps on your server, no matter how nefarious Eve is, she can't see the processes, she can't see the files, she can't hijack processes, she can't kill stuff. This all has become impossible to her because we've kind of sectioned off, or one could say, contained, right, this process.

[00:12:29]
Pretty cool, right? So, this is the PID right here, 8269. If I try and come in here and say, kill -9, that PID is gonna be like, I don't know what that is, right? Because this one doesn't have the process ID of 8269, only this one does.
>> Brian Holt: Pretty sure.

[00:13:02]
>> Brian Holt: Oop, how many times am I gonna do that today? Yeah, 8269 right there. So I could do it from here, right, cuz this is not an unshared environment, but this one can't do it. It can't see it because it's now been contained. This first tab that I have up here, it's inside of basically the handcrafted container, right?

[00:13:27]
So you can see this command right here, this unshare one. It's been change rooted, right? So that's why it can't see any of the file system above it. And this unshare part of it has contained all of its namespaces, right? So you can see we've isolated its mount, UTS, IPC, all of those, so that this one is now isolated, and it wouldn't be able to see other contained processes on its host, whereas this one can, cuz this is the host computer, right?

[00:13:59]
The host can see into what the children processes are, right? When I did this for the first time, it was what I got really excited to teach this course, it's like, my God, this is so. It's understandable, cuz it's very tangible, right? You can actually kinda watch all of this stuff happen, which I think is really cool.