`nsenter`
that allows you to switch to the namespace of another process. It took me considerable time to search it out today so thought to write a short blog about it.Now I have a Podman container (for docker just use
`docker`
command instead of `podman`
below). I started that container by:$ sudo podman run -t -a STDIN -a STDOUT -a STDERR --rm=true --entrypoint /bin/bash quay.io/example/image:version
And I've been running some testing on it but it turned out I want to increase limits without destroying my preparations if I exit the process. So first thing is to figure out pid namespace of my container:
$ sudo podman ps --ns
CONTAINER ID NAMES PID CGROUPNS IPC MNT NET PIDNS USERNS UTS
a147a3a5b35f fervent_stonebraker 1408 4026531835 4026532431 4026532429 4026532360 4026532432 4026531837 4026532430
I see different namespaces but
`nsenter`
requires a file name to switch to a PID namespace. SO I will use the PID information in above output.$ sudo nsenter --pid=/proc/1408/ns/pid
The above starts a shell for me in the PID namespace of my container. Now I want to change limits. Interesting to note here is that I change pid 1 as it is the PID of my bash shell in the container:
$ sudo prlimit --rss=-1 --memlock=33554432 --pid 1
Finally verify limits in my container shell:
bash-4.2$ ulimit -a
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 23534
max locked memory (kbytes, -l) 32768
max memory size (kbytes, -m) unlimited
open files (-n) 1048576
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 16384
cpu time (seconds, -t) unlimited
max user processes (-u) 1048576
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
One interesting thing is
`ps`
inside namespace. If I run these two$ ps -ef
$ sudo nsenter --pid=/proc/1408/ns/pid ps -ef
They will show exactly the same output. It is because I still have same
`/proc`
mounted even though my PID namespace is changed. And it is what `ps`
looks at.With
`nsenter`
you can switch any namespace, not only PID. I hope this is a useful short demonstration how to do fun things with linux namespaces.Some links:
- https://lwn.net/Articles/531114/ - namespaces overview series
This comment has been removed by a blog administrator.
ReplyDeleteThis comment has been removed by a blog administrator.
ReplyDeleteThis comment has been removed by a blog administrator.
ReplyDelete