20250405 Deck3 Flashcards
What are Linux namespaces in simple terms?
Namespaces are a Linux kernel feature that isolate resources (like processes, network, filesystems) so that a process thinks it’s running in its own independent environment.
Name 3 types of Linux namespaces used in containerization.
• pid – isolates process IDs
• net – isolates networking (interfaces, IPs)
• mnt – isolates mount points/filesystems
Also: user, uts, ipc, cgroup
What is the purpose of the unshare command in Linux?
It creates new namespaces for a process, allowing it to run with isolated system properties like hostname, network, or mount points.
What does unshare -u bash do?
It starts a new bash shell in a new UTS (hostname) namespace, allowing the user to change the hostname without affecting the rest of the system.
What is the UTS namespace used for in Linux?
It isolates the system’s hostname and domain name, allowing processes to set custom hostnames independently.
What are cgroups (control groups) in Linux?
Cgroups are a kernel feature that limit, track, and isolate the resource usage (CPU, memory, I/O, etc.) of groups of processes.
Give an example of how Docker uses cgroups.
When you run docker run --memory=512m --cpus=1, Docker uses cgroups to enforce those resource limits on the container.
What resources can be controlled with cgroups?
Memory, CPU, block I/O, number of processes (PIDs), and more.
What are Linux capabilities and why were they introduced?
Capabilities split root privileges into fine-grained units so that processes can be granted some powers (like binding to port 80) without full root access.
What does CAP_NET_BIND_SERVICE allow a process to do?
Bind to low-numbered ports (like 80 or 443) without full root privileges.
How do you give a Docker container permission to modify its own network settings?
Use --cap-add=NET_ADMIN when running the container.
What’s a secure way to run containers with limited privileges?
Drop all capabilities using --cap-drop=ALL, then add only the ones needed using --cap-add=...