ipc命名空间
概述
主要能力
提供进程间通信的隔离能力
ipc命名空间隔离性验证
获取当前进程
ID
[root@localhost ~]# echo $$
49265
在这里为了方便解释,我们将进程ID为49265的进程称为PID-A
查看当前进程命名空间信息
[root@localhost ~]# ls -l /proc/$$/ns
total 0
lrwxrwxrwx 1 root root 0 Jul 14 07:27 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Jul 14 07:27 ipc -> ipc:[4026531839]
lrwxrwxrwx 1 root root 0 Jul 14 07:27 mnt -> mnt:[4026531840]
lrwxrwxrwx 1 root root 0 Jul 14 07:27 net -> net:[4026531992]
lrwxrwxrwx 1 root root 0 Jul 14 07:27 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Jul 14 07:27 pid_for_children -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Jul 14 07:27 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Jul 14 07:27 uts -> uts:[4026531838]
查看 PID-A 进程的 ipc 信息
[root@localhost ~]# ipcs
------ Message Queues --------
key msqid owner perms used-bytes messages
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x00000000 2 gdm 777 16384 1 dest
0x00000000 5 gdm 777 7372800 2 dest
------ Semaphore Arrays --------
key semid owner perms nsems
使用
unshare
隔离ipc namespace
unshare --ipc /bin/bash
查看进程ID,发现已变更(unshare 启动了一个新的 /bin/bash 进程)
[root@localhost ~]# echo $$
62293
在这里为了方便解释,我们将进程ID为62293的进程称为PID-B
查看两个进程的关系:PID-B(62293)的父进程是 PID-A(49265),二者为父子关系
[root@localhost ~]# ps -ef|grep 62293
root 62293 49265 0 07:33 pts/0 00:00:00 /bin/bash
root 62430 62293 0 07:33 pts/0 00:00:00 ps -ef
root 62431 62293 0 07:33 pts/0 00:00:00 grep --color=auto 62293
查看 PID-B 进程的 ipc 信息
[root@localhost ~]# ipcs
------ Message Queues --------
key msqid owner perms used-bytes messages
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
------ Semaphore Arrays --------
key semid owner perms nsems
可见 PID-B 看到的 IPC 对象与 PID-A 不一致(PID-A 中的共享内存段在 PID-B 中不可见)
测试:在 PID-B 中创建一个消息队列,检查在 PID-A 中是否可以看到
[root@localhost ~]# ipcmk --queue
Message queue id: 0
[root@localhost ~]# ipcs
------ Message Queues --------
key msqid owner perms used-bytes messages
0x6c54b6c4 0 root 644 0 0
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
------ Semaphore Arrays --------
key semid owner perms nsems
新开一个 ssh 连接(会产生新的进程),查看是否可以看到 PID-B 中创建的消息队列
[root@localhost ~]# echo $$
49857
[root@localhost ~]# ipcs -q
------ Message Queues --------
key msqid owner perms used-bytes messages
新进程看不到 PID-B 创建的消息队列,隔离验证成功!
查看 PID-B 进程的命名空间信息
[root@localhost ~]# ls -l /proc/62293/ns
total 0
lrwxrwxrwx 1 root root 0 Jul 14 07:47 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Jul 14 07:47 ipc -> ipc:[4026532765]
lrwxrwxrwx 1 root root 0 Jul 14 07:47 mnt -> mnt:[4026531840]
lrwxrwxrwx 1 root root 0 Jul 14 07:47 net -> net:[4026531992]
lrwxrwxrwx 1 root root 0 Jul 14 07:47 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Jul 14 07:47 pid_for_children -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Jul 14 07:47 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Jul 14 07:47 uts -> uts:[4026531838]
与 PID-A 的命名空间信息对比,二者仅 ipc 一项不同(PID-A 为 ipc:[4026531839],PID-B 为 ipc:[4026532765]),其余命名空间相同
IPC实现方式
Linux
进程通信方式
- 信号量
- 共享内存
- 消息队列
- 管道
- 信号
- 套接字通信
其中信号量、共享内存、消息队列基于内核的 IPC 命名空间实现,因此可以通过 IPC 命名空间进行隔离
[root@localhost ~]# ipcs
------ Message Queues --------
key msqid owner perms used-bytes messages
0x84300480 0 root 644 0 0
0xba58165a 1 root 644 0 0
0xb5be9e2a 2 root 644 0 0
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x00000000 2 gdm 777 16384 1 dest
0x00000000 5 gdm 777 7372800 2 dest
------ Semaphore Arrays --------
key semid owner perms nsems