
Here's a preview from my zine, How Containers Work!

processes use their parent’s namespaces by default
parent, represented by a box with a smiley face: I’m in the host network namespace!
child, represented by a smaller box with a smiley face (created with ‘clone’ syscall): me too!
but you can switch namespaces at any time
box with a smiley face: I’m starting a container so it needs its own namespaces
command line tools
$ unshare --net COMMAND
: run COMMAND in a new network namespace
$ sudo lsns
: list all namespaces
$ nsenter -t PID --all COMMAND
: run COMMAND in the same namespaces as PID
namespace system calls
- clone: make a new process
- unshare: make + use a namespace
- setns: use an existing namespace
clone lets you create new namespaces for a child process
parent: clone (... CLONE_NEWNET)
child: I have my own network namespace!
each namespace type has a man page
$ man network_namespaces
...
A physical network device can live in exactly one network namespace.
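
The inheritance and unshare behaviour described above, as an added C example (not from the zine): it identifies a network namespace by the inode of /proc/self/ns/net and compares a child that inherits its parent's namespace with one that calls unshare(CLONE_NEWNET). The helper names are made up for this example, fork() stands in for a clone call with no CLONE_NEW* flags, and the unshare step assumes CAP_SYS_ADMIN (run as root to see a new namespace).

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* A network namespace is identified by the inode of /proc/self/ns/net
 * (the number lsns prints in its NS column). Returns 0 on error. */
static unsigned long net_ns_id(void) {
    struct stat st;
    if (stat("/proc/self/ns/net", &st) != 0)
        return 0;
    return (unsigned long)st.st_ino;
}

/* Fork a child and report which network namespace it ends up in.
 * do_unshare = 0: child keeps what it inherited from the parent.
 * do_unshare = 1: child calls unshare(CLONE_NEWNET) first; this needs
 * CAP_SYS_ADMIN, and 0 is returned if the kernel refuses. */
static unsigned long child_net_ns_id(int do_unshare) {
    int fds[2];
    unsigned long id = 0;
    if (pipe(fds) != 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return 0;
    }
    if (pid == 0) {                       /* child */
        if (!do_unshare || unshare(CLONE_NEWNET) == 0)
            id = net_ns_id();
        _exit(write(fds[1], &id, sizeof id) == (ssize_t)sizeof id ? 0 : 1);
    }
    close(fds[1]);                        /* parent */
    if (read(fds[0], &id, sizeof id) != (ssize_t)sizeof id)
        id = 0;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return id;
}

int main(void) {
    printf("parent:          net:[%lu]\n", net_ns_id());
    printf("child (default): net:[%lu]\n", child_net_ns_id(0));
    printf("child (unshare): net:[%lu] (0 = not permitted)\n", child_net_ns_id(1));
    return 0;
}
```
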