network

8a10808f854b42568797_010502_Provincial_10-10-11_D1JGMRD_1

Since a few months ago, the containerization of processes becomes in the new virtualization for modern devops.

Of course we are old devops, you know, and nothing special are in containerization that we didn’t use years ago. There are some poor man’s alternative to new tools, like docker or vagrant, but in the old-school way.

The forgotten chroot

Years ago chroot was forgotten for unspecific reasons. The truth is that we can use chroot to create a good way of containerization if we don’t need copy-on-write or network capabilities. This is a very portable way which requires only root privileges, but none special capability enabled in kernel config (very useful for restricted VPS).

You have also a number of non-root alternatives based on ptree, like proot. The use of ptrace is deeper enough to write another article per se. Stay tuned!

LD_PRELOAD

You can do very interesting things with LD_PRELOAD variable. If set the GNU dynamic liker load the library defined in variable in the process context, linking the symbols. So you can override methods like open (2) or write (2). Using this way you can implement a easy-to-use copy on write system which do not require anything special. No root privileges, no special configs in kernel.

Of course there are a number of implementations of this idea. My favorite one is fl-cow, which comes in debian package (officially maintained in Debian and Ubuntu).

unshare

The “new” member of system functions since linux 2.6.16 is the unshare (1) system call, which comes with user space tool unshare (1). The unshare function allow to disassociate parts of the process execution context. That means that you can run a process with different filesystem space for example. It’s very useful when you need to handle mount points for your “containers”.

My favorite tool to handle unshare, clone and others is dive. A tool created by Vitaly Shukela which allows you to run process with different mountpoints, and other capabilities, like cgroups or network namespaces, which will see in next paragraph.

Network namespaces

Since kernel 2.6.24, linux kernel has the ability to create network namespaces. Namespaces is a way to create different network adapters and route tables based in the process context. So you process can handle a “virtual” interface in a simple way.

Scott Lowe wrote some years ago (nothing new here) a really good introduction to namespaces in GNU/Linux using iproute2.

With NS you can easily define a number of hosts with connectivity between them (using loopback) so, your pseudo-containers can use network. It’s very useful when you need to test master-slave configurations.

Conclusions

Of course the containerization is one of most active area in devops today. A lot of good developments like docker are emerging in the horizon, but if you don’t need a more complex systems, this solutions can help you. Furthermore, most of these principles are in the base of how modern containerization systems actually works.

tcptraceroute was another friend of the network administrator. Probably you known classical traceroute, which use the TTL field in IP header to determinate the hops in the route to a specific destination. In each hop the TTL value is decreasing (according to internet protocol), and when TTL is equal to cero, a ICMP is returned to sender IP. So, the classical traceroute technique, send a UDP packet with TTL field setted to 1, and get the IP address of the first hop from returned ICMP, and likewise for other hops.

Unfortunately, today many host are firewalled and ICMPs are blocking. The classical traceroute design fails, and we only obtain a list of useless “*”. The tcptraceroute use TCP packets instead of UDP packets, and try to connect to usual port enabling the SYN flag. If port is closed, a RST flag is returned, and if port is open then return an ACK flag. So we don’t need ICMPs anymore.