Linux - kamialie/knowledge_corner GitHub Wiki

Linux

Linux Namespaces

Each system initially has a single namespace in which all system resources are shared. Additional namespaces can be created on demand.

There are multiple kinds of namespaces, each isolating a certain group of resources; a given process belongs to exactly one namespace of each kind:

  • Mount (mnt)
  • Process ID (pid)
  • Network (net) - each network interface belongs to exactly one namespace (but can be moved from one to another)
  • Inter-process communication (ipc)
  • UTS - hostname and domain name
  • User ID (user)

Linux Control Groups

Cgroups limit the resource usage of a process (or group of processes).

Kernel

sysctl is a kernel interface tool. Among other things, it allows viewing and modifying kernel settings at runtime.

# Query kernel parameters
$ sysctl -a | grep <pattern>

# Query a specific parameter; sysctl resolves names relative to /proc/sys,
# so "kernel" here is the /proc/sys/kernel directory.
$ sysctl kernel/unprivileged_userns_apparmor_policy

# Change the setting (requires root)
$ sysctl -w kernel/unprivileged_userns_apparmor_policy=0

Contents of files within /proc/sys are ephemeral and will not persist across a reboot. /etc/sysctl.conf is the configuration file for sysctl, where persistent values for kernel settings can be set; the /etc/sysctl.d directory holds additional files with settings.
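A drift check for this point, written as an added example (not from the wiki): it parses the persistent settings in /etc/sysctl.conf and /etc/sysctl.d/*.conf and compares each with the live value in /proc/sys, so a value set with sysctl -w that was never persisted, or a persisted hardening value changed at runtime, shows up. Assumed simplification: only those two locations are merged, /etc/sysctl.d/*.conf in sorted order and then /etc/sysctl.conf, with later assignments winning.

```python
import glob
import os


def normalize_key(key):
    # 'kernel/foo' == 'kernel.foo'; a leading '-' (ignore errors) is dropped.
    return key.strip().lstrip("-").replace("/", ".")


def parse_sysctl_conf(text):
    """Parse sysctl.conf syntax: 'key = value' lines, '#' or ';' comments."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Collapse whitespace so multi-token values compare with /proc/sys.
        settings[normalize_key(key)] = " ".join(value.split())
    return settings


def load_persistent_settings(conf_dir="/etc/sysctl.d", conf_file="/etc/sysctl.conf"):
    """Merge the persistent files; later files override earlier ones.
    Assumption: only /etc/sysctl.d/*.conf (sorted) then /etc/sysctl.conf."""
    merged = {}
    for path in sorted(glob.glob(os.path.join(conf_dir, "*.conf"))) + [conf_file]:
        if os.path.isfile(path):
            with open(path) as fh:
                merged.update(parse_sysctl_conf(fh.read()))
    return merged


def read_runtime_value(key):
    """Read the live value: /proc/sys/<key with dots as path separators>."""
    with open(os.path.join("/proc/sys", *normalize_key(key).split("."))) as fh:
        return fh.read()


def find_drift(persistent, runtime_reader=read_runtime_value):
    """Return {key: (persistent, runtime)} where the live value differs;
    runtime None means the key does not exist on the running kernel."""
    drift = {}
    for key, wanted in persistent.items():
        try:
            live = " ".join(runtime_reader(key).split())  # tabs -> spaces
        except OSError:
            live = None
        if live != wanted:
            drift[key] = (wanted, live)
    return drift
```

On a host, `find_drift(load_persistent_settings())` returns every key whose live /proc/sys value differs from the persisted one.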

Security

AppArmor

A Linux kernel security module (the default on Ubuntu) that provides granular access control for programs.

An AppArmor profile is a set of rules that define what a program can do. The profile below denies all writes to disk:

#include <tunables/global>
profile k8s-deny-write flags=(attach_disconnected) {
    #include <abstractions/base>
    # Allow all file access...
    file,
    # ...then deny every write; deny rules take precedence over allow rules.
    deny /** w,
}

AppArmor profiles are loaded at the host (node) level and activated in one of the following modes:

  • complain - only logs what the program does, without blocking it; useful for learning a program's normal behaviour before enforcing
  • enforce - actively prevents the program from doing anything the profile does not allow

# Load an AppArmor profile; enforce mode is applied by default, add -C for
# complain mode.
$ sudo apparmor_parser <path_to_file>

On server restart, AppArmor automatically loads the profiles located in the /etc/apparmor.d/ directory.
