Friday, 9 December 2022

Signing a CSR with openssl x509 -req, i.e. Producing a Certificate from a CSR

Introduction
The signing step is done with openssl x509 -req (openssl req only produces requests). Its options:
CA : the Certificate Authority certificate. This may be a self-signed certificate.
CAkey : the Certificate Authority's private key file
CAcreateserial : creates the serial-number file (ca.srl next to a ca.crt) if it does not exist; each issued certificate takes the next serial from this file
out : the name of the certificate file to write
days : validity period of the issued certificate in days

One caveat: openssl x509 -req does not carry extensions (for example subjectAltName) over from the CSR into the certificate unless they are supplied again with -extfile, or copied with -copy_extensions copy on OpenSSL 3.x. Inspect the result with "openssl x509 -in <crt> -noout -text" before deploying it.

Example
To produce a certificate from a CSR we do the following. Here minikube's certificate authority and private key are used.
openssl x509 -req -in rohan.csr \
  -CA ../minikube/ca.crt \
  -CAkey ../minikube/ca.key \
  -CAcreateserial \
  -out rohan.crt \
  -days 365
Example
We do the following
openssl x509 \
    -req \
    -in host.csr \
    -CA self_signed.pem \
    -CAkey self_signed.key \
    -CAcreateserial \
    -out host.pem \
    -days 30 \
    -sha256


Producing Certificate Signing Requests (CSR) with the openssl req Tool

Introduction
It is for creating Certificate Signing Requests (CSR). Some of the CSR types are as follows.
- PKCS #10 : Public-Key Cryptography Standards #10 CSR, RSA's CSR format.
- SPKAC : Signed Public Key and Challenge (SPKAC), Netscape's CSR format.
This tool produces CSRs of the PKCS#10 type. Its description is as follows.
PKCS#10 certificate request and certificate generating utility.
1. First we must have a private key
2. This private key is turned into a CSR with "openssl req ..."

Options
key : specifies the private key file.
newkey : specifies the algorithm and key size to generate. Usually rsa:2048 or rsa:4096 is chosen; rsa:1024 is still seen in old instructions but is too weak for new keys.
nodes : leaves the private key file unencrypted. OpenSSL 3.0 deprecates -nodes in favour of the clearer -noenc. Its description is as follows.
The option -nodes is not the English word "nodes", but rather is "no DES". When given as an argument, it means OpenSSL will not encrypt the private key in a PKCS#12 file.
keyout : specifies the private key file to write.
out : specifies the CSR file to write.

If the Private Key File Already Exists
In this case the private key file is given with -key.

Example
First we create a private key. We do the following
$ openssl genrsa -out rohan.key 2048
Then, to create the CSR, we do the following (the subject is given with -subj; O is the organization field)
$ openssl req -new -key rohan.key -out rohan.csr -subj "/CN=rohan/O=marketingweb"

$ ll
... rohan.csr
... rohan.key
Example
We do the following
openssl req -new -key <private-key-file.key> -out <CSR-file.csr>
Example
We do the following
openssl req -new -key <pem_file>.pem -out <out-csr-file>.pem 
  -subj "/CN=admin/O=prod/O=dev/O=uat"
Explanation (this is the Kubernetes convention for client certificates: CN is the user name, each O is a group):
This would create a CSR (Certificate Signing Request) for the username admin, belonging to three groups: prod, dev and uat
If There Is No Private Key File
-key is not given; the private key file is generated as well and written with -keyout.

Example
We do the following
openssl req -new \
    -newkey rsa:4096 \
    -nodes \
    -keyout host.key \
    -out host.csr \
    -subj '/CN=TestHost/C=US/ST=CA/L=SF/O=Test'
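The whole flow from the two posts above, as one added example that is not from the original page: a throw-away CA is created, a CSR with a subjectAltName is produced with openssl req, it is signed with openssl x509 -req, and the result is checked with openssl verify. The CA name demo-ca, the host name api.example.test and the temporary working directory are assumptions made for the demonstration; the config files are written inline because req needs a distinguished_name section and the host's openssl.cnf may not be there.

```shell
#!/bin/sh
# Added example: mint a CA, issue a leaf certificate from a CSR, verify it.
# Names (demo-ca, api.example.test) are placeholders for the demonstration.

# Runs in a subshell so the cd and temporary files never leak into the caller.
# Prints the subject of the issued certificate; fails if any step fails.
issue_demo_cert() (
  set -e
  work=$(mktemp -d)
  cd "$work"

  # 1. CA key + self-signed CA certificate. -x509 makes req emit a certificate
  #    instead of a CSR. The config gives it CA:TRUE so verify will accept it.
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = demo-ca
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # -nodes: unencrypted key (spelled -noenc on OpenSSL 3, -nodes still accepted)
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout ca.key -out ca.crt -days 30 2>/dev/null

  # 2. Server key + CSR. CN is the name, O the organization (in Kubernetes: the group).
  cat > host.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions = req_ext
prompt = no
[dn]
CN = api.example.test
O = prod
[req_ext]
subjectAltName = DNS:api.example.test
EOF
  openssl req -new -config host.cnf -newkey rsa:2048 -nodes \
      -keyout host.key -out host.csr 2>/dev/null

  # 3. Sign. x509 -req drops the CSR's extensions, so the leaf extensions
  #    (including the SAN) are supplied again via -extfile.
  #    -CAcreateserial writes ca.srl on first use.
  cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:api.example.test
EOF
  openssl x509 -req -in host.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out host.crt -days 30 -sha256 -extfile leaf.ext 2>/dev/null

  # 4. Checks a practitioner wants: the chain verifies and the SAN survived.
  openssl verify -CAfile ca.crt host.crt >/dev/null
  openssl x509 -in host.crt -noout -text | grep -q 'DNS:api.example.test'
  openssl x509 -in host.crt -noout -subject

  cd / && rm -rf "$work"
)
```

Drop the -extfile line and the grep check fails: that is exactly the silent SAN loss described in the caveat above, and browsers reject a server certificate without a SAN.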

Thursday, 8 December 2022

ssh Local Port Forwarding - For Reaching Another Server from My Own Computer

Introduction
For local port forwarding the -L and -N options of the ssh command are used together.
The syntax is as follows
ssh -L [<bind-address>:]<local-port>:<remote-address>:<remote-port> <username>@<ssh-server>
The bind address is optional and is usually left out, giving the shorter form below. Without it the listening port is bound to the loopback interface only, which is what you want: binding it to 0.0.0.0 (or using -g) makes the tunnel, and therefore the remote service, reachable by every host that can reach your machine.
ssh -L local_port:remote_address:remote_port username@sshserver
-L option
Used to open an ssh tunnel. Its description is as follows
The OpenSSH client has a command line option for port forwarding, used like this:

ssh -L localport:server:serverport user@host

which will connect to host as user, and at the same time redirecting localport on the client to serverport on server
-N option
Its description is as follows.
-N    Do not execute a remote command.  This is useful for just forwarding ports.
Explanation:
Normally, the ssh program runs a command on a remote system. For example, ssh user@server ls -l /tmp lists the content of the /tmp directory on server. When you leave the command out, as in ssh user@server, the user's shell is executed.

One of the features of OpenSSH is the creation of tunnels. The -D, -L and -R options use various techniques that allow the forwarding of network ports, also known as tunneling. By default, a tunnel created with ssh exists as long as the command executed by ssh runs on the remote server.

Often though, you are not interested in running a remote command; all you want is the tunnel. This is what the -N option is for.
Example
We do the following
ssh -L 8888:destination:5432 user@remote_host
Explanation:
This command binds port 8888 on your local machine and forwards any incoming traffic to the database server running on destination:5432 on the remote server. Now, you can access the database server on the remote machine by connecting to localhost:8888 from your local machine.

Example
Suppose A -> Firewall -> B, where A can reach the Firewall but not B directly.

To reach B from A we do the following on A ("remotemachine" is B's name as the firewall host resolves it, and 5900 is the VNC port). -N is used because we only want the tunnel and do not want to run any "remote command".
ssh -N -L 33642:remotemachine:5900 user@firewall
On machine A we then do the following (a VNC client pointed at localhost:33642 would work the same way).
$ telnet localhost 33642
Example
We do the following. Here the firewall address is 172.168.65.117. The server we want to reach is behind the firewall and its name is postgres.123456789012.us-east-1.rds.amazonaws.com. The local port is also 5432, so a client configured for localhost:5432 needs no change.
ssh -L 5432:postgres.123456789012.us-east-1.rds.amazonaws.com:5432 ec2-user@172.168.65.117
If the server were running on the firewall host itself we would do the following; note that "localhost" here is resolved on the ssh server, not on our own machine
ssh -L 6379:localhost:6379 ec2-user@172.168.65.117
Example
To forward the privileged port 80 to port 3000 we do the following. sudo is needed because ports below 1024 can only be bound by root; -N is used because we only want the tunnel and do not want to run any "remote command".
sudo ssh $USERNAME@localhost -L 80:localhost:3000 -N
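A small wrapper, added here as an example and not part of the original post, that assembles the -L command line the way the examples above do but adds the checks a practitioner wants: ports are validated, the bind address must be loopback (so the tunnel is not accidentally republished to the network), sudo is added only for privileged ports, and ExitOnForwardFailure makes ssh fail loudly instead of logging in without the tunnel. The host names, ports and user@server values in the usage are placeholders.

```shell
#!/bin/sh
# Added example: build a hardened local-forward command line.
# Usage: build_tunnel_cmd LOCAL_PORT REMOTE_HOST REMOTE_PORT USER@SSH_SERVER [BIND_ADDR]
# Prints the ssh command on stdout; returns 1 and prints a reason on stderr if
# an argument is unsafe. Nothing is executed, so the output can be reviewed first.
build_tunnel_cmd() {
  lport=$1 rhost=$2 rport=$3 target=$4 bind=${5:-127.0.0.1}

  for p in "$lport" "$rport"; do
    case $p in
      ''|*[!0-9]*) echo "port '$p' is not numeric" >&2; return 1 ;;
    esac
    if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
      echo "port $p out of range" >&2; return 1
    fi
  done

  # Only loopback binds are accepted: anything else exposes the remote service
  # to every host that can reach this machine (same effect as -g).
  case $bind in
    127.*|localhost|::1) ;;
    *) echo "refusing non-loopback bind address '$bind'" >&2; return 1 ;;
  esac

  # Ports below 1024 can only be bound by root.
  prefix=""
  if [ "$lport" -lt 1024 ]; then prefix="sudo "; fi

  # -N: no remote command, -n: no stdin,
  # ExitOnForwardFailure: exit instead of logging in with no tunnel when the
  #   local port cannot be bound,
  # ServerAliveInterval: detect a dead connection instead of hanging forever.
  printf '%sssh -N -n -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L %s:%s:%s:%s %s\n' \
    "$prefix" "$bind" "$lport" "$rhost" "$rport" "$target"
}

# Example: build_tunnel_cmd 8888 destination 5432 user@remote_host
```

Run the printed command with a trailing "&" (or -f) if you want it in the background, and check the listener with "ss -ltn" afterwards: the local address column should show 127.0.0.1, never 0.0.0.0 or *.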


Monday, 21 November 2022

Secure Computing Mode - Seccomp - A Linux Kernel Feature

What Is the Purpose?
The purpose is to provide access control, specifically over which system calls a process may make. Explanation:
Namespaces and cgroups provide a basic level of DDOS prevention and limit the attack surface to the host. But in certain scenarios, additional security measures are necessary. In particular, when running workloads and applications from untrusted users on cloud providers.

One way to add extra security is through access control.

Access control limits the access a container has to the host system, such as which files it can access and which system calls it can make. 
Some of the solutions used for access control are as follows
1. AppArmor
Explanation:
a mandatory access control system that assigns per-program profiles to restrict the capabilities of individual programs.
2. SELinux - Security-Enhanced Linux
Explanation:
another mandatory access control system that provides fine-grained control, but can be complex to set up. It was originally created by the NSA and merged into the Linux kernel in 2003.
3. Seccomp - Secure Computing Mode
Explanation (in other words, it is lighter weight than the other two solutions):
a Linux kernel feature that restricts system calls made by programs, making it a simpler and lightweight alternative to AppArmor and SELinux, useful in situations where only a limited set of system calls need to be restricted.
Explanation (seccomp is part of every Linux kernel, whereas the other two depend on the distribution shipping and enabling them):
By default, container engines like Docker do not use access control systems, but they can be enabled. seccomp is available on all Linux servers while AppArmor and SELinux are only available on distributions that have them enabled.
Explanation (it talks about containers, but the real aim is to stop a process from making particular system calls; the filter is installed by the container runtime, or by any program itself through prctl(PR_SET_SECCOMP) or seccomp(2)):
To restrict system calls from containers we can use Seccomp (secure computing mode). Using the Seccomp utility we can limit the syscalls a process/container can make to the Linux kernel.
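An added example, not from the original post, of what "limiting the syscalls a container can make" looks like in practice: a helper that writes a Docker-style seccomp profile returning an error for a chosen list of syscalls, and a helper that reads the Seccomp field of /proc/<pid>/status to confirm that a process is really running under a filter (0 = disabled, 1 = strict, 2 = filter). The syscall list and the profile path are illustrative choices, not a recommended baseline.

```shell
#!/bin/sh
# Added example: generate a deny-list seccomp profile and check seccomp mode.
# Usage: write_seccomp_profile OUTFILE SYSCALL...
write_seccomp_profile() {
  out=$1; shift
  names=""
  for s in "$@"; do
    names="${names:+$names,}\"$s\""
  done
  # defaultAction SCMP_ACT_ALLOW plus explicit SCMP_ACT_ERRNO entries is a
  # deny-list profile: quick hardening for an existing image. Docker's built-in
  # default profile is the stronger allow-list form (defaultAction SCMP_ACT_ERRNO
  # with an explicit list of permitted calls); start from that when you can.
  cat > "$out" <<EOF
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    { "names": [$names], "action": "SCMP_ACT_ERRNO" }
  ]
}
EOF
}

# Prints the seccomp mode of a process (default: the calling shell):
# 0 disabled, 1 strict, 2 filter; "unknown" where /proc is not available.
seccomp_mode() {
  pid=${1:-self}
  if [ ! -r "/proc/$pid/status" ]; then
    echo unknown
    return 0
  fi
  awk '/^Seccomp:/ {print $2; found=1} END {if (!found) print "unknown"}' \
      "/proc/$pid/status"
}

# Typical use (needs Docker, so not run here):
#   write_seccomp_profile /tmp/no-mount.json mount umount2 ptrace keyctl
#   docker run --rm --security-opt seccomp=/tmp/no-mount.json alpine \
#       sh -c 'grep Seccomp /proc/1/status; mount -t tmpfs none /mnt'
# The grep prints "Seccomp: 2" and the mount fails with "Operation not permitted".
```

Inside the container, "mount" fails with EPERM while everything else behaves as before, which is the "limited set of system calls" case the quoted text describes. A process can only ever tighten its filter, never loosen it, so the mode check is a reliable sign the profile was applied.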

Friday, 11 November 2022

bash arithmetic expansion

Introduction
Explanation (in short, bash arithmetic only works with integers):
... Bash is only capable of handling integers, not floating point numbers, as explained in Arithmetic Expansion. If you try to sum floating point numbers, you will get the invalid arithmetic operator error.
Syntax
C=$((...))
Example - Faulty Code
We do the following. We get an error because 6.4 is not an integer
#!/bin/bash
A='5'
B='6.4'
C=$(($A + $B))
echo $C
In such cases we can use the bc command. We do the following (the expression is quoted so that bc receives it exactly as written).
#!/bin/bash
A='5'
B='6.4'
C=$(echo "$A + $B" | bc)
echo $C

Thursday, 27 October 2022

sockperf command

Example
We do the following
on the server: sockperf server -i 224.4.4.4 -p 1234
on the client: sockperf ping-pong -i 224.4.4.4 -p 1234

Wednesday, 26 October 2022

Ethernet Bonding

Introduction
Some of the bonding modes are as follows
broadcast
balance-alb
balance-xor
balance-rr

broadcast
Explanation:
broadcast mode largely exists just to provide a bonding mode that can handle the loss of a bound interface without any disruption whatsoever (active-backup mode, which provides similar fault-tolerance, will show a small latency spike if the active bound interface goes down because it has to reroute traffic and force updates of external ARP caches). It’s realistically only usable on layer 2 point-to-point links between systems that are both using the bonding driver (possibly even the same mode), and gives you no performance benefits.
balance-rr
Explanation:
balance-rr mode is instead designed to have minimal overhead, irrespective of whatever other constraints exist, and it actually does translate to evenly balancing the load across all bound interfaces. The problem is that if there is more than one hop below layer 3, this mode cannot provide packet ordering guarantees, which in turn causes all kinds of issues with congestion control algorithms, functionally capping effective bandwidth. It is also, in practice, only usable on layer 2 point-to-point links between systems that are both using the bonding driver.
A question and its answer:
Q : Linux is capable of bonding NICs together. The interesting policy for this is Round-robin, which alternates outgoing packets between each NIC.

A : For the single flow, any bandwidth gain in the direction from the switch to the client is highly unlikely.

...

So any bandwidth gain for single flow is HIGHLY unlikely. You may see some gain using multiple flows, depending on hashing policy the switch uses and the server configured (see xmit_hash_policy for what's available, you will need policy policy which includes L4 information to gain anything between two specific hosts).
balance-alb
Explanation:
Assuming your switch plays nice with it, you probably want balance-alb mode, as it will give you the best overall link utilization spread across the links. However, some network hardware does not like how that mode handles receive load balancing, in which case you almost certainly instead want 802.3ad mode (if your switch supports it, and all the bound interfaces are connected to the same switch) or balance-xor (does the same thing, but the switch has to infer what’s going on, so does not work as well in all cases).

Thursday, 20 October 2022

Mac OS X brew command

An unofficial package manager. In the past MacPorts or Fink were used as the package manager for Mac OS. brew is easier to use.

Installing Brew
We do the following. This pipes a script fetched from GitHub straight into bash, so you run whatever the server returns; if that matters in your environment, download the script to a file, read it, and only then run it.
/bin/bash \
  -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
After brew is installed it must be added to the path. /opt/homebrew is the prefix on Apple Silicon Macs; on Intel Macs brew installs under /usr/local, which is normally on the path already. In "~/.zshrc" we do the following
export PATH="$PATH:/opt/homebrew/bin/"
install option
Installs a new package
Example
brew install gnuplot
services option
Example
We do the following (services start registers redis with launchd so it is started again at login)
> brew install redis
> brew services start redis

tap option
Example
We do the following (tap adds a third-party formula repository; from then on you are trusting whatever that repository publishes)
brew tap hazelcast/hz

brew install hazelcast@5.2.1


Thursday, 13 October 2022

supervisor

Installation
To install it we do the following
apt-get install -y supervisor
Example
We do the following. Only the last two sections are the definitions needed for our own applications; the rest is the stock skeleton. Before using it, change the admin/admin credentials (they protect the control socket and the HTTP interface, and anyone who can talk to supervisord can start and stop programs as the user it runs as), and leave [inet_http_server] out unless something really needs XML-RPC over TCP; if it stays, keep it bound to 127.0.0.1 as here.
[unix_http_server]
file=/tmp/supervisor.sock   ; the path to the socket file
;chmod=0700                 ; socket file mode (default 0700)
;chown=nobody:nogroup       ; socket file uid:gid owner
username=admin              ; default is no username (open server)
password=admin              ; default is no password (open server)

[inet_http_server]         ; inet (TCP) server disabled by default
port=127.0.0.1:9001       ; ip_address:port specifier, *:port for all iface
username=admin              ; default is no username (open server)
password=admin               ; default is no password (open server)

[supervisord]
logfile=/tmp/supervisord.log ; main log file; default $CWD/supervisord.log
logfile_maxbytes=50MB        ; max main logfile bytes b4 rotation; default 50MB
logfile_backups=10           ; # of main logfile backups; 0 means none, default 10
loglevel=info                ; log level; default info; others: debug,warn,trace
pidfile=/tmp/supervisord.pid ; supervisord pidfile; default supervisord.pid
nodaemon=true               ; start in foreground if true; default false
minfds=1024                  ; min. avail startup file descriptors; default 1024
minprocs=200                 ; min. avail process descriptors;default 200
;umask=022                   ; process file creation umask; default 022
user=root            ; setuid to this UNIX account at startup; recommended if root

[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

[supervisorctl]
serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL  for a unix socket
;serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket

[program:customer-service]
command=java -jar /app/customer-service-0.0.1-SNAPSHOT.jar
startsecs=10
directory=/app
stdout_logfile=/app/customer-service.log
stderr_logfile=/app/customer-service.err


[program:lucky-winner-service]
command=java -jar /app/lucky-winner-0.0.1-SNAPSHOT.jar
startsecs=10
directory=/app
stdout_logfile=/app/lucky-winner-service.log
stderr_logfile=/app/lucky-winner-service.err


Saturday, 8 October 2022

Quick Emulator - QEMU

Introduction
Explanation:
QEMU was the brainchild of Fabrice Bellard.
What Is QEMU
Explanation:
a fast full-system emulator translating between pretty much every processor architecture.
Explanation:
How emulators worked before QEMU

I first heard of QEMU around 2006. I was into computer architecture from my early days, and most emulators at the time would simply naively translate instructions from into the emulated architecture at runtime.

QEMU, on the other hand, employed a “Tiny Code Generator” to translate instructions through JIT compilation. It wasn’t as fast as running natively, but for a variety of applications it was fast enough and for many use cases it felt like pure miracle. QEMU also had its own emulation for common physical devices you would expect to find, its own disk image format, and much more.



Wednesday, 5 October 2022

ssh-keyscan command

Introduction
Explanation:
ssh-keyscan is a utility for gathering the public SSH host keys of a number of hosts. It was designed to aid in building and verifying ssh_known_hosts files, the format of which is documented in sshd(8). ssh-keyscan provides a minimal interface suitable for use by shell and perl scripts.
Example
We do the following. Note that ssh-keyscan records whatever key answers at $NEW_IP; if an attacker is on the path at that moment, their key is what gets pinned. Compare the fingerprint (ssh-keygen -lf on the scanned line) with one obtained out of band before appending it.
# Delete the entry for the old IP
ssh-keygen -R $OLD_IP

# Add entry for the new IP
ssh-keyscan $NEW_IP >> ~/.ssh/known_hosts
-H option
Hashes the host names in the output, so the known_hosts file does not reveal which hosts you connect to
Example
We do the following
ssh-keyscan -H $NEW_IP >> ~/.ssh/known_hosts
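The out-of-band check mentioned above, as an added example that is not from the original post: the scanned line is only appended to known_hosts when its fingerprint matches one you already know (from the cloud console, the provisioning system, or the admin who built the host). The host name build-1.example.test and the file paths are placeholders; ssh-keygen -lf is used because it understands known_hosts-format lines directly.

```shell
#!/bin/sh
# Added example: pin a host key only if its fingerprint matches an expected value.
# Usage: add_pinned_host_key "<scan line>" SHA256:<expected> [known_hosts file]
# The scan line is one line of ssh-keyscan output: "host keytype base64key".
add_pinned_host_key() {
  line=$1 expected=$2 known_hosts=${3:-$HOME/.ssh/known_hosts}

  tmp=$(mktemp)
  printf '%s\n' "$line" > "$tmp"
  # ssh-keygen -lf prints "<bits> <fingerprint> <host> (<type>)" per line.
  actual=$(ssh-keygen -lf "$tmp" 2>/dev/null | awk '{print $2}')
  rm -f "$tmp"

  if [ -z "$actual" ]; then
    echo "could not parse host key line" >&2
    return 1
  fi
  if [ "$actual" != "$expected" ]; then
    echo "REFUSING: fingerprint $actual does not match expected $expected" >&2
    return 1
  fi
  printf '%s\n' "$line" >> "$known_hosts"
}

# Typical use (needs network access, so not run here):
#   line=$(ssh-keyscan -t ed25519 build-1.example.test 2>/dev/null)
#   add_pinned_host_key "$line" SHA256:<fingerprint read from the console>
```

Hashed lines produced with ssh-keyscan -H work the same way, since ssh-keygen -lf only needs the key part of the line.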


Sunday, 2 October 2022

rtcwake command - Suspends the Computer and Wakes It at the Given Time

-m option
The following can be used as the mode
- standby
- freeze
- mem
- disk
- off
- no : does not suspend; only programs the RTC alarm
- on
- disable
- show

Example
We do the following. It wakes the computer at 16:00; -l says the hardware clock keeps local time (use -u if it keeps UTC) and -t takes the wake-up time as seconds since the epoch
sudo rtcwake -m no -l -t "$(date -d 'today 16:00:00' '+%s')"
To use it from crontab (a system crontab such as /etc/cron.d, which has the user field) we do the following. If this runs after 16:00 the computed time is already in the past and rtcwake refuses it
@reboot root /usr/bin/rtcwake -m no -l -t "$(/usr/bin/date -d 'today 16:00:00' '+%s')"
-s option
Specifies after how many seconds the computer is woken up
Example
We do the following. At 23:00 it suspends to disk and wakes 12 hours later. cron does not evaluate arithmetic, so the seconds are written out: 12 hours = 43200
0 23 * * *  root /usr/bin/rtcwake -m disk -s 43200
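The "alarm in the past" problem from the -t example above, handled in an added example that is not from the original post: the function returns the epoch time of the next occurrence of a wall-clock time, today if it is still ahead, otherwise tomorrow. It needs GNU date (the -d form used throughout this post); the optional second argument fixes "now" so the function can be tested.

```shell
#!/bin/sh
# Added example: epoch seconds of the next HH:MM, never a time already passed.
# Usage: next_alarm_epoch HH:MM [NOW_EPOCH]   (NOW_EPOCH defaults to the current time)
next_alarm_epoch() {
  hhmm=$1 now=${2:-$(date +%s)}
  today=$(date -d "@$now" +%Y-%m-%d)
  candidate=$(date -d "$today $hhmm" +%s)
  if [ "$candidate" -le "$now" ]; then
    # Already passed today: take the same wall-clock time tomorrow. Resolving
    # the date again (instead of adding 86400) keeps it right across a DST change.
    tomorrow=$(date -d "$today +1 day" +%Y-%m-%d)
    candidate=$(date -d "$tomorrow $hhmm" +%s)
  fi
  echo "$candidate"
}

# e.g. sudo rtcwake -m no -l -t "$(next_alarm_epoch 16:00)"
```

With this in place the @reboot crontab line works regardless of the time of day the machine comes up.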

Sunday, 18 September 2022

What Is init.d

init.d vs systemd
The easiest way to tell which one we are using is shown below. If systemd is really in use, the systemctl command must also exist. A WSL Linux may look as if it uses systemd without actually doing so; systemd support in WSL arrived in 2022 and has to be enabled in /etc/wsl.conf.
$ file /sbin/init
/sbin/init: symbolic link to /lib/systemd/systemd
Example
We create a file under /etc/init.d. We do the following
cd /etc/init.d
touch mysqld_multi
chmod +x /etc/init.d/mysqld_multi
We write the commands we want run into this file. Then we make the service start when the computer boots. We do the following
# Add mysqld_multi service to the default runlevels with the following command:

update-rc.d mysqld_multi defaults
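The body that would go into the /etc/init.d file created above, as an added example that is not from the original post: an LSB header (which update-rc.d reads for the runlevels), a pidfile, and start/stop/status functions that cope with a stale pidfile. "demo-daemon" is a placeholder name, and DAEMON defaults to sleep so the script can be exercised without a real service; a real script would point it at the daemon and keep the pidfile under /run.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          demo-daemon
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: demo daemon managed by a System V init script
### END INIT INFO
# Added example: a minimal /etc/init.d script. DAEMON and PIDFILE are placeholders.

DAEMON=${DAEMON:-/bin/sleep}
DAEMON_ARGS=${DAEMON_ARGS:-300}
PIDFILE=${PIDFILE:-/tmp/demo-daemon.pid}   # real scripts use /run/<name>.pid

do_status() {                    # 0 = running, 3 = not running (LSB convention)
  [ -f "$PIDFILE" ] || return 3
  pid=$(cat "$PIDFILE")
  if kill -0 "$pid" 2>/dev/null; then
    return 0
  fi
  rm -f "$PIDFILE"               # stale pidfile left by a crash
  return 3
}

do_start() {
  if do_status; then
    echo "already running (pid $(cat "$PIDFILE"))"
    return 0
  fi
  "$DAEMON" $DAEMON_ARGS </dev/null >/dev/null 2>&1 &
  echo $! > "$PIDFILE"
}

do_stop() {
  do_status || return 0
  kill "$(cat "$PIDFILE")" 2>/dev/null
  rm -f "$PIDFILE"
}

# With no argument only the functions are defined, so the file can be sourced.
case "${1:-}" in
  start)   do_start ;;
  stop)    do_stop ;;
  restart) do_stop; do_start ;;
  status)  if do_status; then echo running; else echo stopped; fi ;;
  "")      : ;;
  *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
```

Because the script is run as root by init, DAEMON should drop privileges itself (or be wrapped with start-stop-daemon --chuid) rather than run as root; the pidfile handling above is what lets "status" and "stop" keep working after a crash.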


Wednesday, 14 September 2022

pidstat command

Introduction
Explanation:
A common (and pretty good) answer is to use top. But there is one issue with top it’s difficult to copy the output to a scratch pad where you keep details about your debugging or if you’d want to send the output to someone else.

To get an output which is easy to read and copy friendly, run pidstat | head -n 20 or e.g. pidstat -u 5 60 to get updates every 5 seconds for the next 6 seconds.
Example
We do the following
$ pidstat | head -n 20
Linux 5.13.0-40-generic (tsunami)       05/03/2022      _x86_64_        (8 CPU)

UID       PID    %usr %system  %wait    %CPU   CPU  Command
  0         1    0.00    0.01   0.00    0.01     7  systemd
  0         2    0.00    0.00   0.00    0.00     1  kthreadd
  0        12    0.00    0.00   0.00    0.00     0  ksoftirqd/0
  0        13    0.00    0.06   0.02    0.06     7  rcu_sched
  0        14    0.00    0.00   0.00    0.00     0  migration/0
  0        19    0.00    0.00   0.00    0.00     1  migration/1
  0        20    0.00    0.00   0.00    0.00     1  ksoftirqd/1
Explanation:
%usr to find high user space time allocation. This would indicate an application in need of scaling for example.

%system to find high system / kernel space time allocation. Remember that this could be due to driver issues or other similar kernel level problems.

%wait would yet again indicate I/O latencies.





mpstat command

-P option
Explanation:
mpstat -P ALL 1 will give you statistics similar to vmstat but with a per CPU breakdown.
Example
We do the following
$ mpstat -P ALL 1
Linux 5.13.0-40-generic (tsunami)       05/03/2022      _x86_64_        (8 CPU)

15:11:50  CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %idle
all    6.67    0.00    2.52    0.00    0.00    0.13    0.00  90.69
  0    4.00    0.00    2.00    0.00    0.00    0.00    0.00  94.00
  1   10.10    0.00    4.04    0.00    0.00    0.00    0.00  85.86
  2    8.08    0.00    1.01    0.00    0.00    0.00    0.00  90.91
  3    4.04    0.00    1.01    0.00    0.00    0.00    0.00  94.95
  4    4.04    0.00    3.03    0.00    0.00    1.01    0.00  91.92
  5   10.00    0.00    1.00    0.00    0.00    0.00    0.00  89.00
  6    7.07    0.00    3.03    0.00    0.00    0.00    0.00  89.90
  7    6.00    0.00    5.00    0.00    0.00    0.00    0.00  89.00



uptime command

Example
We do the following
$ uptime
 11:19:45 up 1:43, 37 users, load average: 2.44, 2.35, 2.40
Explanation:
The last three numbers indicate the load average for the last 1, 5, & 15 minutes.

Friday, 9 September 2022

The /dev/stdin File

Introduction
Explanation (in short: on Linux, reading from this file does not consume stdin; it re-opens the underlying file from the beginning):
The /dev/stdin, /dev/stdout, /dev/stderr and /dev/fd/x are special files that were added to various Unices in the 80s so the file descriptors of a process could be referred to by name.

On those Unices, opening /dev/stdin (a character device file) got you a file descriptor that was a duplicate of stdin (fd 0), so the equivalent of doing dup(0)³.

When Linux added a similar feature in the '90s, the implementation was significantly different and incompatible.

On Linux, those /dev/std..., /dev/fd/x files are not special character device files but symbolic links to /proc/self/fd/x, and those in turn are magic symlinks to the file that is opened on fd x.

So, opening /dev/stdin there is not the same as dup(0); it's opening the original file anew assuming you have permissions to do so, and from the start (not at the offset stdin is currently pointing within the file) and in the requested mode. That also means that if you're reading/writing/seeking from the fd you get which is independent from fd 0, you're not updating stdin's offset within the file.

Cygwin copied the Linux way when it added a similar feature in the 2000s. Most if not all other Unices behave the original way (when they support those /dev/fd/x at all).
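The difference the quote describes, made visible in an added example that is not from the original post. A three-line file is constructed and connected to stdin; after one line has been consumed with read, "cat /dev/stdin" on Linux re-opens the file and prints all three lines, while "cat -" reads the inherited descriptor and prints the remaining two. Scripts that treat the two spellings as interchangeable, for instance a filter that is fed a file on stdin and later reads /dev/stdin "for the rest", see the whole file again on Linux and only the remainder on other Unices.

```shell
#!/bin/sh
# Added example: /dev/stdin (re-open) versus - (inherited fd 0) after a partial read.

# Constructed input: a temp file with the lines a, b, c; prints its path.
make_input() {
  f=$(mktemp)
  printf 'a\nb\nc\n' > "$f"
  echo "$f"
}

# Number of lines cat sees after "read" has consumed the first line of stdin.
# Argument: what cat should read: /dev/stdin (re-opens the file) or - (fd 0).
lines_after_one_read() {
  f=$(make_input)
  n=$( { read -r first; cat "$1"; } < "$f" | wc -l )
  rm -f "$f"
  echo "$n" | tr -d ' '
}

# Linux:  lines_after_one_read /dev/stdin -> 3   lines_after_one_read - -> 2
# macOS/BSD: both give 2, because /dev/stdin there is a dup of fd 0.
```

The same applies to /dev/fd/0 and to writing: on Linux, "echo x > /dev/stdout" when stdout is a regular file truncates and overwrites it instead of appending at the current offset.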


Tuesday, 6 September 2022

What Is FreeBSD

Introduction
Explanation:
FreeBSD underpins macOS. This is not Linux, but it is Unix, so they have a reasonable degree of similarity, especially in terms of commands, shell, etc. However, there is a fair degree of divergence under the covers: macOS does not offer the same fine-grain control. This can negatively impact you if you intend to do low-latency development. For example, you want to control which cores your threads are pinned to. 


Tuesday, 23 August 2022

cgcreate command - Creating a Group

Introduction
1. After creating the group with cgcreate, resources are assigned to it with the cgset command
2. When running applications with cgexec, the group is specified.
The commands below use the cgroup v1 layout (one directory per controller under /sys/fs/cgroup). On a cgroup v2 host every controller lives in one tree (/sys/fs/cgroup/<group>) and the file names differ: memory.limit_in_bytes becomes memory.max and cpu.shares becomes cpu.weight.

-g option
Example - memory
We do the following. The memory limits of the group can be seen under the directory "/sys/fs/cgroup/memory/my-process"
sudo cgcreate -g memory:my-process
To start a bash that runs in this group we do the following
$ sudo cgexec -g memory:my-process bash
root@cgroup:~#
To start a bash that runs in this group and inside separate namespaces we do the following ($ROOTFS must hold a root filesystem that contains /bin/sh)
$ sudo cgexec -g cpu,memory:my-process \
  unshare -uinpUrf --mount-proc \
  sh -c "/bin/hostname my-process && chroot $ROOTFS /bin/sh"
Example - cpu
We do the following. Here the browser is given only a small share of the processor
# you might need to create the right mountpoints first
sudo mkdir /sys/fs/cgroup/cpu
sudo mount -t cgroup -o cpu cpu /sys/fs/cgroup/cpu

# Create a group that controls `cpu` allotment, called `/browser`
sudo cgcreate -g cpu:/browser
# Create a group that controls `cpu` allotment, called `/important`
sudo cgcreate -g cpu:/important

# allocate few shares to your `browser` group, and many shares of the CPU time to the
# `important` group.
sudo cgset -r cpu.shares=128 browser
sudo cgset -r cpu.shares=1024 important
cgexec -g cpu:browser chromium --incognito
cgexec -g cpu:important make -j10 #or whatever
-r option
This -r belongs to cgset (set a parameter as name=value) and to cgdelete (delete recursively, including child groups). In the example below the cfs quota of 2 000 000 us per 1 000 000 us period allows two full CPUs.
Example
We do the following
# Creating a cgroup.
sudo cgcreate -g cpu,memory:$UUID

# Set up a limit memory for this cgroup.
sudo cgset -r memory.limit_in_bytes=100000000 $UUID

# Set up a limit CPU for this cgroup.
sudo cgset -r cpu.shares=512 $UUID && 
sudo cgset -r cpu.cfs_period_us=1000000 $UUID && 
sudo cgset -r cpu.cfs_quota_us=2000000 $UUID

# Creating a container.
sudo cgexec -g cpu,memory:$UUID unshare -uinpUrf --mount-proc sh 
  -c "/bin/hostname $UUID && chroot $ROOTFS /bin/sh"

# Deleting this cgroup.
sudo cgdelete -r -g cpu,memory:$UUID
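Read-only helpers, added here as an example and not from the original post, for the question that comes up before typing the v1 commands above on a modern host: which cgroup hierarchy is mounted, which cgroup a process is in, and what memory limit actually applies to it. They only read /sys/fs/cgroup and /proc and change nothing; the last helper converts a "-g controller:group" spec into the single v2 path.

```shell
#!/bin/sh
# Added example: inspect the cgroup hierarchy a host runs and a process's limits.

# Prints v2, v1 or none.
cgroup_version() {
  if [ -f /sys/fs/cgroup/cgroup.controllers ]; then
    echo v2                       # unified hierarchy
  elif [ -d /sys/fs/cgroup/memory ] || [ -d /sys/fs/cgroup/cpu ]; then
    echo v1                       # one mount per controller
  else
    echo none
  fi
}

# Prints the cgroup path of a process (default: the calling shell).
# v2 lines look like "0::/user.slice/..."; v1 has one line per controller,
# e.g. "4:memory:/my-process", and we take the memory controller's path.
cgroup_of_pid() {
  pid=${1:-self}
  case $(cgroup_version) in
    v2) sed -n 's/^0::\(.*\)$/\1/p' "/proc/$pid/cgroup" ;;
    v1) sed -n 's/^[0-9]*:memory:\(.*\)$/\1/p' "/proc/$pid/cgroup" ;;
    *)  echo "" ;;
  esac
}

# Prints the memory limit of a cgroup path ("max" or a byte count on v2, a
# byte count on v1), reading the file name the running hierarchy uses.
memory_limit_of() {
  path=$1
  case $(cgroup_version) in
    v2) cat "/sys/fs/cgroup$path/memory.max" 2>/dev/null || echo unknown ;;
    v1) cat "/sys/fs/cgroup/memory$path/memory.limit_in_bytes" 2>/dev/null || echo unknown ;;
    *)  echo unknown ;;
  esac
}

# Converts a v1-style cgcreate spec ("cpu,memory:my-process" or "cpu:/browser")
# into the v2 path, which is one directory for every controller.
v2_path_from_spec() {
  p=${1#*:}
  echo "/${p#/}"
}

# e.g. memory_limit_of "$(cgroup_of_pid)"   -> limit of the shell you are in
```

On a v2 host the equivalent of "cgcreate -g memory:my-process" plus "cgset -r memory.limit_in_bytes=..." is mkdir /sys/fs/cgroup/my-process and writing the byte count to memory.max in it; the helper above reads back whichever file applies.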


Monday, 8 August 2022

What Is a Namespace? - It Creates a Virtual Environment

Introduction
Explanation (namespaces are what made container technologies such as LXC and Docker possible):
The building blocks of multi-tenancy are Linux namespaces, the very technology that makes LXC, Docker, and other kinds of containers possible.
Explanation:
Namespaces are a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources.
It can be thought of as creating a virtual environment. The namespaces are as follows; each serves a different purpose. (The kernel also has IPC, cgroup and time namespaces, which are not covered here.)
1. Network Namespace
2. PID (Process Id) Namespace
3. Mount Namespace
4. Unix Time-sharing System (UTS) Namespace
5. User Namespace

Network Namespace
Explanation:
The networking namespace allows us to run the program on any port without conflict with other processes running on the same computer.
Explanation:
Only allows access to certain network devices. It has its own firewall, route rules, and socket port numbers. As an outcome, it is not able to see all traffic or contact all endpoints
PID (Process Id) Namespace
Explanation (processes in different PID namespaces cannot see each other with "ps aux"; it isolates processes):
... the PID namespace makes it so that a process can only see PIDs in its own namespace, and therefore cannot send kill signals to random processes on the host.
Explanation:
This type of namespace will isolate processes from each other. One process cannot see others, and also same process ID can exist in multiple namespaces. Such as — Process ID 1 can exist multiple times, but once in every namespace.
Mount Namespace
Explanation:
Mount namespace allows you to mount and unmount the filesystem without affecting the host filesystem.
Explanation:
Mount namespace: has an independent list of mount points seen by the processes in the corresponding namespace. This means that we can mount and unmount filesystems in a mount namespace without affecting the host filesystem.
User Namespace
Explanation:
A different set of user ids and group ids are used. Such as — A user (0) inside one namespace can be different from the user (0) inside another namespace.
unshare command
To run bash in a new PID (Process Id) namespace we do the following (--fork because the calling process itself cannot move into the new PID namespace, --mount-proc so that ps inside sees only that namespace's processes)
sudo unshare --fork --pid --mount-proc bash
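The same idea without sudo, as an added example that is not from the original post: a user namespace is created first (-U, with -r mapping the caller to uid 0 inside it), which then allows an unprivileged user to create PID and UTS namespaces on top of it. The functions print what the process sees inside; "ns-demo" is a placeholder hostname. This needs unprivileged user namespaces to be enabled on the host, which most desktop distributions do by default.

```shell
#!/bin/sh
# Added example: user, PID and UTS namespaces from an unprivileged shell.

# Prints the uid seen inside a fresh user namespace: 0 because of -r, while
# on the host the process is still the unprivileged caller.
uid_in_user_ns() {
  unshare -U -r id -u
}

# Prints the PID of the shell inside a new PID namespace: 1. -f forks first
# (the caller cannot enter the new namespace); --mount-proc gives the child a
# private /proc so "ps" inside lists only this namespace's processes.
pid_in_pid_ns() {
  unshare -U -r -p -f --mount-proc sh -c 'echo $$'
}

# Prints the hostname set inside a new UTS namespace; the host's name is untouched.
hostname_in_uts_ns() {
  unshare -U -r -u sh -c 'hostname ns-demo >/dev/null 2>&1 && hostname'
}
```

Being uid 0 inside the user namespace grants capabilities only over resources owned by that namespace: a "root" shell obtained this way still cannot read /etc/shadow or load kernel modules on the host, which is what makes rootless containers possible.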