openssl req aracı İle CSR'yi İmzalamak Yani CSR'den Sertifika Üretmek

Giriş

CA : Certificate Authority belirtilir. Bu bir self signed certificate olabilir.

CAkey : Certificate Authority'nin private key dosyasıdır

out : Sertifika dosyasının ismidir

Örnek

CSR'den sertifika üretmek için şöyle yaparız. Burada minikube'a ait certificate authorities ve private key kullanılıyor.

openssl x509 -req rohan.csr 
  -CA ../minikube/ca.crt \ 
  -CAkey ../minikube/ca.key 
  -CAcreateserial \
  -out rohan.crt \
  -days 365

Örnek

Şöyle yaparız

openssl x509 \
    -req \
    -in host.csr \
    -CA self_signed.pem \
    -CAkey self_signed.key \
    -CAcreateserial \
    -out host.pem \
    -days 30 \
    -sha256

openssl req aracı İle Certificate Signing Requests (CSR) Üretmek

Giriş

Certificate Signing Requests (CSR) yaratmak içindir. CSR tiplerinden bazıları şöyle.

- PKCS #10 : Public-Key Cryptography Standards #10 CSR, RSA's CSR format.
- SPKAC : Signed Public Key and Challenge (SPKAC), Netscape's CSR format.

Bu araç PKCS#10 tipinden CSR üretir. Açıklaması şöyle.

PKCS#10 certificate request and certificate generating utility.

1. Önce elimizde bir private key olmalı

2. Bu private key "openssl req ..." ile CSR haline dönüştürülür

Seçenekler

key : private key dosyası belirtilir.

newkey :seçeneği ile kullanılacak algoritma belirtilir. Genellikle rsa:1024 , rsa:2048 , rsa:4096 seçilir.

nodes : Açıklaması şöyle. Private key dosyasının şifrelenmemesini sağlar.

The option -nodes is not the English word "nodes", but rather is "no DES". When given as an argument, it means OpenSSL will not encrypt the private key in a PKCS#12 file.

keyout :seçeneği ile private key dosyası belirtilir.
out : seçeneği ile CSR dosyası belirtilir.

Private Key Dosyası Zaten Varsa

Bu durumda -key ile private key dosyası belirtilir.

Örnek

Önce bir Private key yaratırız. Şöyle yaparız

$ openssl genrsa -out rohan.key 2048

Daha sonra CSR yaratmak için şöyle yaparız

$ openssl req -new -key rohan.key -out rohan.csr -sub "/CN=rohan/0=marketingweb"

$ ll
... rohan.csr
... rohan.key

Örnek

Şöyle yaparız

openssl req -new -key <private-key-file.key> -out <CSR-file.csr>

Örnek
Şöyle yaparız

openssl req -new -key <pem_file>.pem -out <out-csr-file>.pem 
  -subj "/CN=admin/O=prod/O=dev/O=uat"

Açıklaması şöyle

This would create a CSR (Certificate Signing Request) for the username admin, belonging to three groups: prod, dev and uat

Private Key Dosyası Yoksa

-key belirtilmez ve private key dosyası da üretilir.

Örnek

Şöyle yaparız

openssl req -new \
    -newkey rsa:4096 \
    -nodes \
    -keyout host.key \
    -out host.csr \
    -subj '/CN=TestHost/C=US/ST=CA/L=SF/O=Test'

ssh Local Port Forwarding - Kendi Bilgisayarımdan Bir Başka Sunucuya Erişmek İçindir

Giriş

Local Port Forwarding için ssh komutunun -L ve -N seçenekleri birlikte kullanılır. 

Söz dizimi şöyle

ssh -L <local-port>:localhost:<remote-address:remote-port> <username>@<firewall-ip>

Daha kısa söz dizimi şöyle. Burada localhost yazmaya gerek yok

ssh -L local_port:remote_address:remote_port username@sshserver

-L seçeneği

ssh tunnel açmak için kullanılır. Açıklaması şöyle

The OpenSSH client has a command line option for port forwarding, used like this:

ssh -L localport:server:serverport user@host

which will connect to host as user, and at the same time redirecting localport on the client to serverport on server

-N seçeneği

Açıklaması şöyle.

-N    Do not execute a remote command.  This is useful for just forwarding ports.

Açıklaması şöyle.

Normally, the ssh program runs a command on a remote system. For example, ssh user@server ls -l /tmp lists the content of the /tmp directory on server. When you leave the command out, as in ssh user@server, the user's shell is executed.

One of the features of OpenSSH is the creation of tunnels. The -D, -L and -R options use various techniques that allow the forwarding of network ports, also known as tunneling. By default, a tunnel created with ssh exists as long as the command executed by ssh runs on the remote server.

Often though, you are not interested in running a remote command; all you want is the tunnel. This is what the -N option is for.

Örnek

Şöyle yaparız

ssh -L 8888:destination:5432 user@remote_host

Açıklaması şöyle

This command binds port 8888 on your local machine and forwards any incoming traffic to the database server running on destination:5432 on the remote server. Now, you can access the database server on the remote machine by connecting to localhost:8888 from your local machine.

Örnek

A -> Firewall -> B  olsun. A'dan Firewall'a erişim var.

A'dan B'ye erişmek için A'da şöyle yaparız. -N seçeneğinin kullanılma sebebi sadece tunnel görevi görmek, başka bir "remote command" çalıştırmamak.

ssh -N -L 33642:remotemachine:5900 user@firewall

A makinesinde şöyle yaparız.

$ telnet localhost 33642

Örnek

Şöyle yaparız. Burada firewall adresi 172.168.65.117. Erişmek istediğimiz sunucu da firewall'un arkasında ve ismi postgres.123456789012.us-east-1.rds.amazonaws.com.

ssh -L 5432:postgres.123456789012.us-east-1.rds.amazonaws.com:5432 ec2-user@172.168.65.117

Eğer sunucu da firewall üzerinde çalışsaydı şöyle yapardık

ssh -L 6379:localhost:6379 ec2-user@172.168.65.117

Örnek

Privileged port olan 80'i 3000 portuna yönlendirmek için şöyle yaparız.  -N seçeneğinin kullanılma sebebi sadece tunnel görevi görmek, başka bir "remote command" çalıştırmamak.

sudo ssh $USERNAME@localhost -L 80:localhost:3000 -N




Secure Computing Mode - Seccomp - Bir Linux Kernel Özelliği

Amaç Nedir?

Amaç Access Control sağlamak. Açıklaması şöyle

Namespaces and cgroups provide a basic level of DDOS prevention and limit the attack surface to the host. But in certain scenarios, additional security measures are necessary. In particular, when running workloads and applications from untrusted users on cloud providers.

One way to add extra security is through access control.

Access control limits the access a container has to the host system, such as which files it can access and which system calls it can make. 

Access Control için kullanılan bazı çözümler şöyle

1.  AppArmor

Açıklaması şöyle

a mandatory access control system that assigns per-program profiles to restrict the capabilities of individual programs.

2.  SELinux - Security-Enhanced Linux

Açıklaması şöyle

another mandatory access control system that provides fine-grained control, but can be complex to set up. It was originally created by the NSA and merged into the Linux kernel in 2003.

3. Seccomp - Secure Computing Mode

Açıklaması şöyle. Yani diğer çözümlere göre daha hafif sıklet

a Linux kernel feature that restricts system calls made by programs, making it a simpler and lightweight alternative to AppArmor and SELinux, useful in situations where only a limited set of system calls need to be restricted.

Açıklaması şöyle. Yani Seccomp her yerde mevcut, diğer çözümleri kurmak gerekiyor

By default, container engines like Docker do not use access control systems, but they can be enabled. seccomp is available on all Linux servers while AppArmor and SELinux are only available on distributions that have them enabled.

Açıklaması şöyle. Burada container denilmiş ancak esas amaç bir uygulamanın belirli bir sistem çağrını yapmasını engellemek

To restrict system calls from containers we can use Seccomp (secure computing mode). Using the Seccomp utility we can limit the syscalls a process/container can make to the Linux kernel.

Şeklen şöyle

bash arithmetic expansion

Giriş

Açıklaması şöyle. Yani bash sadece tam sayılar ile çalışır.

... Bash is only capable of handling integers, not floating point numbers, as explained in Arithmetic Expansion. If you try to sum floating point numbers, you will get the invalid arithmetic operator error.

Söz Dizimi

Şöyledir

C=$((...))

Örnek - Hatalı Kod

Şöyle yaparız. Tam sayı olmadığı için hata alırız

#!/bin/bash
A='5'
B='6.4'
C=$(($A + $B))
echo $C

Bu gibi durumlarda bc komutunu kullanabiliriz. Şöyle yaparız.

#!/bin/bash
A='5'
B='6.4'
C=$(echo $A + $B | bc) 
echo $C

sockperf komutu

Örnek

Şöyle yaparız

on the server: sockperf server -i 224.4.4.4 -p 1234
on the client: sockperf ping-pong -i 224.4.4.4 -p 1234

Ethernet Bonding

Giriş

Bazı bonding modları şöyle

broadcast

balance-alb

balance-xor

balance-rr

broadcast

Açıklaması şöyle

broadcast mode largely exists just to provide a bonding mode that can handle the loss of a bound interface without any disruption whatsoever (active-backup mode, which provides similar fault-tolerance, will show a small latency spike if the active bound interface goes down because it has to reroute traffic and force updates of external ARP caches). It’s realistically only usable on layer 2 point-to-point links between systems that are both using the bonding driver (possibly even the same mode), and gives you no performance benefits.

balance-rr

Açıklaması şöyle

balance-rr mode is instead designed to have minimal overhead, irrespective of whatever other constraints exist, and it actually does translate to evenly balancing the load across all bound interfaces. The problem is that if there is more than one hop below layer 3, this mode cannot provide packet ordering guarantees, which in turn causes all kinds of issues with congestion control algorithms, functionally capping effective bandwidth. It is also, in practice, only usable on layer 2 point-to-point links between systems that are both using the bonding driver.

Bir soru ve cevap şöyle

Q : Linux is capable of bonding NICs together. The interesting policy for this is Round-robin, which alternates outgoing packets between each NIC.

A : For the single flow, any bandwidth gain in the direction from the switch to the client is highly unlikely.

...

So any bandwidth gain for single flow is HIGHLY unlikely. You may see some gain using multiple flows, depending on hashing policy the switch uses and the server configured (see xmit_hash_policy for what's available, you will need policy policy which includes L4 information to gain anything between two specific hosts).

balance-alb

Açıklaması şöyle

Assuming your switch plays nice with it, you probably want balance-alb mode, as it will give you the best overall link utilization spread across the links. However, some network hardware does not like how that mode handles receive load balancing, in which case you almost certainly instead want 802.3ad mode (if your switch supports it, and all the bound interfaces are connected to the same switch) or balance-xor (does the same thing, but the switch has to infer what’s going on, so does not work as well in all cases).

Mac OS X brew komutu

Resmi olmayan package manager. Eskiden Mac OS  için paket yöneticisi olarak MacPorts veya Fink kullanılırdı. brew kullanmak daha kolay

Brew Kurulumu

Şöyle yaparız

/bin/bash \
  -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

brew kurulduktan sonra path'e eklemek lazım.  "~/.zshrc" dosyasında şöyle yaparız

export PATH="$PATH:/opt/homebrew/bin/"

install seçeneği

Yeni paketi kurar

Örnek

brew install gnuplot

services seçeneği

Örnek

Şöyle yaparız

> brew install redis
> brew services start redis

tap seçeneği

Örnek

Şöyle yaparız

brew tap hazelcast/hz

brew install hazelcast@5.2.1

supervisor

Kurulum

Kurmak için şöyle yaparız

apt-get install -y supervisor

Örnek

Şöyle yaparız. Burada sadece son iki bölüm bizim uygulamamız için gerekli tanımlardır

[unix_http_server]
file=/tmp/supervisor.sock   ; the path to the socket file
;chmod=0700                 ; socket file mode (default 0700)
;chown=nobody:nogroup       ; socket file uid:gid owner
username=admin              ; default is no username (open server)
password=admin              ; default is no password (open server)

[inet_http_server]         ; inet (TCP) server disabled by default
port=127.0.0.1:9001       ; ip_address:port specifier, *:port for all iface
username=admin              ; default is no username (open server)
password=admin               ; default is no password (open server)

[supervisord]
logfile=/tmp/supervisord.log ; main log file; default $CWD/supervisord.log
logfile_maxbytes=50MB        ; max main logfile bytes b4 rotation; default 50MB
logfile_backups=10           ; # of main logfile backups; 0 means none, default 10
loglevel=info                ; log level; default info; others: debug,warn,trace
pidfile=/tmp/supervisord.pid ; supervisord pidfile; default supervisord.pid
nodaemon=true               ; start in foreground if true; default false
minfds=1024                  ; min. avail startup file descriptors; default 1024
minprocs=200                 ; min. avail process descriptors;default 200
;umask=022                   ; process file creation umask; default 022
user=root            ; setuid to this UNIX account at startup; recommended if root

[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

[supervisorctl]
serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL  for a unix socket
serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket

[program:customer-service]
command=java -jar /app/customer-service-0.0.1-SNAPSHOT.jar
startsecs=10
directory=/app
stdout_logfile=/app/customer-service.log
stdout_logfile=/app/customer-service.err


[program:lucky-winner-service]
command=java -jar /app/lucky-winner-0.0.1-SNAPSHOT.jar
startsecs=10
directory=/app
stdout_logfile=/app/lucky-winner-service.log
stdout_logfile=/app/lucky-winner-service.err

Quick Emulator - QEMU

Giriş

Açıklaması şöyle

QEMU was the brainchild of Fabrice Bellard.

QEMU Nedir

Açıklaması şöyle

a fast full-system emulator translating between pretty much every processor architecture.

Açıklaması şöyle

How emulators worked before QEMU

I first heard of QEMU around 2006. I was into computer architecture from my early days, and most emulators at the time would simply naively translate instructions from into the emulated architecture at runtime.

QEMU, on the other hand, employed a “Tiny Code Generator” to translate instructions through JIT compilation. It wasn’t as fast as running natively, but for a variety of applications it was fast enough and for many use cases it felt like pure miracle. QEMU also had its own emulation for common physical devices you would expect to find, its own disk image format, and much more.

ssh-keyscan komutu

Giriş

Açıklaması şöyle

ssh-keyscan is a utility for gathering the public SSH host keys of a number of hosts. It was designed to aid in building and verifying ssh_known_hosts files, the format of which is documented in sshd(8). ssh-keyscan provides a minimal interface suitable for use by shell and perl scripts.

Örnek

Şöyle yaparız

# Delete the entry for the old IP
ssh-keygen -R $OLD_IP

# Add entry for the new IP
ssh-keyscan $NEW_IP >> ~/.ssh/known_hosts

-H seçeneği

Çıktıyı hashed formatta almak için kullanılır

Örnek

Şöyle yaparız

ssh-keyscan -H $NEW_IP >> ~/.ssh/known_hosts

rtcwake komutu - Bilgisayarı Kapatır ve Belirtilen Zamanda Uyandırır

-m seçeneği

mode olarak şunlar kullanılabilir

- standby

- freeze

- mem

- disk

- off

- no : suspend etmez

- on

- disable

- show

Örnek

Şöyle yaparız. Saat 16'da bilgisayarı uyandırır

sudo rtcwake -m no -l -t "$(date -d 'today 16:00:00' '+%s')"

chrontab'da kullanmak için şöyle yaparız

@reboot root /usr/bin/rtcwake -m no -l -t "$(/usr/bin/date -d 'today 16:00:00' '+%s')"

-s seçeneği

Kaç saniye sonra uyandırılacağını belirtir

Örnek

Şöyle yaparız. Saat 23'te suspend eder ve 12 saat sonra uyandırır

0 23 * * *  root /usr/bin/rtcwake -m disk -s 60*60*12

init.d Nedir

init.d vs systemd

Hangisini kullandığımızı anlamanın en kolay yolu şöyle. Eğer gerçekten systemd kullanılıyorsa ayrıca systemctl komutu da olmalı. WSL Linux'ta systemd kullanılıyor gibi görünse de aslında kullanmıyor

$ file /sbin/init
/sbin/init: symbolic link to /lib/systemd/systemd

Örnek 

/etc/init.d altında bir dosya yaratırız. Şöyle yaparız

cd /etc/init.d
touch mysqld_multi
chmod +x /etc/init.d/mysqld_multi

Bu dosyaya çalışmasını istediğimiz komutları yazarız. Daha sonra servisi bilgisayar açılırken çalışır hale getiririz. Şöyle yaparız

# Add mysqld_multi service to the default runlevels with the following command:

update-rc.d mysqld_multi defaults

pidstat komutu

Giriş

Açıklaması şöyle

A common (and pretty good) answer is to use top. But there is one issue with top it’s difficult to copy the output to a scratch pad where you keep details about your debugging or if you’d want to send the output to someone else.

To get an output which is easy to read and copy friendly, run pidstat | head -n 20 or e.g. pidstat -u 5 60 to get updates every 5 seconds for the next 6 seconds.

Örnek

Şöyle yaparız

$ pidstat | head -n 20
Linux 5.13.0-40-generic (tsunami)       05/03/2022      _x86_64_        
(8 CPU)
UID       PID    %usr %system  %wait    %CPU   CPU  Command
  0         1    0.00    0.01   0.00    0.01     7  systemd
  0         2    0.00    0.00   0.00    0.00     1  kthreadd
  0        12    0.00    0.00   0.00    0.00     0  ksoftirqd/0
  0        13    0.00    0.06   0.02    0.06     7  rcu_sched
  0        14    0.00    0.00   0.00    0.00     0  migration/0
  0        19    0.00    0.00   0.00    0.00     1  migration/1
  0        20    0.00    0.00   0.00    0.00     1  ksoftirqd/1

Açıklaması şöyle

%usr to find high user space time allocation. This would indicate an application in need of scaling for example.

%system to find high system / kernel space time allocation. Remember that this could be due to driver issues or other similar kernel level problems.

%wait would yet again indicate I/O latencies.

mpstat komutu

-P seçeneği

Açıklaması şöyle

mpstat -P ALL 1 will give you statistics similar to vmstat but with a per CPU breakdown.

Örnek

Şöyle yaparız

$ mpstat -P ALL 1
15:11:50
Linux 5.13.0-40-generic (tsunami)       05/03/2022      _x86_64_        
(8 CPU)
CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %idle
all    6.67    0.00    2.52    0.00    0.00    0.13    0.00  90.69
  0    4.00    0.00    2.00    0.00    0.00    0.00    0.00  94.00
  1   10.10    0.00    4.04    0.00    0.00    0.00    0.00  85.86
  2    8.08    0.00    1.01    0.00    0.00    0.00    0.00  90.91
  3    4.04    0.00    1.01    0.00    0.00    0.00    0.00  94.95
  4    4.04    0.00    3.03    0.00    0.00    1.01    0.00  91.92
  5   10.00    0.00    1.00    0.00    0.00    0.00    0.00  89.00
  6    7.07    0.00    3.03    0.00    0.00    0.00    0.00  89.90
  7    6.00    0.00    5.00    0.00    0.00    0.00    0.00  89.00

uptime komutu

Örnek

Şöyle yaparız

$ uptime
11:19:45 up  1:43, 37 users,  load average: 2.44, 2.35, 2.40

Açıklaması şöyle

The last three numbers indicate the load average for the last 1, 5, & 15 minutes.

/dev/stdin Dosyası

Giriş

Açıklaması şöyle. Yani Linux'ta bu dosyadan okumak aslında stin'in tüketmez.

The /dev/stdin, /dev/stdout, /dev/stderr and /dev/fd/x are special files that were added to various Unices in the 80s so the file descriptors of a process could be referred to by name.

On those Unices, opening /dev/stdin (a character device file) got you a file descriptor that was a duplicate of stdin (fd 0), so the equivalent of doing dup(0)³.

When Linux added a similar feature in the '90s, the implementation was significantly different and incompatible.

On Linux, those /dev/std..., /dev/fd/x files are not special character device files but symbolic links to /proc/self/fd/x, and those in turn are magic symlinks to the file that is opened on fd x.

So, opening /dev/stdin there is not the same as dup(0); it's opening the original file anew assuming you have permissions to do so, and from the start (not at the offset stdin is currently pointing within the file) and in the requested mode. That also means that if you're reading/writing/seeking from the fd you get which is independent from fd 0, you're not updating stdin's offset within the file.

Cygwin copied the Linux way when it added a similar feature in the 2000s. Most if not all other Unices behave the original way (when they support those /dev/fd/x at all).

FreeBSD Nedir

Giriş

Açıklaması şöyle

FreeBSD underpins macOS. This is not Linux, but it is Unix, so they have a reasonable degree of similarity, especially in terms of commands, shell, etc. However, there is a fair degree of divergence under the covers: macOS does not offer the same fine-grain control. This can negatively impact you if you intend to do low-latency development. For example, you want to control which cores your threads are pinned to. 

cgcreate komutu - Grup Yaratma

Giriş

1. cgcreate ile grup yarattıktan sonra cgset komutu ile gruba kaynak ayrılır

2. cgexec ile uygulamalar çalıştırılırken grupları belirtilir.

-g seçeneği

Örnek - memory

Şöyle yaparız. Burada "/sys/fs/cgroup/memory/my-process" isimli dizinde belleği sınırlandırılmış kaynaklar görülür

sudo cgcreate -g memory:my-process

Bu kaynağı kullanan bash yaratmak için şöyle yaparız

$ sudo cgexec -g memory:my-process bash
root@cgroup:~#

Bu kayanğı kullanan ve farklı bir namespace içinde  bash yaratmak için şöyle yaparız

$ sudo cgexec -g cpu,memory:my-process \
  unshare -uinpUrf --mount-proc \
  sh -c "/bin/hostname my-process && chroot mktemp -d /bin/sh"

Örnek - cpu

Şöyle yaparız. Burada tarayıcıya az işlemci gücü ayrılıyor

# you might need to create the right mountpoints first
sudo mkdir /sys/fs/cgroup/cpu
sudo mount -t cgroup -o cpu cpu /sys/fs/cgroup/cpu

# Create a group that controls `cpu` allotment, called `/browser`
sudo cgcreate -g cpu:/browser
# Create a group that controls `cpu` allotment, called `/important`
sudo cgcreate -g cpu:/important

# allocate few shares to your `browser` group, and many shares of the CPU time to the
# `important` group.
sudo cgset -r cpu.shares=128 browser
sudo cgset -r cpu.shares=1024 important


cgexec -g cpu:browser chromium --incognitio
cgexec -g cpu:important make -j10 #or whatever

-r seçeneği

Grubu siler

Örnek

Şöyle yaparız

# Creating a cgroup.
sudo cgcreate -g cpu,memory:$UUID

# Set up a limit memory for this cgroup.
sudo cgset -r memory.limit_in_bytes=100000000 $UUID

# Set up a limit CPU for this cgroup.
sudo cgset -r cpu.shares=512 $UUID && 
sudo cgset -r cpu.cfs_period_us=1000000 $UUID && 
sudo cgset -r cpu.cfs_quota_us=2000000 $UUID

# Creating a container.
sudo cgexec -g cpu,memory:$UUID unshare -uinpUrf --mount-proc sh 
  -c "/bin/hostname $UUID && chroot $ROOTFS /bin/sh"

# Deleting this cgroup.
sudo cgdelete -r -g cpu,memory:$UUID

Namespace Nedir? - Sanal Bir Ortam Yaratır

Giriş

Açıklaması şöyle. Namespace'ler sayesinde LCX ve Docker gibi container teknolojileri mümkün oldu.

The building blocks of multi-tenancy are Linux namespaces, the very technology that makes LXC, Docker, and other kinds of containers possible.

Açıklaması şöyle

Namespaces are a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources.

Sanal bir ortam yaratılması gibi düşünülebilir. Namespace'ler şöyle. Her birisi farklı işe yararlar.

1. Network Namespace

2. PID (Process Id) Namespace

3. Mount Namespace

4. Unix Time-sharing System (UTS) Namespace

5. User Namespace

Network Namespace

Açıklaması şöyle

The networking namespace allows us to run the program on any port without conflict with other processes running on the same computer.

Açıklaması şöyle.

Only allows access to certain network devices. It has its own firewall, route rules, and socket port numbers. As an outcome, it is not able to see all traffic or contact all endpoints

PID (Process Id) Namespace

Açıklaması şöyle. Farklı PID Namespace içindeki process'ler birbirlerini "ps aux" komutu ile göremezler. Process'leri izole eder

... the PID namespace makes it so that a process can only see PIDs in its own namespace, and therefore cannot send kill signals to random processes on the host.

Açıklaması şöyle

This type of namespace will isolate processes from each other. One process cannot see others, and also same process ID can exist in multiple namespaces. Such as — Process ID 1 can exist multiple times, but once in every namespace.

Mount Namespace

Açıklaması şöyle

Mount namespace allows you to mount and unmount the filesystem without affecting the host filesystem.

Açıklaması şöyle.

Mount namespace: has an independent list of mount points seen by the processes in the corresponding namespace. This means that we can mount and unmount filesystems in a mount namespace without affecting the host filesystem.

User Namespace

Açıklaması şöyle.

A different set of user ids and group ids are used. Such as — A user (0) inside one namespace can be different from the user (0) inside another namespace.

unshare komutu

Yeni bir PID (Process Id) Namespace içinde bash çalıştırmak için  şöyle yaparız

sudo unshare --fork --pid --mount-proc bash