Frequently Asked Question
What are Linux namespaces and which ones do containers use?
A namespace is a kernel feature that gives a process its own private view of one kind
of global resource. There are eight of them today. The mount namespace gives a
process its own filesystem mount table, so it can have an entirely different idea of
what / contains. The PID namespace renumbers processes from one, so the
container's first process is PID 1 and cannot see the host's processes at all. The
network namespace gives the process its own loopback, its own routing table, its
own firewall rules, and a private set of interfaces. The UTS namespace isolates
the hostname and domain name. The IPC namespace separates System V semaphores
and message queues. The user namespace lets a process see itself as UID 0 inside
while being a normal user outside. The cgroup namespace hides which cgroups the
process belongs to from a container's point of view. The time namespace, the
newest, lets a container have its own monotonic and boot clocks.
A container runtime such as runc combines several of these (typically all of them)
with cgroup limits, capability drops, a seccomp filter, and a pivoted root filesystem
to produce what users see as "a container". You can drive the syscalls yourself with
unshare(1): unshare --mount --uts --ipc --pid --net --fork bash gives you most of
a container in one line, with no Docker involved.
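Once a process is inside new namespaces, the way to see which ones it actually got is to read the /proc/<pid>/ns/* symlinks: each reads "<type>:[<inode>]", and two processes are in the same namespace of a type exactly when the inode numbers match. The script below is an added example, not part of the original FAQ or of unshare(1) or runc; it assumes a Linux /proc, and the function names (ns_id, shared_namespaces, count_shared, report_vs_pid1) are its own. It goes one step beyond the text by comparing a process against PID 1, which is the check a defender uses to spot a container started with the host's network or PID namespace.

```shell
#!/bin/sh
# Added example (not from the original FAQ): inspect the namespaces a process is in
# by reading the /proc/<pid>/ns/* symlinks. Each link reads "<type>:[<inode>]"; two
# processes share a namespace of a given type exactly when the inodes match.
# Assumes a Linux /proc. PID arguments are whatever /proc accepts ("self", 1, 4242).
# Function names below are this script's own, not from any tool.

# The eight namespace types, in the kernel's /proc/<pid>/ns naming.
NS_TYPES="mnt pid net uts ipc user cgroup time"

# ns_id PID TYPE -> prints e.g. "net:[4026531992]"; prints nothing if the link is
# missing (kernel without that namespace type) or unreadable (another user's
# process and no CAP_SYS_PTRACE).
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null || :
}

# shared_namespaces PID_A PID_B -> prints the types both processes share, one per line.
shared_namespaces() {
    for t in $NS_TYPES; do
        a=$(ns_id "$1" "$t")
        b=$(ns_id "$2" "$t")
        if [ -n "$a" ] && [ "$a" = "$b" ]; then
            echo "$t"
        fi
    done
}

# count_shared PID_A PID_B -> how many namespace types the two processes share.
count_shared() {
    shared_namespaces "$1" "$2" | wc -l | tr -d ' '
}

# report_vs_pid1 PID -> one line per namespace type saying whether PID shares it
# with PID 1. Seen from inside a container, "shared with PID 1" on net or pid means
# the container was started with host networking or host PIDs. PID 1's links must
# be readable for the comparison, which normally means running as root on the host.
report_vs_pid1() {
    for t in $NS_TYPES; do
        mine=$(ns_id "$1" "$t")
        init=$(ns_id 1 "$t")
        if [ -z "$mine" ]; then
            printf '%-7s (not available on this kernel)\n' "$t"
        elif [ -z "$init" ]; then
            printf '%-7s %s  (PID 1 not readable; run as root to compare)\n' "$t" "$mine"
        elif [ "$mine" = "$init" ]; then
            printf '%-7s %s  shared with PID 1\n' "$t" "$mine"
        else
            printf '%-7s %s  private\n' "$t" "$mine"
        fi
    done
}

# Usage: report the calling shell's namespaces against PID 1.
report_vs_pid1 self
```

Run it once on the host and once inside `unshare --mount --uts --ipc --pid --net --fork sh`: the mnt, uts, ipc, pid and net lines flip from "shared with PID 1" to "private", while user, cgroup and time stay shared because the command did not request them. One caveat worth knowing when you try the PID line: the new PID namespace does hide the host's processes from kill(2) and friends, but `ps` reads /proc, and the /proc you inherited is the host's mount; add `--mount-proc` to unshare so a fresh procfs is mounted inside the new mount namespace and `ps` agrees with the kernel.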