A namespace is a Linux kernel feature that isolates a particular global resource so that processes in one namespace see a different instance than processes in another. Linux has several namespace types, each covering a different resource:
- mount (mnt) — filesystem mount points
- PID — process IDs (PID 1 inside a namespace is not PID 1 outside)
- network (net) — network devices, IPs, ports, routing
- UTS — hostname and domain name
- IPC — System V IPC, POSIX message queues
- user — UIDs and GIDs; enables rootless containers
- cgroup — cgroup root view
- time — clocks (added in 5.6)
Namespaces are created with unshare or clone and inspected via /proc/<pid>/ns/:

```sh
sudo unshare -n -m bash   # new network and mount namespaces
ip netns add testns       # named network namespace
lsns                      # list namespaces
nsenter -t <pid> -a       # enter all of a process's namespaces
```
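As an added example (not from the textbook), a small Python script that does by hand what lsns and the /proc/<pid>/ns/ inspection above do: it reads each namespace link, parses its "type:[inode]" target, and reports which namespace instances two processes share; the function names and the sample link strings are my own. Compared against PID 1 from inside a container every type should come out "different", while on the host (or after nsenter -t 1 -a) they are all "shared".

```python
import os
import re

# Namespace types as named in /proc/<pid>/ns/ (cgroup and time only on newer kernels).
NS_TYPES = ("mnt", "pid", "net", "uts", "ipc", "user", "cgroup", "time")

# A link target looks like "net:[4026531992]": the type plus the inode that
# identifies this particular namespace instance.
_LINK_RE = re.compile(r"^([a-z_]+):\[(\d+)\]$")


def parse_ns_link(target: str) -> tuple:
    """Parse a /proc/<pid>/ns/* symlink target into (type, inode)."""
    m = _LINK_RE.match(target)
    if not m:
        raise ValueError(f"unexpected namespace link target: {target!r}")
    return m.group(1), int(m.group(2))


def namespaces_of(pid) -> dict:
    """Map namespace type -> inode for a process (pid may be a number or "self").

    Returns {} when the ns directory is unreadable (no /proc, another user's
    process, or one that has exited); do not read that as "shares nothing".
    """
    ns_dir = f"/proc/{pid}/ns"
    found = {}
    try:
        names = os.listdir(ns_dir)
    except OSError:
        return found
    for name in names:
        if name not in NS_TYPES:  # skip pid_for_children / time_for_children
            continue
        try:
            ns_type, inode = parse_ns_link(os.readlink(os.path.join(ns_dir, name)))
        except OSError:
            continue
        found[ns_type] = inode
    return found


def compare_namespaces(pid_a, pid_b) -> dict:
    """Shared vs. different namespace instances for two processes: same type and
    same inode means the same namespace (this is how lsns groups processes)."""
    a, b = namespaces_of(pid_a), namespaces_of(pid_b)
    common = [t for t in NS_TYPES if t in a and t in b]
    return {
        "shared": {t: a[t] for t in common if a[t] == b[t]},
        "different": {t: a[t] for t in common if a[t] != b[t]},
    }
```

A workload that unexpectedly shares "net" or "pid" with PID 1 is not isolated the way its runtime claims, which makes this comparison a cheap check to run from inside a container.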
Combined with cgroups, which control how much of a resource a process can use, namespaces are the kernel foundation on which container runtimes (Docker, Podman, containerd) build their isolation. A "container" is essentially a process (or group of them) running in a fresh set of namespaces with a private cgroup hierarchy.
Discussed in:
- Chapter 17: Containers and Virtualisation — The Kernel Features Behind Containers
Also defined in: Textbook of Linux