A namespace is a Linux kernel feature that isolates a particular global resource so that processes in one namespace see a different instance than processes in another. Linux has several namespace types, each covering a different resource:
- mount (mnt): filesystem mount points
- PID: process IDs (PID 1 inside a namespace is not PID 1 outside)
- network (net): network devices, IPs, ports, routing
- UTS: hostname and domain name
- IPC: System V IPC, POSIX message queues
- user: UIDs and GIDs; enables rootless containers
- cgroup: cgroup root view
- time: boot-time and monotonic clocks (added in Linux 5.6)
Namespaces are created with the unshare(2) and clone(2) system calls (or the unshare command) and inspected via /proc/<pid>/ns/, where each entry is a symlink of the form <type>:[<inode>]:
sudo unshare -n -m bash # new network and mount namespaces
ip netns add testns # named network namespace
lsns # list namespaces
nsenter -t <pid> -a # enter all of a process's namespaces
Combined with cgroups, which control how much of a resource a process can use, namespaces are the kernel foundation on which container runtimes (Docker, Podman, containerd) build their isolation. A "container" is essentially a process (or group of them) running in a fresh set of namespaces with a private cgroup hierarchy.
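The /proc/<pid>/ns/ symlinks described above make namespace membership easy to audit: two processes are in the same namespace of a given type exactly when their symlinks resolve to the same inode. The following script is an added example, not code from the original page; it reads those symlinks for two PIDs and reports which namespace types they share, which is how a defender checks whether a "container" process is really isolated from the host or was launched sharing, say, the host network or PID namespace. The comparison logic is kept separate from the /proc access so it can be exercised on constructed data; the function and variable names are this example's own.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Namespace types listed on the page; /proc/<pid>/ns/time only exists on Linux >= 5.6.
NS_TYPES = ("mnt", "pid", "net", "uts", "ipc", "user", "cgroup", "time")

# A /proc/<pid>/ns/<type> symlink target looks like "net:[4026531992]".
_LINK_RE = re.compile(r"^(\w+):\[(\d+)\]$")


def parse_ns_link(target: str) -> Tuple[str, int]:
    """Split a namespace symlink target into (type, inode)."""
    match = _LINK_RE.match(target)
    if not match:
        raise ValueError(f"not a namespace link target: {target!r}")
    return match.group(1), int(match.group(2))


def namespace_ids(pid: int) -> Dict[str, Optional[int]]:
    """Return {ns_type: inode} for a process.

    Missing entries mean the running kernel lacks that namespace type;
    None means the link exists but we lack permission to read it
    (reading another user's /proc/<pid>/ns/* needs ptrace access).
    """
    ids: Dict[str, Optional[int]] = {}
    for ns in NS_TYPES:
        path = f"/proc/{pid}/ns/{ns}"
        try:
            _, inode = parse_ns_link(os.readlink(path))
        except FileNotFoundError:
            continue
        except PermissionError:
            ids[ns] = None
            continue
        ids[ns] = inode
    return ids


def shared_namespaces(a: Dict[str, Optional[int]],
                      b: Dict[str, Optional[int]]) -> Dict[str, bool]:
    """For each namespace type known to both sides, True if they share it.

    Unreadable (None) entries are treated as unknown and skipped, so a
    permission problem never silently reports "isolated".
    """
    result: Dict[str, bool] = {}
    for ns in NS_TYPES:
        if ns not in a or ns not in b:
            continue
        if a[ns] is None or b[ns] is None:
            continue
        result[ns] = a[ns] == b[ns]
    return result


def host_shared_namespaces(pid: int, host_pid: int = 1) -> List[str]:
    """Namespace types the given process shares with the host's init.

    For a fully isolated container process this list is typically just
    ["user"] (when user namespaces are not in use) or empty; "net" or
    "pid" appearing here means the process was started with host
    networking or host PID visibility.
    """
    shared = shared_namespaces(namespace_ids(pid), namespace_ids(host_pid))
    return [ns for ns, same in shared.items() if same]


if __name__ == "__main__":
    import sys
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(f"namespaces of pid {target}: {namespace_ids(target)}")
    print(f"shared with pid 1: {host_shared_namespaces(target)}")
```

Run it as `python3 nscheck.py <pid>` (run as root, or on a process you own, so the symlinks are readable). A process started with `unshare -n -m` will show a different inode for net and mnt than PID 1 but the same inode for the types it did not unshare, which matches the description of namespaces as per-resource isolation rather than an all-or-nothing sandbox.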
Discussed in:
- Chapter 17: Containers and Virtualisation · The Kernel Features Behind Containers
Also defined in: Textbook of Linux
