
Linux Namespace isolation

Linux Namespace isolation is a kernel mechanism that changes what a process sees of its execution environment. It is the fundamental technology behind containerization: namespaces draw "boundaries" that separate processes from the host system and from each other^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md].

While [[Cgroups]] enforce resource limits (how much a process may use), Namespaces isolate specific system resources (what a process can see and address). The effect is a sleight of hand (障眼法, literally an "eye-blinding trick"): the process sees a virtualized environment distinct from the global system context, while the kernel keeps a single view of everything^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md]. A caveat for anyone treating this as a security boundary: namespaces hide resources, they do not by themselves reduce privilege. The kernel, its attack surface and whatever capabilities the process holds are still shared with the host, which is why container runtimes layer capability dropping, seccomp and LSM policy on top.

Namespace Types

Linux provides several namespaces, each isolating one aspect of the process context^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md]:

  • PID Namespace: Isolates process IDs. The first process in a new PID namespace is PID 1 inside it while having a different PID on the host. PID namespaces nest: the parent namespace can see and signal every process in its children, but not the reverse.
  • Mount Namespace: Isolates the set of mount points, so each container can see a different filesystem hierarchy. On its own it does not change the root directory; container runtimes combine it with a [[Rootfs]] and pivot_root or chroot.
  • Network Namespace: Isolates network resources: interfaces, IP addresses, routing tables, port numbers, netfilter rules and sockets.
  • UTS Namespace: Isolates the hostname and NIS domain name.
  • IPC Namespace: Isolates System V IPC objects and POSIX message queues.
  • User Namespace: Isolates user and group IDs and the capabilities tied to them. UIDs and GIDs are mapped, so a process can be root (UID 0) inside the namespace while being an unprivileged UID outside, and the capabilities it holds apply only to resources owned by that namespace. It is the only namespace an unprivileged process may create (where the kernel allows it), which is what makes rootless containers possible.

Newer kernels also provide a cgroup namespace (virtualizes the cgroup hierarchy a process sees) and a time namespace (per-namespace offsets for the monotonic and boot-time clocks).

System APIs

The Linux kernel exposes three primary system calls for creating and joining namespaces^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md]:

  • clone(): Creates a new process and, when flags such as CLONE_NEWPID or CLONE_NEWNET are passed in the flags argument, places the child in freshly created namespaces of those types. This is the most common way to create a namespace. Every CLONE_NEW* flag except CLONE_NEWUSER requires CAP_SYS_ADMIN; combining CLONE_NEWUSER with the others lets an unprivileged process create them, because the caller gains a full capability set inside the new user namespace, which then owns the other new namespaces^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md].
  • setns(): Makes the calling thread join an existing namespace. It takes a file descriptor referring to that namespace, typically obtained by opening an entry under /proc/[pid]/ns/ (for example /proc/1234/ns/net); since Linux 5.8 a PID file descriptor is accepted as well. Joining requires CAP_SYS_ADMIN both in the caller's own user namespace and in the user namespace that owns the target namespace. This is the call behind nsenter^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md].
  • unshare(): Disassociates parts of the calling process's execution context from what it shared with its parent, using the same CLONE_NEW* flags. It is like clone() but operates on the current process without creating a new one^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md]. One gotcha: unshare(CLONE_NEWPID) does not move the caller itself into the new PID namespace; only children created afterwards land there.

Related

  • [[Cgroups]]
  • [[Containers]]
  • [[Rootfs]]
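The System APIs described above, as an added example that is not part of the original note: a C program (assumed to run on Linux with procfs mounted) that uses clone() with CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWPID so it works without root wherever unprivileged user namespaces are enabled, and then performs the check a setns() user needs anyway: comparing the /proc/[pid]/ns/* identities of parent and child to confirm which namespaces they do and do not share. The hostname "sandbox", the function names and the pipe handshake are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* A namespace is identified by the (device, inode) pair behind the magic link
 * /proc/<pid>/ns/<type>. Two processes share a namespace iff the pairs match;
 * that link is also the file you open and hand to setns(). */
struct ns_id { dev_t dev; ino_t ino; };

static int ns_id(pid_t pid, const char *type, struct ns_id *out)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, type);
    if (stat(path, &st) != 0)        /* no such pid/type, or not allowed to look */
        return -1;
    out->dev = st.st_dev;
    out->ino = st.st_ino;
    return 0;
}

/* 1 = same namespace, 0 = different, -1 = could not tell */
int same_ns(pid_t a, pid_t b, const char *type)
{
    struct ns_id x, y;
    if (ns_id(a, type, &x) != 0 || ns_id(b, type, &y) != 0)
        return -1;
    return x.dev == y.dev && x.ino == y.ino;
}

struct chan { int to_parent; int from_parent; };

static int child_fn(void *arg)
{
    struct chan *c = arg;
    char msg[96];
    /* sethostname() needs CAP_SYS_ADMIN in the user namespace owning our UTS
     * namespace; CLONE_NEWUSER gave us a full capability set there, so this
     * works unprivileged and never touches the host's hostname. */
    int rc = sethostname("sandbox", 7);          /* "sandbox": example's choice */
    snprintf(msg, sizeof msg, "getpid()=%d sethostname=%s",
             (int)getpid(), rc == 0 ? "ok" : strerror(errno));
    (void)write(c->to_parent, msg, strlen(msg) + 1);
    (void)read(c->from_parent, msg, 1);  /* stay alive until the parent has looked */
    return 0;
}

/* 0: child created and verified isolated (uts/pid differ, net shared);
 * 1: kernel or sandbox refused the clone (unprivileged userns off, seccomp);
 * -1: any other error or an unexpected result. */
int run_demo(void)
{
    int up[2], down[2];
    if (pipe(up) != 0 || pipe(down) != 0)
        return -1;
    struct chan c = { up[1], down[0] };
    size_t sz = 64 * 1024;
    char *stack = malloc(sz);
    if (!stack)
        return -1;
    /* CLONE_NEWUSER first so the rest is allowed without root; the new user
     * namespace owns the new UTS and PID namespaces. CLONE_NEWNET is left out
     * on purpose: the child keeps our network namespace, verified below. */
    int flags = CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWPID | SIGCHLD;
    pid_t child = clone(child_fn, stack + sz, flags, &c);  /* stack grows down */
    if (child < 0) {
        int e = errno;
        free(stack);
        return (e == EPERM || e == EINVAL || e == ENOSYS || e == ENOSPC || e == EUSERS) ? 1 : -1;
    }
    char msg[96] = "";
    if (read(up[0], msg, sizeof msg - 1) > 0)
        printf("child (host pid %d) reports: %s\n", (int)child, msg);

    int uts = same_ns(getpid(), child, "uts");
    int pid = same_ns(getpid(), child, "pid");
    int net = same_ns(getpid(), child, "net");

    (void)write(down[1], "x", 1);                 /* release the child */
    waitpid(child, NULL, 0);
    free(stack);
    return (uts == 0 && pid == 0 && net == 1) ? 0 : -1;
}

int main(void)
{
    int r = run_demo();
    puts(r == 1 ? "clone() refused: unprivileged user namespaces not allowed here"
       : r == 0 ? "child isolated: uts and pid differ from parent, net still shared"
                : "unexpected result");
    return r < 0;
}
```

Build with `gcc -Wall demo.c -o demo`. Inside the child, getpid() returns 1 even though the host sees an ordinary PID, and the hostname change is invisible to the parent. Where kernel.unprivileged_userns_clone is off, or a seccomp profile blocks clone() with namespace flags (container runtimes' default profiles typically do unless CAP_SYS_ADMIN is granted), clone() fails with EPERM and the program reports that it skipped rather than crashing. The same_ns() comparison is also the audit you would run from inside a container to learn whether it shares the host's net or pid namespace, since that is exactly what setns() would join.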

Sources

^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md]