Linux Namespace

Linux Namespace is a kernel mechanism used to modify the view of a process's execution environment, primarily serving as a method for isolation^[400-devops-06-kubernetes-k8s-paas-docker.md]. It is often combined with [[Cgroups]]—which handle resource constraints—to create the fundamental boundary for [[Containers]]^[400-devops-06-kubernetes-k8s-paas-docker.md]. Containers are essentially special processes isolated by these technologies^[400-devops-06-kubernetes-k8s-paas-docker.md].

Types of Namespaces

Linux provides several specific namespaces to isolate different process contexts:

  • PID Namespace: Isolates process IDs. A process can have PID 1 inside this namespace while retaining a different PID on the host^[400-devops-06-kubernetes-k8s-paas-docker.md].
  • Mount Namespace: Isolates filesystem mount points, allowing each container to see a different file system hierarchy^[400-devops-06-kubernetes-k8s-paas-docker.md].
  • Network Namespace: Isolates network resources (stack, ports, etc.)^[400-devops-06-kubernetes-k8s-paas-docker.md].
  • IPC Namespace: Isolates Inter-Process Communication resources (System V IPC and POSIX message queues)^[400-devops-06-kubernetes-k8s-paas-docker.md].
  • UTS Namespace: Isolates hostname and domain names^[400-devops-06-kubernetes-k8s-paas-docker.md].
  • User Namespace: Isolates user and group IDs^[400-devops-06-kubernetes-k8s-paas-docker.md].

APIs and Usage

Namespaces are manipulated through a small set of system calls and flags. To specify which kinds of isolation a process should receive, developers pass one flag per namespace type, such as CLONE_NEWIPC, CLONE_NEWNS, CLONE_NEWNET, CLONE_NEWPID, CLONE_NEWUSER, and CLONE_NEWUTS^[400-devops-06-kubernetes-k8s-paas-docker.md].

There are three primary system calls involved in namespace management^[400-devops-06-kubernetes-k8s-paas-docker.md]:

  1. clone(): Creates a new process. If called with namespace flags (e.g., CLONE_NEWPID), it creates the new process within a new namespace^[400-devops-06-kubernetes-k8s-paas-docker.md].
  2. setns(): Allows an existing process to join an already existing namespace^[400-devops-06-kubernetes-k8s-paas-docker.md].
  3. unshare(): Isolates parts of the execution context for the current process without starting a new one^[400-devops-06-kubernetes-k8s-paas-docker.md].
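As an added example (not code from the cited source), the following C program uses clone() with the flags above to start a child in new user, PID and UTS namespaces: the child sees itself as PID 1 and renames its host to "sandbox", while the parent's hostname is unaffected. The function names and the "sandbox" hostname are my own choices; CLONE_NEWUSER is included so that no root privileges are needed, and the program reports -1 where the kernel or a seccomp policy refuses the request.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)

/* Runs inside the new namespaces. Returns 0 if it is PID 1 there, 2 if the
   hostname change (confined to the new UTS namespace) was refused. */
static int child_fn(void *arg) {
    (void)arg;
    if (sethostname("sandbox", 7) != 0) return 2;
    return getpid() == 1 ? 0 : 1;
}

/* clone() a child into new user, PID and UTS namespaces and wait for it.
 * Returns the child's exit code (see child_fn) or -1 if clone() was refused,
 * e.g. unprivileged user namespaces disabled or seccomp blocking the flags. */
int run_in_new_namespaces(void) {
    char *stack = malloc(STACK_SIZE);
    if (stack == NULL) return -1;
    /* CLONE_NEWUSER first: then no root is needed for the PID/UTS namespaces. */
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
    pid_t pid = clone(child_fn, stack + STACK_SIZE, flags, NULL); /* stack grows down */
    if (pid == -1) { perror("clone"); free(stack); return -1; }
    int status = 0;
    waitpid(pid, &status, 0);
    free(stack);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Checks that the child's sethostname() did not leak into the parent's view. */
int hostname_unchanged_after_child(void) {
    char before[256], after[256];
    if (gethostname(before, sizeof before) != 0) return 0;
    run_in_new_namespaces();
    if (gethostname(after, sizeof after) != 0) return 0;
    return strcmp(before, after) == 0;
}

int main(void) {
    int rc = run_in_new_namespaces();
    printf("child result: %d (0 = it was PID 1 in its own namespace)\n", rc);
    printf("parent hostname untouched: %s\n", hostname_unchanged_after_child() ? "yes" : "no");
    return rc == 0 ? 0 : 1;
}
```

Compile with `gcc -Wall -o ns_demo ns_demo.c`; on a host where unprivileged user namespaces are disabled the program prints the clone() error and reports -1 instead of crashing.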

Role in Containers

In the context of [[Docker]], the engine configures Linux Namespaces to restrict the containerized process's view of the system^[400-devops-06-kubernetes-k8s-paas-docker.md]. For instance, when a container runs /bin/sh, that shell typically becomes PID 1 inside the container, isolated from the host's process table^[400-devops-06-kubernetes-k8s-paas-docker.md]. Unlike a [[Hypervisor]], which emulates hardware for a full Guest OS, namespaces share the host kernel and only provide an isolated "view" or environment for the process, so the kernel itself is the isolation boundary^[400-devops-06-kubernetes-k8s-paas-docker.md].

Sources

^[400-devops-06-kubernetes-k8s-paas-docker.md]