Notes

Namespaces

Overview

Namespaces partition global kernel resources so a process sees its own isolated view of the system. Each namespace type isolates a specific resource; containers use a set of namespaces together.

Namespace Types

pid isolates process IDs and process trees.
net isolates network interfaces, routing tables, and ports.
mnt isolates mount points and the filesystem view.
uts isolates hostname and domain name.
ipc isolates System V IPC and POSIX message queues.
user isolates user and group IDs (lets a process be root inside a container without being root outside).
cgroup isolates the view of cgroup hierarchies.

How It Works (Kernel Facilities)

clone() creates a child process that starts inside new namespaces (CLONE_NEW* flags). unshare() moves the calling process itself into newly created namespaces (same flags) without forking. setns() moves the calling process into an existing namespace given a file descriptor opened on that namespace's handle. The handles are the symlinks under /proc/<pid>/ns/; each link target reads type:[inode], and two processes are in the same namespace exactly when the inode numbers match.
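The kernel calls above exercised from C, as an added example that is not part of these notes: a forked child unshares a user plus UTS namespace (A), unshares a second UTS namespace (B), sets a hostname that only B sees, and then uses setns() with a file descriptor opened on /proc/self/ns/uts while in A to rejoin A, comparing the inode numbers from the /proc handles at each step. clone() with CLONE_NEW* flags would start the child directly inside new namespaces; fork() followed by unshare() is used here so the parent stays outside and can confirm its own hostname never changed. The names parse_ns_link, ns_inode and run_ns_demo are this example's own, and it assumes a Linux system where unprivileged user namespaces are allowed; where they are blocked (seccomp, sysctl or AppArmor), run_ns_demo() returns 0 rather than failing.

```c
/* Added example (not from the original notes): drive unshare(), setns() and
 * the /proc/<pid>/ns handles from C. No root needed: a new user namespace
 * grants CAP_SYS_ADMIN over the namespaces it owns. Linux only.
 * Build: gcc -Wall -o ns_api ns_api.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER   /* <sched.h> hides these unless _GNU_SOURCE is set */
#define CLONE_NEWUTS  0x04000000
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);
int setns(int fd, int nstype);
/* errno values meaning "this environment forbids new namespaces" */
#define NS_FORBIDDEN(e) ((e) == EPERM || (e) == EACCES || (e) == ENOSYS || (e) == EINVAL)

/* Parse a /proc/<pid>/ns/* link target such as "uts:[4026531838]" into
 * namespace type and inode number. Returns 0 on success, -1 if malformed. */
int parse_ns_link(const char *link, char *type, size_t type_len, unsigned long *ino)
{
    const char *colon = strchr(link, ':');
    if (!colon || colon[1] != '[' || (size_t)(colon - link) >= type_len) return -1;
    char *end;
    unsigned long v = strtoul(colon + 2, &end, 10);
    if (end == colon + 2 || end[0] != ']' || end[1] != '\0') return -1;
    memcpy(type, link, colon - link);
    type[colon - link] = '\0';
    *ino = v;
    return 0;
}

/* Inode of the caller's namespace of the given type ("uts", "pid", ...), or
 * 0 on error. Two processes share a namespace iff the inodes are equal. */
unsigned long ns_inode(const char *type)
{
    char path[64], buf[64], t[16];
    unsigned long ino;
    snprintf(path, sizeof path, "/proc/self/ns/%s", type);
    ssize_t n = readlink(path, buf, sizeof buf - 1);
    if (n < 0) return 0;
    buf[n] = '\0';
    return parse_ns_link(buf, t, sizeof t, &ino) == 0 ? ino : 0;
}

/* Child body: enter user+UTS namespace A, then UTS namespace B, set a
 * hostname in B, then setns() back to A through the fd saved while in A.
 * Returns 1 on success, 0 if namespaces are forbidden here, -1 otherwise. */
static int child_demo(void)
{
    unsigned long orig = ns_inode("uts");
    if (orig == 0) return -1;
    if (unshare(CLONE_NEWUSER | CLONE_NEWUTS) < 0) return NS_FORBIDDEN(errno) ? 0 : -1;
    unsigned long a = ns_inode("uts");
    int fd_a = open("/proc/self/ns/uts", O_RDONLY);    /* handle to A */
    if (a == 0 || a == orig || fd_a < 0) return -1;
    if (unshare(CLONE_NEWUTS) < 0) return NS_FORBIDDEN(errno) ? 0 : -1;
    unsigned long b = ns_inode("uts");
    if (b == 0 || b == a) return -1;
    if (sethostname("ns-demo", 7) < 0) return -1;      /* visible only in B */
    if (setns(fd_a, CLONE_NEWUTS) < 0) return -1;      /* re-join A */
    close(fd_a);
    return ns_inode("uts") == a ? 1 : -1;
}

/* Run the demo in a forked child so the caller's namespaces stay untouched,
 * then verify the caller's hostname did not change. Returns the child's code. */
int run_ns_demo(void)
{
    char before[256], after[256];
    int fds[2], result = -1;
    if (gethostname(before, sizeof before) < 0 || pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int r = child_demo();
        _exit(write(fds[1], &r, sizeof r) == sizeof r ? 0 : 1);
    }
    close(fds[1]);
    if (read(fds[0], &result, sizeof result) != sizeof result) result = -1;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (gethostname(after, sizeof after) < 0 || strcmp(before, after) != 0) return -1;
    return result;
}

int main(void)
{
    int r = run_ns_demo();
    printf("caller's uts namespace inode: %lu\n", ns_inode("uts"));
    puts(r == 1 ? "unshare/setns round trip ok; caller's hostname untouched"
       : r == 0 ? "new namespaces are not permitted in this environment"
                : "unexpected failure");
    return r < 0;
}
```

The inode the program prints can be compared with `readlink /proc/$$/ns/uts` from another shell: the two match only for processes in the same UTS namespace, which is also how lsns groups processes.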

Common Tools

unshare to create new namespaces for a process. nsenter to enter the namespaces of a target PID. lsns to list namespaces.

Example: Create a New UTS + Mount Namespace

$ sudo unshare --uts --mount --fork /bin/bash
# hostname container1
# mount -t tmpfs tmpfs /mnt

The new hostname and the tmpfs on /mnt exist only inside this shell: processes outside still see the original hostname and mount table, and exiting the shell discards both.

Security Notes

Namespaces isolate what a process can see, not what it may do; on their own they are not a full trust boundary. Combine namespaces with Linux/Containerization/Cgroups (resource limits), Linux/Containerization/Capabilities (privilege reduction), and Linux/Containerization/LSM (mandatory access control) for defense in depth.
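An added example, not from these notes, that makes the point concrete for user namespaces: a forked child calls unshare(CLONE_NEWUSER), maps its own UID and GID to 0 through /proc/self/uid_map and gid_map, and so reports itself as root via geteuid(), yet sethostname() is refused with EPERM because the UTS namespace it is still in belongs to the host's user namespace, where the child holds no capabilities. The call rewrites the current hostname, so it is harmless even if it were to succeed. The names format_id_map, write_file and run_userns_demo are this example's own; it assumes Linux with unprivileged user namespaces enabled and returns 1 where they are blocked.

```c
/* Added example (not from the original notes): "root inside a container"
 * is root only over namespaces owned by the new user namespace. The child
 * becomes UID 0 in a fresh user namespace, then sethostname() against the
 * host's UTS namespace still fails. Linux only.
 * Build: gcc -Wall -o userns_root userns_root.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER   /* <sched.h> hides this unless _GNU_SOURCE is set */
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);

/* Result codes; the child returns one as its exit status. */
enum { ROOT_CONFINED = 0, NS_FORBIDDEN = 1, UNEXPECTED = 2 };

/* Build the one-line "<inside> <outside> <count>" mapping written to
 * uid_map/gid_map: ID 0 inside mapped to our real ID outside. */
int format_id_map(char *buf, size_t len, unsigned outside_id)
{
    return snprintf(buf, len, "0 %u 1", outside_id);
}

/* Write a string to a file; returns 0 on success, -1 with errno set. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Child body: become "root" in a new user namespace, then attempt
 * sethostname(), which needs CAP_SYS_ADMIN in the user namespace that owns
 * the UTS namespace. That is still the host's, where we hold nothing, so
 * the kernel answers EPERM. Writing back the current hostname keeps the
 * call harmless either way. */
static int child_demo(void)
{
    char map[64], host[256];
    unsigned uid = geteuid(), gid = getegid();
    if (gethostname(host, sizeof host) < 0) return UNEXPECTED;
    if (unshare(CLONE_NEWUSER) < 0)
        return (errno == EPERM || errno == EACCES || errno == ENOSYS || errno == EINVAL)
               ? NS_FORBIDDEN : UNEXPECTED;
    format_id_map(map, sizeof map, uid);
    if (write_file("/proc/self/uid_map", map) < 0) return UNEXPECTED;
    write_file("/proc/self/setgroups", "deny");  /* needed before gid_map; absent on old kernels */
    format_id_map(map, sizeof map, gid);
    if (write_file("/proc/self/gid_map", map) < 0) return UNEXPECTED;
    if (geteuid() != 0) return UNEXPECTED;       /* we are now root inside */
    if (sethostname(host, strlen(host)) == 0) return UNEXPECTED;
    return errno == EPERM ? ROOT_CONFINED : UNEXPECTED;
}

/* Fork, run child_demo() there and return its result code, after checking
 * that the parent's own UID and hostname are untouched. */
int run_userns_demo(void)
{
    char before[256], after[256];
    uid_t uid = geteuid();
    int status;
    if (gethostname(before, sizeof before) < 0) return UNEXPECTED;
    pid_t pid = fork();
    if (pid < 0) return UNEXPECTED;
    if (pid == 0) _exit(child_demo());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return UNEXPECTED;
    if (geteuid() != uid || gethostname(after, sizeof after) < 0 || strcmp(before, after))
        return UNEXPECTED;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = run_userns_demo();
    puts(r == ROOT_CONFINED ? "UID 0 inside the user namespace, but sethostname on the host's UTS namespace: EPERM"
       : r == NS_FORBIDDEN  ? "user namespaces are not permitted in this environment"
                            : "unexpected failure");
    return r == UNEXPECTED;
}
```

The same confinement applies to every other capability-gated operation on resources the new user namespace does not own, which is why a container runtime still drops capabilities and applies an LSM profile rather than relying on the UID mapping alone.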