SH
SHELL
AI Powered Learning Portal
The Magic of Isolation: Intro to Namespaces
·TechSoftware Development

The Magic of Isolation: Intro to Namespaces

How does Docker actually work? Peek behind the curtain of Linux Namespaces. Learn how the kernel creates the 'Illusion' of a private system for a single process. Understand PID, Network, and Mount namespaces.

linuxcontainersdockernamespaceskernelsysadmin

Namespaces: The Foundation of Containers

When you run a Docker container, it feels like a whole separate computer. It has its own IP address, its own root user, and its own process list. But if you look from the outside (the host), it's just a normal process.

How is this possible?

Linux Namespaces.

Namespaces are a kernel feature that partitions kernel resources. When a process is placed in a namespace, it can only see the resources assigned to that namespace. It is "Isolated" from the rest of the system. In this lesson, we will explore the 6 main types of namespaces that make containers possible.

2. The 6 Pillars of Isolation

I. PID Namespace (Process ID)

This allows a container to have its own Process 1 (init). Inside the container, you see only your own apps. On the host, the kernel sees the app as (for example) Process 5402.

II. NET Namespace (Network)

The container gets its own virtual network stack: its own routing table, firewall rules, and IP address.

III. MNT Namespace (Mount)

This is the most famous. It allows the container to have its own root filesystem (/). To the container, /etc/passwd is the one inside the container, not the host's.

IV. UTS Namespace (Hostname)

Allows the container to have its own hostname (e.g., web-server-01) separate from the host machine.

V. IPC Namespace (Communication)

Prevents processes in different containers from talking to each other through shared memory or message queues.

VI. USER Namespace

Allows a user to be root inside the container but a completely unprivileged user on the host. This is the ultimate security layer.

3. Practical: Seeing the Namespaces

You can see which namespaces your current shell belongs to.

# List the 'Inodes' for your current namespaces
ls -l /proc/self/ns

If you start a container, you will see it has different Inode numbers for these files, proving it is "Elsewhere" in the kernel's mind.

4. The 'unshare' Command: Creating Your Own "Container"

You don't need Docker to create isolation. You can use the unshare command.

# Start a bash shell that has its own HOSTNAME
sudo unshare --uts bash

# Change the hostname
hostname "isolated-box"

# Verify! (The host's hostname remains unchanged)
hostname

5. Identifying Namespace Leaks

If a container is hacked, a common goal is "Escape." This usually happens if a namespace wasn't properly isolated. For example, if a container shares the host's network namespace (--net=host), a hacker in the container can sniff all the host's traffic.

6. Example: A Namespace Auditor (Python)

How many virtual "Worlds" are running on your server? Here is a Python script that counts the unique namespaces currently active in the kernel.

import os

def count_active_namespaces():
    """
    Counts unique namespace IDs across all running processes.
    """
    ns_types = ["uts", "ipc", "net", "pid", "mnt", "user"]
    print("--- Active Kernel Namespaces ---")
    
    for ns_type in ns_types:
        unique_ns = set()
        # Look through all process folders in /proc
        for pid in [p for p in os.listdir("/proc") if p.isdigit()]:
            try:
                ns_link = os.readlink(f"/proc/{pid}/ns/{ns_type}")
                unique_ns.add(ns_link)
            except (OSError, FileNotFoundError):
                continue
        
        print(f"{ns_type.upper():5} | Unique Worlds: {len(unique_ns)}")

if __name__ == "__main__":
    count_active_namespaces()

7. Professional Tip: Don't run as '--privileged'

In Docker, the --privileged flag tells the kernel: "Remove all namespace protections and give this container direct access to the host's hardware." Never do this in production. It effectively turns your container into a root shell on your host.

8. Summary

Namespaces are the "Magic Trick" of Linux.

  • They create the Illusion of a private OS.
  • There are 6 main types of isolation (PID, NET, MNT, etc.).
  • unshare is the tool to create them manually.
  • /proc/[PID]/ns/ is the database of current isolation.
  • Namespaces are the reason containers are "Lightweight" (they share the same kernel).

In the next lesson, we will look at the other half of the container equation: Resource Policing with Cgroups.

Quiz Questions

  1. Why does a process inside a container see itself as PID 1?
  2. What is the difference between a virtual machine and a container in terms of kernel usage?
  3. Which namespace is responsible for giving a container its own IP address?

Continue to Lesson 2: Resource Policing—Mastering Cgroups.

Previous LessonThe Atomic Level: Profiling with perf and strace
Next LessonThe Resource Police: Mastering Cgroups

Subscribe to our newsletter

Get the latest posts delivered right to your inbox.

Subscribe on LinkedIn