ns subsystem) are a feature of the kernel designed to enable compartmentation of a running system for different workloads.
As of Linux 5.6:
- PID (`pid`) limits visibility of processes to those within the namespace. The first process created in a namespace is PID 1, and orphaned processes will be reparented to it.
- Network (`net`) virtualises network interfaces, by default only providing a loopback (`lo`) device. Each NIC is present in only one namespace, though it may be moved. Each namespace has its own private IP addresses, routing table, socket list, and firewall.
- Mount (`mnt`) prevents propagation of mountpoints between namespaces (outside of shared subtrees). Enabled with
- IPC (`ipc`) isolates processes from one another in SysV-style IPC mechanisms, e.g. limiting shared memory segments to a group of related processes.
- UTS (`uts`) allows virtualisation of the hostname and domain name.
- User ID (`user`) allows privilege isolation and segregation of users across sets of processes. This is useful for giving containers apparent administrative rights without elevated access to other processes running on the host. It is achieved through UID mapping.
- cgroups (`cgroup`) hides the identity of a process's control group.
- Time (`time`) allows presentation of different system times to processes.
Manipulation of namespaces is performed using system calls:
- Flags passed to `clone()` determine which namespaces a process is migrated to.
- `unshare()` allows existing tasks to disassociate parts of their execution context.
- `setns()` enters a namespace specified by an FD.
There are three means of referencing a namespace:
- A process can belong to the namespace.
- An open FD against a namespace's file in
- A bind mount against a namespace's file.
Namespaces are automatically deleted upon the termination of the last reference.
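As an added example (not from the original page), the following C program works with the second kind of reference listed above, the per-process namespace files under `/proc`: the kernel exposes each as a symlink whose target looks like `net:[4026531992]`, and the bracketed inode number identifies the namespace. Comparing a process's inodes against those of PID 1 is a quick audit of whether it is actually isolated from the host; the namespace type names and the `/proc/<pid>/ns/<type>` path are as documented by the kernel, everything else here is the example's own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Parse a /proc/<pid>/ns/<type> link target such as "net:[4026531992]".
 * Copies the type name into 'type' and returns the inode, or 0 if malformed.
 * The inode is the namespace's identity: equal inodes mean the same namespace. */
unsigned long ns_parse_link(const char *link, char *type, size_t type_len)
{
    const char *colon = strchr(link, ':');
    if (!colon || colon[1] != '[') return 0;
    size_t n = (size_t)(colon - link);
    if (n == 0 || n >= type_len) return 0;
    memcpy(type, link, n);
    type[n] = '\0';
    char *end = NULL;
    unsigned long ino = strtoul(colon + 2, &end, 10);
    if (end == colon + 2 || *end != ']' || end[1] != '\0') return 0;
    return ino;
}

/* Namespace inode of <pid> for <type>, read via /proc; 0 if unreadable
 * (no such pid, no permission, or a type this kernel lacks, e.g. "time"). */
unsigned long ns_inode(pid_t pid, const char *type)
{
    char path[64], link[64], parsed[16];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, type);
    ssize_t len = readlink(path, link, sizeof link - 1);
    if (len < 0) return 0;
    link[len] = '\0';
    return ns_parse_link(link, parsed, sizeof parsed);
}

/* 1 if both pids share the namespace, 0 if not, -1 if either could not be read. */
int ns_same(pid_t a, pid_t b, const char *type)
{
    unsigned long ia = ns_inode(a, type), ib = ns_inode(b, type);
    if (ia == 0 || ib == 0) return -1;
    return ia == ib;
}

/* Usage: ./nscheck [pid]  (defaults to this process). Compares against PID 1. */
int main(int argc, char **argv)
{
    pid_t pid = argc > 1 ? (pid_t)atoi(argv[1]) : getpid();
    const char *types[] = {"pid", "net", "mnt", "ipc", "uts", "user", "cgroup", "time"};
    for (size_t i = 0; i < sizeof types / sizeof *types; i++)
        printf("%-6s inode=%lu shared_with_pid1=%d\n", types[i],
               ns_inode(pid, types[i]), ns_same(pid, 1, types[i]));
    return 0;
}
```

A row printing `shared_with_pid1=1` means that namespace offers no separation from the host's init for the inspected process; reading another user's process requires the usual ptrace-style permission on `/proc`.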