400 Software Development


Linux kernel namespaces

1. Operating System Fundamentals

  • An operating system mediates access to hardware.
  • Applications never touch hardware directly.
  • Applications interact with the OS using system calls.
  • The kernel decides what resources a process can see and use.

Key idea:

The kernel is the authority.
Applications ask questions; the kernel decides the answers.


2. Processes

  • A process is a running program.
  • Each process has a process ID (PID).
  • Normally, the OS maintains one global process tree.
  • Processes can normally see other processes on the system (subject to permissions).

3. What a Namespace Is

A namespace is a kernel feature.

Definition:

A namespace is a rule inside the kernel that says:
“When these processes ask about this resource, give them a different answer.”

Or equivalently:

“For this group of processes, show them their own version of a global system resource.”

Important:

  • Nothing is emulated.
  • Nothing is intercepted in user space.
  • The kernel simply answers system calls differently.


4. Core Linux Namespaces

PID Namespace — Processes

  • Provides a separate process ID space.
  • Processes only see:
    • Themselves
    • Their children
  • PID numbers restart at 1 inside the namespace.
  • The OS still has a global process tree; it’s just not visible.

NET Namespace — Networking

  • Networking is accessed via system calls like socket, bind, and listen.
  • Normally, there is one:
    • Network stack
    • Set of interfaces
    • Port table

With a NET namespace:

  • Each namespace has its own:
    • Network stack
    • Interfaces
    • IP addresses
    • Ports

Result:

  • The same port number can be used in multiple namespaces without conflict.


MNT (Mount) Namespace — Filesystems

  • The OS normally has one mount table.
  • Everyone sees the same / (root filesystem).

With a mount namespace:

  • Each namespace has its own mount table.
  • / can point to a different filesystem.
  • Files still exist; only the mount mapping differs.


UTS Namespace — System Identity

  • Isolates:
    • Hostname
    • Domain name
  • Each namespace can have its own hostname.

IPC Namespace — Inter-Process Communication

  • Isolates:
    • Shared memory
    • Semaphores
    • Message queues
  • Processes can only communicate with others in the same IPC namespace.

USER Namespace — Users and Privileges

  • Isolates user and group IDs.
  • Allows UID mapping:
    • A process can be “root” inside the namespace
    • While being unprivileged on the host
  • Important for security and rootless containers.
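To make the "kernel answers differently" idea concrete, here is an added example in C (not part of the original notes) that uses clone() to put a child process into new user, PID and UTS namespaces, then reports what the child sees: getpid() answers 1, and the hostname it sets is visible only inside its own UTS namespace while the parent's hostname is unchanged. The function, struct and hostname names are assumptions of this example; on systems where unprivileged user namespaces are disabled, clone() fails and the result records errno instead of the child's view.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the child observed from inside its new namespaces (layout assumed here). */
struct ns_result {
    int ok;              /* 1 if the namespaces were created and the child reported back */
    int err;             /* errno when ok == 0 */
    int inner_pid;       /* getpid() as answered inside the new PID namespace */
    char inner_host[64]; /* gethostname() as answered inside the new UTS namespace */
};
struct child_args { const char *hostname; int report_fd; };

/* Entry point of the child, already inside the new user, PID and UTS namespaces. */
static int child_fn(void *arg) {
    struct child_args *a = arg;
    struct ns_result r = { 0 };
    /* The child is "root" only in its own user namespace, so sethostname()
       changes its UTS namespace's hostname and never the host's. */
    r.ok = sethostname(a->hostname, strlen(a->hostname)) == 0;
    r.err = r.ok ? 0 : errno;
    gethostname(r.inner_host, sizeof r.inner_host);
    r.inner_pid = (int)getpid();   /* the kernel answers 1: first PID in the new space */
    (void)write(a->report_fd, &r, sizeof r);
    return 0;
}

/* Creates a child in fresh user, PID and UTS namespaces and returns what it saw. */
struct ns_result run_ns_demo(const char *hostname) {
    struct ns_result r = { 0 };
    int fds[2];
    const size_t stack_size = 64 * 1024;
    char *stack = malloc(stack_size);        /* clone() needs a caller-supplied stack */
    if (!stack || pipe(fds) != 0) { r.err = errno; free(stack); return r; }
    struct child_args a = { hostname, fds[1] };
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
    pid_t pid = clone(child_fn, stack + stack_size, flags, &a); /* stack grows down */
    r.err = pid < 0 ? errno : 0;   /* EPERM/EINVAL: unprivileged user namespaces disabled */
    close(fds[1]);                 /* the child holds its own copy of the write end */
    if (pid >= 0) {
        if (read(fds[0], &r, sizeof r) != (ssize_t)sizeof r) r.ok = 0;
        waitpid(pid, NULL, 0);
    }
    close(fds[0]); free(stack);
    return r;
}
```

Compare with `unshare -Urpf --mount-proc hostname ns-demo-host` to see the same effect from the shell: the hostname change is confined to the new UTS namespace.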

5. cgroups (Control Groups)

Namespaces control visibility.
cgroups control usage.

cgroups limit and account for:

  • CPU
  • Memory
  • Disk I/O
  • Network bandwidth

Simple rule:

  • Namespaces → what a process can see
  • cgroups → how much it can use

