Linux namespaces

namespaces
  Original author: Al Viro
  Developers: Eric W. Biederman, Pavel Emelyanov, Al Viro, Cyrill Gorcunov et al.
  Initial release: 2002
  Written in: C
  Operating system: Linux
  Type: System software
  License: GPL and LGPL

Namespaces are a Linux kernel feature that isolates and virtualizes resources (PIDs, hostname, user IDs, network, IPC, filesystem mounts) of a collection of processes.

General

Which resource is isolated depends on the kind of namespace, but the general functionality is the same across all namespace kinds: every process is associated with one namespace of each kind and can only see the resources belonging to that namespace. This way each process (or group of processes) can have its own view of the resource. Namespaces can be created and joined. After the system has booted, all processes belong to a single namespace of each kind.

The Linux developers use the term namespace both for namespace kinds and for namespaces themselves, although they are two different things (analogous to the difference between a class and an instance).

Linux namespaces were inspired by the more general namespace functionality used heavily throughout Plan 9 from Bell Labs.[1]

History

Linux namespaces started out with only the mount namespace kind, in kernel version 2.4.19 in 2002. Most of the work on the current namespace kinds was finished in kernel version 3.8.

Representation

Each process is assigned one symbolic link per namespace kind in /proc/<pid>/ns/. These symlinks are handled specially by the kernel: the inode number a symlink points to is the same for every process in the same namespace, so each namespace is uniquely identified by the inode number pointed to by any of its symlinks. Reading the symlink via readlink returns a string containing the namespace kind name and the inode number of the namespace.
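The inode identity described above can be checked from user space. The following C program is an added example (not part of the article or of the kernel sources): it reads each /proc/self/ns/<kind> link, parses the kind:[inode] text, and compares the inode and device numbers of two processes' links to decide whether they share a namespace. The kind names in the kinds array are the six the article lists further down; the function names are this example's own.

```c
/* Added example (not from the article): read the per-kind namespace links in
 * /proc/<pid>/ns/ and compare inode numbers to decide whether two processes
 * share a namespace.  Linux only; the "kind:[inode]" link text is the format
 * the article describes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Parse "mnt:[4026531840]" into its inode number.  Returns the inode, or 0 if
 * the string does not have the documented shape (0 is never a valid inode). */
unsigned long ns_link_inode(const char *link)
{
    const char *open = strchr(link, '[');
    if (!open || open == link || open[-1] != ':')
        return 0;
    char *end = NULL;
    unsigned long ino = strtoul(open + 1, &end, 10);
    if (!end || end == open + 1 || strcmp(end, "]") != 0)
        return 0;
    return ino;
}

/* Copy the kind name ("mnt", "pid", ...) out of the link text.  Returns 1 on
 * success, 0 if the text is malformed or the buffer is too small. */
int ns_link_kind(const char *link, char *kind, size_t kind_sz)
{
    const char *colon = strchr(link, ':');
    if (!colon || colon == link || (size_t)(colon - link) >= kind_sz)
        return 0;
    memcpy(kind, link, (size_t)(colon - link));
    kind[colon - link] = '\0';
    return 1;
}

/* Return 1 if processes a and b are in the same namespace of the given kind,
 * 0 if not, -1 if the /proc entries cannot be read (no permission, no /proc,
 * or an unknown kind).  st_dev is compared as well as st_ino because inode
 * numbers are only unique within one nsfs filesystem instance. */
int same_namespace(pid_t a, pid_t b, const char *kind)
{
    char pa[64], pb[64];
    struct stat sa, sb;
    snprintf(pa, sizeof pa, "/proc/%ld/ns/%s", (long)a, kind);
    snprintf(pb, sizeof pb, "/proc/%ld/ns/%s", (long)b, kind);
    if (stat(pa, &sa) != 0 || stat(pb, &sb) != 0)
        return -1;
    return (sa.st_ino == sb.st_ino && sa.st_dev == sb.st_dev) ? 1 : 0;
}

int main(void)
{
    static const char *kinds[] = { "mnt", "pid", "net", "ipc", "uts", "user" };
    char path[64], target[128], kind[16];

    for (size_t i = 0; i < sizeof kinds / sizeof kinds[0]; i++) {
        snprintf(path, sizeof path, "/proc/self/ns/%s", kinds[i]);
        ssize_t n = readlink(path, target, sizeof target - 1);
        if (n < 0) { perror(path); continue; }
        target[n] = '\0';
        if (!ns_link_kind(target, kind, sizeof kind))
            continue;
        printf("%-5s link=%-20s inode=%lu\n", kind, target, ns_link_inode(target));
    }
    /* A process trivially shares every namespace with itself; with PID 1 it
     * usually does not when running inside a container. */
    printf("same pid namespace as PID 1: %d\n", same_namespace(getpid(), 1, "pid"));
    return 0;
}
```

Comparing the inode alone is the check most scripts do; comparing st_dev as well is the form the kernel documentation recommends once nsfs became a separate filesystem, and it costs nothing.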

Syscalls

Three syscalls can directly manipulate namespaces:

Destruction

If a namespace is no longer referenced, it is deleted; what happens to the resources it contained depends on the namespace kind. Namespaces can be referenced in three ways:

  1. a process belonging to the namespace
  2. an open file descriptor to the namespace's file (/proc/<pid>/ns/<ns-kind>)
  3. a bind mount of the namespace's file (/proc/<pid>/ns/<ns-kind>)
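As an added example (not from the article), the following C program exercises two of the syscalls the article refers to, unshare(2) and setns(2), from an unprivileged process. A child holds an open file descriptor to its UTS namespace (the second kind of reference listed above), unshares into a new user namespace plus a new UTS namespace owned by it, changes the hostname there, and then finds that setns() back into the original UTS namespace is refused with EPERM, because that namespace is owned by a user namespace in which the child no longer holds any capability. Function and enum names are this example's own, and the list of errno values treated as "namespaces unavailable here" is an assumption about common kernel and sandbox configurations.

```c
/* Added example (not from the article): create and leave namespaces with
 * unshare(2) and setns(2), keep a namespace reachable through an open fd, and
 * show that re-entering a namespace is judged in its owning user namespace.
 * Linux only; works unprivileged.  The work happens in a forked child so the
 * caller's own namespaces are untouched. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <sys/wait.h>

/* Fallbacks in case <sched.h> hides the flags without _GNU_SOURCE. */
#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS  0x04000000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

enum { DEMO_OK = 0, DEMO_UNEXPECTED = 1, DEMO_UNAVAILABLE = 2 };

/* Exit status of the child: DEMO_OK if every step behaved as the namespace
 * rules predict, DEMO_UNAVAILABLE if this kernel/sandbox refuses to create
 * user namespaces (assumed errno set), DEMO_UNEXPECTED otherwise. */
static int uts_child(void)
{
    struct utsname u;

    /* 1. Keep a reference to the current UTS namespace.  While this fd is open
     *    the namespace cannot be destroyed, and it is what setns() takes. */
    int old_uts = open("/proc/self/ns/uts", O_RDONLY);
    if (old_uts < 0)
        return DEMO_UNAVAILABLE;

    /* 2. unshare(): a new user namespace (so no privilege is needed) and a new
     *    UTS namespace owned by it.  Called via syscall() so the example does
     *    not depend on glibc exposing the unshare/setns prototypes. */
    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWUTS) != 0) {
        if (errno == EPERM || errno == ENOSYS || errno == EINVAL ||
            errno == EACCES || errno == ENOSPC || errno == EUSERS)
            return DEMO_UNAVAILABLE;
        return DEMO_UNEXPECTED;
    }

    /* 3. In the new UTS namespace the process holds CAP_SYS_ADMIN in the owning
     *    user namespace, so it may set the hostname; nothing outside sees it. */
    if (sethostname("ns-demo", 7) != 0)
        return DEMO_UNEXPECTED;
    if (uname(&u) != 0 || strcmp(u.nodename, "ns-demo") != 0)
        return DEMO_UNEXPECTED;

    /* 4. setns() back into the original UTS namespace must fail with EPERM:
     *    that namespace belongs to the parent user namespace, where this
     *    process no longer has capabilities. */
    if (syscall(SYS_setns, old_uts, CLONE_NEWUTS) == 0 || errno != EPERM)
        return DEMO_UNEXPECTED;

    close(old_uts);
    return DEMO_OK;
}

/* Fork, run uts_child() in the child and return its exit status. */
int uts_namespace_demo(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return DEMO_UNEXPECTED;
    if (pid == 0)
        _exit(uts_child());
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return DEMO_UNEXPECTED;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *names[] = { "ok", "unexpected result",
                                   "namespaces unavailable here" };
    int r = uts_namespace_demo();
    printf("uts namespace demo: %s\n", names[r]);
    return r == DEMO_OK ? 0 : 1;
}
```

The third syscall, clone(2) with the CLONE_NEW* flags, creates the new namespaces for a new child instead of for the caller; the permission rule in step 4 is the same for it.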

Namespace kinds

There are currently (since kernel version 3.8) six kinds of namespace. A few other kinds have been proposed but not merged into the kernel, for example a time namespace and a syslog namespace.

mnt
  Mount namespaces control mount points. Upon creation, the mounts of the current mount namespace are copied into the new namespace, but mount points created afterwards do not propagate between namespaces (using shared subtrees, it is possible to propagate mount points between namespaces[2]).
  The mount namespace kind was the first one to be introduced, at a time when nobody had thought of other namespace kinds, which is why its clone flag is CLONE_NEWNS.
pid
  Assigns each process a new PID and allows for a different init process inside the namespace.
  A process in a nested PID namespace also gets a PID in, and can be seen from, the parent namespace.
  Can be nested.
  Aids in process migration between different hosts.
net
  Cannot be nested; each network namespace is attached to a user namespace.
  Isolates the whole network stack.
ipc
  System V IPC identifiers.
  POSIX message queue filesystem.
uts
  Hostname.
  Domain name.
user
  UIDs and GIDs.
  Permission checks for namespaces of the other kinds are made against the user namespace they were created in.
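The last point, that privilege is judged in the owning user namespace, is easiest to see through uid mapping. The C program below is an added example (not from the article): an unprivileged child creates a user namespace, writes a single-line /proc/self/uid_map entry mapping its real uid to 0, observes getuid() reporting 0, and then stats / to see that the real root's files are not attributed to this new "root" but to the unmapped overflow uid, so ordinary permission checks still treat the process as its outer uid. Function and enum names are the example's own, and the errno values treated as "unavailable" are an assumption about common sandbox configurations.

```c
/* Added example (not from the article): what "root" inside a user namespace
 * means.  Linux only; works unprivileged.  The work happens in a forked child
 * so the caller's credentials are untouched. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* fallback if <sched.h> hides it */
#endif

enum { UMAP_OK = 0, UMAP_UNEXPECTED = 1, UMAP_UNAVAILABLE = 2 };

static int userns_child(void)
{
    uid_t outer_uid = getuid();     /* the kernel-level uid we keep throughout */
    char map[64];
    struct stat st;

    /* New user namespace.  Until a mapping is written, every uid is reported
     * as the overflow uid (usually 65534) inside it. */
    if (syscall(SYS_unshare, CLONE_NEWUSER) != 0) {
        if (errno == EPERM || errno == ENOSYS || errno == EINVAL ||
            errno == EACCES || errno == ENOSPC || errno == EUSERS)
            return UMAP_UNAVAILABLE;
        return UMAP_UNEXPECTED;
    }

    /* Map uid 0 inside the namespace to our real uid outside.  A process may
     * always write a one-line mapping of its own uid; mapping any other uid
     * would need CAP_SETUID in the parent user namespace.  (gid_map is left
     * alone here; writing it unprivileged first needs "deny" in setgroups.) */
    int n = snprintf(map, sizeof map, "0 %u 1\n", (unsigned)outer_uid);
    int fd = open("/proc/self/uid_map", O_WRONLY);
    if (fd < 0)
        return UMAP_UNAVAILABLE;
    if (write(fd, map, (size_t)n) != n) { close(fd); return UMAP_UNEXPECTED; }
    close(fd);

    /* We are now uid 0 as far as this namespace is concerned ... */
    if (getuid() != 0)
        return UMAP_UNEXPECTED;

    /* ... but the kernel still identifies us by outer_uid.  The root directory
     * is owned by the real root (kernel uid 0), which has no mapping in this
     * namespace, so it appears owned by the overflow uid rather than by "us",
     * and permission checks on it are made against outer_uid, not 0.  Only if
     * the outer process really was root does / show up as uid 0. */
    if (stat("/", &st) != 0)
        return UMAP_UNEXPECTED;
    if (st.st_uid == 0 && outer_uid != 0)
        return UMAP_UNEXPECTED;

    printf("inside: getuid()=%u, owner of / seen as uid %u (outer uid %u)\n",
           (unsigned)getuid(), (unsigned)st.st_uid, (unsigned)outer_uid);
    return UMAP_OK;
}

/* Fork, run userns_child() in the child and return its exit status. */
int userns_uid_demo(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return UMAP_UNEXPECTED;
    if (pid == 0)
        _exit(userns_child());
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return UMAP_UNEXPECTED;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = userns_uid_demo();
    printf("user namespace uid demo: %s\n",
           r == UMAP_OK ? "ok" : r == UMAP_UNAVAILABLE ? "unavailable here" : "unexpected");
    return r == UMAP_OK ? 0 : 1;
}
```

This is why container runtimes combine user namespaces with the other kinds: capabilities gained inside the new user namespace apply only to namespaces it owns, while access to host-owned objects is still decided by the outer uid.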

Adoption

Various container systems use Linux namespaces in combination with cgroups to isolate their processes, including Docker[3] and LXC.

References

  1. "The Use of Name Spaces in Plan 9". 1992.
  2. "Documentation/sharedsubtree.txt". lwn.net. 2005-11-08. Retrieved 2016-03-24.
  3. "Docker security". docker.com. Retrieved 2016-03-24.

This article is issued from Wikipedia - version of the Wednesday, April 13, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.