linuxlab.io
Copyright © 2026 LinuxLab. All rights reserved.

kb/processes ── Processes & resources ── advanced

Linux namespaces

Namespaces are a kernel mechanism that gives a process its own isolated view of a resource (network, mount points, PID, UID, IPC, hostname, time). Every container is built on them.

aka: linux-namespaces, ns, namespace

Why namespaces exist

Containers are not virtual machines. They share one kernel with the host. Isolation comes from two mechanisms working together:

  • cgroups limit how much resource a process may use
  • namespaces limit what a process can see

The eight types

| namespace | what it isolates | unshare/clone flag |
|---|---|---|
| mnt | mount points (its own set of mounted filesystems) | CLONE_NEWNS |
| net | interfaces, routes, ARP, sockets, firewall rules | CLONE_NEWNET |
| pid | the PID tree; PID 1 in the ns is not PID 1 on the host | CLONE_NEWPID |
| user | UID/GID and capabilities; root inside maps to an unprivileged uid outside | CLONE_NEWUSER |
| uts | hostname, domainname | CLONE_NEWUTS |
| ipc | System V IPC, POSIX message queues, shared memory | CLONE_NEWIPC |
| cgroup | view of the cgroup tree (you see only your own subtree) | CLONE_NEWCGROUP |
| time | CLOCK_MONOTONIC and CLOCK_BOOTTIME offsets (Linux 5.6+) | CLONE_NEWTIME |

Creating any of them requires CAP_SYS_ADMIN, except the user namespace: an unprivileged process may create one (distributions can switch this off via sysctl), and inside it the process holds full capabilities over the namespaces it creates next. That is what rootless containers rely on, and also why user namespaces are the entry in this list that hardening policies most often disable.

How they get created

Three ways:

  1. clone() / unshare() syscall: a program asks the kernel for new namespaces by passing the flags above. clone() puts the new child in them; unshare() moves the caller, except that for CLONE_NEWPID only the caller's next child lands in the new pid namespace. setns() joins an existing one instead of creating it.
  2. ip netns add NAME: creates a network namespace and bind-mounts its handle at /run/netns/NAME, so it stays alive with no process in it and can be referred to by name later (see veth-pair)
  3. unshare CMD: a wrapper that does unshare() plus exec(); with -r it creates a user namespace first and maps the caller to root inside it, which is how it can be run without sudo

What you see in /proc/<pid>/ns/

Each process exposes its namespace memberships as a set of symlinks under /proc/<pid>/ns/:

bash
ls -l /proc/self/ns/
# net   -> 'net:[4026531992]'
# mnt   -> 'mnt:[4026531840]'
# pid   -> 'pid:[4026531836]'
# ...

The number in brackets is the inode number of the namespace (stat on the link returns the same value). If two processes show the same number for net, they are in the same network namespace. That comparison is the quickest diagnostic: from the host, compare a suspect process against /proc/1/ns/ to see which namespaces it has left. Reading another process's handles needs ptrace-level access to that process, so an unprivileged user can only inspect their own.
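The same diagnosis done from C, as an added example that is not code from this page: ns_id() parses the link target the way ls -l shows it, ns_inode() confirms via stat() that it is the inode number, same_ns() compares two processes, and enter_ns() makes the setns(2) call that nsenter(1) makes (it needs CAP_SYS_ADMIN in the user namespace owning the target, so it returns -EPERM for an unprivileged caller). The function names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

int setns(int fd, int nstype);   /* prototype in case <sched.h> was seen before _GNU_SOURCE */

/* Path of the handle; pid 0 means the calling process. */
static void ns_path(char *buf, size_t len, pid_t pid, const char *type) {
    if (pid == 0)
        snprintf(buf, len, "/proc/self/ns/%s", type);
    else
        snprintf(buf, len, "/proc/%ld/ns/%s", (long)pid, type);
}

/* Number inside a link target such as "net:[4026531992]"; 0 if malformed. */
unsigned long ns_id_from_target(const char *target) {
    const char *lb = strchr(target, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    if (!lb || !rb || rb == lb + 1) return 0;
    char *end;
    unsigned long id = strtoul(lb + 1, &end, 10);
    return end == rb ? id : 0;
}

/* Namespace id of <pid> for <type>, as "ls -l" shows it; 0 if unreadable
   (no such type on this kernel, or no ptrace-level access to <pid>). */
unsigned long ns_id(pid_t pid, const char *type) {
    char path[64], target[64];
    ns_path(path, sizeof path, pid, type);
    ssize_t n = readlink(path, target, sizeof target - 1);
    if (n < 0) return 0;
    target[n] = '\0';
    return ns_id_from_target(target);
}

/* The bracketed number is the inode of the nsfs object behind the link,
   so stat() on the handle must agree with the link text. */
unsigned long ns_inode(pid_t pid, const char *type) {
    char path[64];
    struct stat st;
    ns_path(path, sizeof path, pid, type);
    return stat(path, &st) == 0 ? (unsigned long)st.st_ino : 0;
}

/* Same id for both processes, and readable for both. */
int same_ns(pid_t a, pid_t b, const char *type) {
    unsigned long ia = ns_id(a, type), ib = ns_id(b, type);
    return ia != 0 && ia == ib;
}

/* What "nsenter -t <pid> -n" does: open the handle and setns() into it.
   Returns 0 or -errno; needs CAP_SYS_ADMIN in the user namespace that
   owns the target, so an unprivileged caller gets -EPERM. */
int enter_ns(pid_t pid, const char *type) {
    char path[64];
    ns_path(path, sizeof path, pid, type);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -errno;
    int rc = setns(fd, 0) == 0 ? 0 : -errno;   /* nstype 0: accept whatever the fd is */
    close(fd);
    return rc;
}

int main(void) {
    const char *types[] = { "mnt", "net", "pid", "user", "uts", "ipc", "cgroup", "time" };
    for (size_t i = 0; i < sizeof types / sizeof *types; i++)
        printf("%-7s %lu\n", types[i], ns_id(0, types[i]));
    /* Comparing against PID 1 is meaningful from the host; inside a container
       PID 1 is the container's own init, and the read may be denied anyway. */
    printf("same net namespace as PID 1: %s\n", same_ns(0, 1, "net") ? "yes" : "no / unreadable");
    return 0;
}
```

ns_id() returning 0 for "time" simply means the kernel predates 5.6; a 0 for another process means you lack ptrace access to it, not that it has no namespace.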

To enter an existing namespace of another process, use nsenter, which opens the handle under /proc/<pid>/ns/ and calls setns() before exec; it needs CAP_SYS_ADMIN in the user namespace that owns the target:

bash
sudo nsenter -t <pid> -n -p ip addr   # run ip addr in the net+pid ns of process <pid> (-n: net, -p: pid)

Connection to Docker

When you run docker run image, Docker (through containerd and runc):

  1. clones the process with new mnt, net, pid, uts and ipc namespaces (plus a cgroup namespace on cgroup v2 hosts). A user namespace is only added with userns-remap or in rootless mode, so by default root inside the container is uid 0 on the host kernel, held back by a reduced capability set and a seccomp profile rather than by a different uid
  2. creates a veth pair, attaches one end to a bridge on the host (docker0 by default) and moves the other end into the new net namespace
  3. mounts an overlay filesystem and makes it the process root
  4. places the process in a cgroup for resource limits
  5. execs the image's entrypoint

That is all. There is no VM and no hypervisor here. The isolation comes from namespaces plus cgroups, with seccomp and capability dropping narrowing what the shared kernel will do for the process. A kernel bug reachable through that surface is shared with the host, which is the gap runsc and kata exist to close (see runc-and-runsc).
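The creation paths and the Docker sequence above reduced to the syscalls, as an added example (my code, not Docker's or runc's): a process creates user, mount, uts, ipc, net and pid namespaces with one unshare() call, maps itself to root inside, and its next child becomes PID 1 of the sandbox and checks what it sees. Because the user namespace comes first, it runs without root; the veth pair, overlay root and cgroup placement from the Docker list need host privileges and are left out. mini_container() and sandboxed_checks() are my names; where unprivileged user namespaces are disabled or seccomp blocks unshare, the function reports that as a negative errno instead of failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

int unshare(int flags);     /* prototype in case <sched.h> was seen before _GNU_SOURCE */
#ifndef CLONE_NEWUSER       /* same values as <linux/sched.h>; used only if <sched.h> hid them */
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWUTS  0x04000000
#define CLONE_NEWIPC  0x08000000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
#define CLONE_NEWNET  0x40000000
#endif

/* Exit status of the sandboxed process: 0 = all properties held, 1..9 = that
   check failed, 100+errno = the kernel refused a setup step (unprivileged
   user namespaces disabled, seccomp, /proc unreadable, ...). */
enum { SETUP_FAILED = 100 };

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -errno;
    int rc = write(fd, text, strlen(text)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* Link text of our own handle, e.g. "net:[4026531992]"; returns 0 or -errno. */
static int ns_link(const char *type, char *out, size_t len) {
    char path[32];
    snprintf(path, sizeof path, "/proc/self/ns/%s", type);
    ssize_t n = readlink(path, out, len - 1);
    if (n < 0) return -errno;
    out[n] = '\0';
    return 0;
}

/* Runs as PID 1 of the new pid namespace and verifies the view it gets. */
static int sandboxed_checks(const char *hostname, const char *outer_net) {
    char buf[64];
    int rc;
    if (getpid() != 1) return 1;                   /* pid ns: first process is PID 1 */
    if (getppid() != 0) return 2;                  /* parent is outside the ns: no pid here */
    if (geteuid() != 0) return 3;                  /* user ns: root inside, our real uid outside */
    if (sethostname(hostname, strlen(hostname)) < 0) return SETUP_FAILED + errno;
    if (gethostname(buf, sizeof buf) < 0 || strcmp(buf, hostname) != 0) return 4;  /* uts ns */
    if ((rc = ns_link("net", buf, sizeof buf)) < 0) return SETUP_FAILED - rc;
    if (strcmp(buf, outer_net) == 0) return 5;     /* net ns: handle differs from outside */
    return 0;
}

/* 0: sandbox came up and every check passed; >0: number of the check that
   failed; <0: -errno, the environment would not create the namespaces. */
int mini_container(const char *hostname) {
    uid_t outer_uid = geteuid();
    gid_t outer_gid = getegid();
    pid_t pid = fork();
    if (pid < 0) return -errno;
    if (pid == 0) {
        char outer_net[64], map[64];
        int rc;
        if ((rc = ns_link("net", outer_net, sizeof outer_net)) < 0) _exit(SETUP_FAILED - rc);
        /* Step 1: the namespaces. CLONE_NEWUSER in the same call is what
           makes the other five legal without CAP_SYS_ADMIN on the host. */
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC |
                    CLONE_NEWNET | CLONE_NEWPID) < 0)
            _exit(SETUP_FAILED + errno);
        /* Map id 0 inside to our own uid/gid outside. One line mapping the
           writer's own id is the only map an unprivileged process may install,
           and setgroups must be denied before gid_map can be written. */
        if ((rc = write_file("/proc/self/setgroups", "deny")) < 0) _exit(SETUP_FAILED - rc);
        snprintf(map, sizeof map, "0 %u 1\n", (unsigned)outer_uid);
        if ((rc = write_file("/proc/self/uid_map", map)) < 0) _exit(SETUP_FAILED - rc);
        snprintf(map, sizeof map, "0 %u 1\n", (unsigned)outer_gid);
        if ((rc = write_file("/proc/self/gid_map", map)) < 0) _exit(SETUP_FAILED - rc);
        /* unshare(CLONE_NEWPID) only moves the *next* child into the new pid
           namespace, so fork once more. A runtime would exec() the entrypoint
           here (Docker step 5); we run the checks instead. */
        pid_t init = fork();
        if (init < 0) _exit(SETUP_FAILED + errno);
        if (init == 0) _exit(sandboxed_checks(hostname, outer_net));
        int st;
        waitpid(init, &st, 0);
        _exit(WIFEXITED(st) ? WEXITSTATUS(st) : SETUP_FAILED + ECHILD);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -errno;
    int code = WIFEXITED(st) ? WEXITSTATUS(st) : SETUP_FAILED + ECHILD;
    return code >= SETUP_FAILED ? -(code - SETUP_FAILED) : code;
}

int main(void) {
    int r = mini_container("sandbox");
    if (r == 0) puts("sandbox ok: PID 1, uid 0, own hostname, own net namespace");
    else if (r < 0) printf("cannot create namespaces here: %s\n", strerror(-r));
    else printf("isolation check %d did not hold\n", r);
    return r != 0;
}
```

A result of 0 means all five properties held; a negative value is the environment refusing, typically EPERM from a hardened sysctl or from a container's default seccomp profile, which is itself a demonstration of how these primitives get locked down on production hosts. The caller's own hostname is untouched either way, because sethostname() ran in the child's uts namespace.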

§ Commands

bash
ls -l /proc/self/ns/

Every namespace the current process belongs to

bash
sudo ip netns add red && ip netns list

Create a new network namespace and list them all

bash
sudo ip netns exec red ip addr

Run a command inside the named network namespace

bash
sudo unshare --net --uts -- bash

Start bash in fresh net+uts namespaces

bash
sudo nsenter -t 1234 -a

Enter ALL namespaces of process 1234 (-a: all)

§ See also

  • process-and-pid: Process and PID. A process is a running program with its own PID, memory, open descriptors, and UID. Every process forms a tree rooted at init (PID 1).
  • cgroups: cgroups (v2). cgroups v2 is a hierarchical virtual FS under `/sys/fs/cgroup` that the kernel uses to limit CPU, memory, and I/O for processes. Docker, k8s, and systemd write here.
  • veth-pair: veth pair. A veth pair is two linked virtual Ethernet interfaces. Whatever enters one end exits the other. It is the basic building block of all Linux container networks.
  • runc-and-runsc: runc, runsc, kata: container runtimes. runc is the standard OCI runtime: namespaces+cgroups+seccomp. runsc/gVisor is a userspace kernel for extra isolation. kata is a lightweight VM per container. Performance and isolation trade off against each other.

§ Mentioned in lessons

  • advanced-01-namespaces
  • beginner-06-users-and-groups