In a previous article, I introduced the abstract concept of containers, and how these are built from namespaces and cgroups. The following series of articles looks at these capabilities in a little more detail, starting with namespaces.

A namespace is effectively a means of isolating a set of names or identifiers, and is very familiar to software developers, as the concept is widely used, either explicitly or implicitly, in many different programming languages. Linux namespaces isolate processes, so that different processes have a different view of various system resources, according to the namespaces they belong to.

Since the first namespace arrived in the Linux kernel in version 2.4.19 in 2002, as many as ten different namespaces have been proposed, but to date just six have made it into the mainstream kernel. The namespaces that have been implemented are the MNT namespace, the UTS namespace, the PID namespace, the NET namespace, the IPC namespace, and the USER namespace. Those missing from the original list are the security namespace, the security keys namespace, the device namespace, and the time namespace.

The following table shows when each namespace arrived in the mainstream Linux kernel:

NamespaceClone FlagKernelYear
MNTCLONE_NEWNS2.4.192002
UTSCLONE_NEWUTS2.6.192006
PIDCLONE_NEWPID2.6.242008
NETCLONE_NEWNET2.6.29*2009
IPCCLONE_NEWIPC2.6.30*2009
USERCLONE_NEWUSER3.8*2013

* Started in earlier kernel versions, and completed in the version stated

So, how do you place processes into namespaces? This is achieved with three different system calls: clone, unshare and setns.

The clone system call is a general purpose function for creating a new process ('child') based on the calling process' ('parent') context, which can be modified based on the flags passed, and can be used to specify a new namespace(s) in which the child is to exist.

The unshare system call is also a general purpose function, which can be used by a calling process to disassociate its shared context from other processes, and for our interest, place itself in a new namespace(s). In essence, the clone system call creates a new process, whereas the unshare system call doesn't.

Finally, the setns system call allows a calling process to join a different, existing namespace, by specifying a file descriptor that relates to the namespace in question.

The next article looks at the PID namespace in more detail, and how the clone system call is used to create a new PID namespace.