The container abstraction has made a big impact on the world of software development, offering a method for streamlined feature delivery. You don’t necessarily need to know about the inner workings of containers in order to use them, but it helps when it comes to getting the best from them.
In a series of articles I’ll be exploring one of the Linux kernel features that make containers possible: namespaces. Linux namespaces provide the isolation features that are so important to the container abstraction. The series covers the different namespaces in turn, but starts with a general introduction:
Introducing Namespaces (this article)
A Basic Container (putting it all together)
A namespace is effectively a means of isolating a set of names or identifiers, and is very familiar to software developers, as the concept is widely used, either explicitly or implicitly, in many different programming languages. Linux namespaces isolate processes, so that different processes have a different view of various system resources, according to the namespaces they belong to.
Since the first namespace arrived in the Linux kernel in version 2.4.19 in 2002, as many as ten different namespaces have been proposed, but to date just six¹ have made it into the mainstream kernel. The namespaces that have been implemented are the Mount namespace, the UTS namespace, the PID namespace, the Network namespace, the IPC namespace, and the User namespace. Those missing from the original list are the security namespace, the security keys namespace, the device namespace, and the time namespace.
The following table shows when each namespace arrived in the mainstream Linux kernel:
So, how do you place processes into namespaces? This is achieved with three different Linux system calls:
The clone system call is a general purpose function for creating a new process (‘child’) based on the calling process’s (‘parent’) context, which can be modified based on the flags passed, and can be used to specify a new namespace (or namespaces) in which the child is to exist.
The unshare system call is also a general purpose function, which can be used by a calling process to disassociate its shared context from other processes and, for our interest, place itself in a new namespace (or namespaces). In essence, the clone system call creates a new process, whereas the unshare system call doesn’t.
The setns system call allows a calling process to join a different, existing namespace, by specifying a file descriptor that relates to the namespace in question.
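The three calls side by side, as an added C example that is not code from the original article. It assumes a Linux host with /proc mounted and uses the UTS namespace (the one that scopes the hostname) because its effect is easy to observe: a clone()d child renames its host without the parent noticing, a fork()ed child moves itself into a fresh UTS namespace with unshare(), and a second child joins that namespace with setns() through the file descriptor of /proc/<pid>/ns/uts. The hostname "ns-demo-host", the 1/0/-1 result codes and the ns_id helper (which reads the namespace inode that /proc/<pid>/ns/<type> points at) are this example's own conventions. Creating or joining a namespace needs CAP_SYS_ADMIN, so an unprivileged run reports 0 from each demo rather than failing outright; that refusal is the kernel's capability check, not a bug.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Prototypes repeated here so the file still builds if sched.h was included
 * before _GNU_SOURCE took effect; they match the glibc/musl declarations. */
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);
int unshare(int flags);
int setns(int fd, int nstype);
#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS 0x04000000
#endif

#define STACK_SIZE (1024 * 1024)
#define DEMO_HOST  "ns-demo-host"   /* constructed hostname, only ever set inside a new namespace */

/* Result convention for the demos: 1 = the namespace operation worked and behaved as
 * described, 0 = the kernel refused it (no CAP_SYS_ADMIN, seccomp filter, namespaces
 * disabled), -1 = something unrelated went wrong. */
static int refused(int err)
{
    return (err == EPERM || err == EACCES || err == EINVAL || err == ENOSYS) ? 0 : -1;
}

/* Identity of the <type> namespace that <pid> belongs to. /proc/<pid>/ns/<type> is a
 * symlink such as "uts:[4026531838]"; stat() follows it and st_ino is that number, so
 * two processes share a namespace iff the values are equal. Returns 0 on error. */
unsigned long ns_id(pid_t pid, const char *type)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, type);
    return stat(path, &st) == 0 ? (unsigned long)st.st_ino : 0;
}

/* Entry point of the clone()d child: it runs inside whatever namespaces the clone
 * flags asked for, so a hostname change here is invisible to the parent. */
static int clone_child(void *arg)
{
    (void)arg;
    return sethostname(DEMO_HOST, strlen(DEMO_HOST)) == 0 ? 0 : 1;
}

/* 1. clone(): create a child process directly in a NEW UTS namespace. */
int demo_clone_newuts(void)
{
    char before[256], after[256];
    char *stack = malloc(STACK_SIZE);
    if (!stack) return -1;
    if (gethostname(before, sizeof before) != 0) { free(stack); return -1; }
    pid_t child = clone(clone_child, stack + STACK_SIZE,   /* stack grows downwards */
                        CLONE_NEWUTS | SIGCHLD, NULL);
    int err = errno, status = 0;
    if (child != -1) waitpid(child, &status, 0);
    free(stack);
    if (child == -1) return refused(err);
    if (gethostname(after, sizeof after) != 0) return -1;
    /* the child renamed its host, yet the parent's view of the hostname is unchanged */
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0
            && strcmp(before, after) == 0) ? 1 : -1;
}

/* 2 + 3. unshare() then setns(): child A moves ITSELF into a new UTS namespace and
 * renames its host; child B then JOINS A's namespace via /proc/<A>/ns/uts and checks
 * that it now sees A's hostname. Same result codes as demo_clone_newuts(). */
int demo_unshare_and_setns(void)
{
    int ready[2], result[2], rc = -1;
    if (pipe(ready) != 0 || pipe(result) != 0) return -1;

    pid_t a = fork();
    if (a == -1) return -1;
    if (a == 0) {                                   /* child A: unshare() */
        int r = (unshare(CLONE_NEWUTS) == 0
                 && sethostname(DEMO_HOST, strlen(DEMO_HOST)) == 0) ? 1 : refused(errno);
        if (write(ready[1], &r, sizeof r) != (ssize_t)sizeof r) _exit(1);
        pause();                                    /* stay alive until B has joined */
        _exit(0);
    }
    if (read(ready[0], &rc, sizeof rc) != (ssize_t)sizeof rc) rc = -1;
    if (rc == 1) {                                  /* A now owns a fresh UTS namespace */
        pid_t b = fork();
        if (b == 0) {                               /* child B: setns() into A's namespace */
            char path[64], host[256] = "";
            snprintf(path, sizeof path, "/proc/%d/ns/uts", (int)a);
            int fd = open(path, O_RDONLY);
            int r = (fd >= 0 && setns(fd, CLONE_NEWUTS) == 0
                     && gethostname(host, sizeof host) == 0) ? 1 : refused(errno);
            if (r == 1 && strcmp(host, DEMO_HOST) != 0) r = -1;   /* joined, but not A's view */
            if (write(result[1], &r, sizeof r) != (ssize_t)sizeof r) _exit(1);
            _exit(0);
        }
        int r = -1;
        if (b == -1 || read(result[0], &r, sizeof r) != (ssize_t)sizeof r) r = -1;
        rc = r;
        if (b != -1) waitpid(b, NULL, 0);
    }
    kill(a, SIGKILL);                               /* release A from pause() */
    waitpid(a, NULL, 0);
    close(ready[0]); close(ready[1]); close(result[0]); close(result[1]);
    return rc;
}

int main(void)
{
    printf("this process, uts namespace id: %lu\n", ns_id(getpid(), "uts"));
    printf("clone(CLONE_NEWUTS):            %d\n", demo_clone_newuts());
    printf("unshare() + setns():            %d\n", demo_unshare_and_setns());
    return 0;
}
```

Build with cc and run once as a normal user and once as root (or with CAP_SYS_ADMIN): the first run prints 0 for both demos, the second prints 1, and in neither case does the real hostname change, because every sethostname() happens inside a namespace the parent never entered. The ns_id value is also what `ls -l /proc/<pid>/ns` shows, and comparing it between a container process and the host is the quickest way to confirm which namespaces a container runtime actually created.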
The next article looks at the PID namespace in more detail, and how the clone system call is used to create a new PID namespace.