The container abstraction has made a big entry into the world of software development, offering a method for streamlined feature delivery. You don’t necessarily need to know about the inner workings of containers in order to use them, but it can help when it comes to getting the best from them.

In a series of articles I’ll be exploring one of the Linux kernel features that make containers possible; namespaces. Linux namespaces provide the isolation features that are so important to the container abstraction. The series uncovers the different namespaces in turn, but starts with a general intro:

A namespace is effectively a means of isolating a set of names or identifiers, and is very familiar to software developers, as the concept is widely used, either explicitly or implicitly, in many different programming languages. Linux namespaces isolate processes, so that different processes have a different view of various system resources, according to the namespaces they belong to.

Since the first namespace arrived in the Linux kernel in version 2.4.19 in 2002, as many as ten different namespaces have been proposed, but to date just six1 have made it into the mainstream kernel. The namespaces that have been implemented are the Mount namespace, the UTS namespace, the PID namespace, the Network namespace, the IPC namespace, and the User namespace. Those missing from the original list are the security namespace, the security keys namespace, the device namespace, and the time namespace.

The following table shows when each namespace arrived in the mainstream Linux kernel:

Namespace Clone Flag Kernel Year
Mount CLONE_NEWNS 2.4.19 2002
UTS CLONE_NEWUTS 2.6.19 2006
PID CLONE_NEWPID 2.6.24 2008
Network CLONE_NEWNET 2.6.29 2009
IPC CLONE_NEWIPC 2.6.30 2009
User CLONE_NEWUSER 3.8 2013

So, how do you place processes into namespaces? This is achieved with three different Linux system calls: clone, unshare and setns.

The clone system call is a general purpose function for creating a new process (‘child’) based on the calling process’ (‘parent’) context, which can be modified based on the flags passed, and can be used to specify a new namespace(s) in which the child is to exist.

The unshare system call is also a general purpose function, which can be used by a calling process to disassociate its shared context from other processes, and for our interest, place itself in a new namespace(s). In essence, the clone system call creates a new process, whereas the unshare system call doesn’t.

Finally, the setns system call allows a calling process to join a different, existing namespace, by specifying a file descriptor that relates to the namespace in question.

The next article looks at the PID namespace in more detail, and how the clone system call is used to create a new PID namespace.

  1. Update 2020-10-21; the Linux kernel now carries a Cgroup and Time namespace. ↩︎