Namespace
A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.
We can use various system calls to create a new namespace or to join an existing one.
The clone(2) system call creates a new process. If the flags argument of the call specifies one or more of the CLONE_NEW* flags listed below, then new namespaces are created for each flag, and the child process is made a member of those namespaces.
The kernel assigns each process a symbolic link per namespace kind in /proc/<pid>/ns/. Since Linux 3.8, these files appear as symbolic links.
If two processes are in the same namespace, then the device IDs and inode numbers of their /proc/<pid>/ns/xxx symbolic links will be the same. We can check this using the stat.st_dev and stat.st_ino fields returned by stat(2).
We can use readlink to read the content of the symbolic link:
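The two checks described above (reading the link with readlink and comparing stat.st_dev and stat.st_ino), as an added C example that is not part of the original page. The helper names ns_readlink and same_namespace are made up here, and the comparison against PID 1 in main is only an illustration; it reports -1 when the caller is not permitted to inspect that process.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define NS_PATH_LEN 64   /* "/proc/<pid>/ns/<kind>" fits comfortably */

/* Build /proc/<pid>/ns/<kind>; returns 0, or -1 if it would be truncated. */
static int ns_path(char *buf, size_t len, pid_t pid, const char *kind)
{
    int n = snprintf(buf, len, "/proc/%ld/ns/%s", (long)pid, kind);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* readlink(2): copy the link text, e.g. "pid:[4026531836]", into out. */
int ns_readlink(pid_t pid, const char *kind, char *out, size_t len)
{
    char path[NS_PATH_LEN];
    if (len == 0 || ns_path(path, sizeof path, pid, kind) < 0)
        return -1;
    ssize_t n = readlink(path, out, len - 1);
    if (n < 0)
        return -1;
    out[n] = '\0';                 /* readlink() does not NUL-terminate */
    return 0;
}

/* stat(2) follows the link: 1 = same namespace, 0 = different, -1 = error
 * (no such process or kind, or no permission to inspect the other process). */
int same_namespace(pid_t a, pid_t b, const char *kind)
{
    char pa[NS_PATH_LEN], pb[NS_PATH_LEN];
    struct stat sa, sb;
    if (ns_path(pa, sizeof pa, a, kind) < 0 || ns_path(pb, sizeof pb, b, kind) < 0)
        return -1;
    if (stat(pa, &sa) < 0 || stat(pb, &sb) < 0)
        return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

int main(void)
{
    static const char *kinds[] = { "cgroup", "ipc", "mnt", "net", "pid", "time", "user", "uts" };
    for (size_t i = 0; i < sizeof kinds / sizeof kinds[0]; i++) {
        char link[64];
        if (ns_readlink(getpid(), kinds[i], link, sizeof link) < 0)
            continue;              /* kind not supported by this kernel */
        printf("%-7s %-22s same as PID 1: %d\n", kinds[i], link,
               same_namespace(getpid(), 1, kinds[i]));
    }
    return 0;
}
```

A result of 0 for a process compared with PID 1 means it runs in a different namespace of that kind, which is what a containerised process typically shows.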
| Namespace | Flag | Page | Isolates |
|---|---|---|---|
| Cgroup | CLONE_NEWCGROUP | cgroup_namespaces | Cgroup root directory |
| IPC | CLONE_NEWIPC | ipc_namespaces | System V IPC, POSIX message queues |
| Network | CLONE_NEWNET | network_namespaces | Network devices, stacks, ports, etc. |
| Mount | CLONE_NEWNS | mount_namespaces | Mount points |
| PID | CLONE_NEWPID | pid_namespaces | Process IDs |
| Time | CLONE_NEWTIME | time_namespaces | Boot and monotonic clocks |
| User | CLONE_NEWUSER | user_namespaces | User and group IDs |
| UTS | CLONE_NEWUTS | uts_namespaces | Hostname and NIS domain name |