Namespace

Overview

A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.

API

System Calls

Various system calls create a new namespace or join an existing one.

The clone(2) system call creates a new process.

If the flags argument of the call specifies one or more of the CLONE_NEW* flags listed below, a new namespace is created for each flag and the child process is made a member of those namespaces.

The `proc` Filesystem

Each process has a /proc/<PID>/ns/ directory containing one entry per namespace kind. Since Linux 3.8, these entries appear as symbolic links.

If two processes are in the same namespace, the device IDs and inode numbers of their /proc/<pid>/ns/xxx symbolic links will be the same. We can check this by comparing the st_dev and st_ino fields of the stat structure returned by stat(2).

We can use readlink to read the content of the symbolic link:

$ readlink /proc/$$/ns/uts
uts:[4026531838]
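An added example (not part of the original page) that ties the two APIs together: a child is created with clone(2) using CLONE_NEWUSER | CLONE_NEWUTS, and both processes read their /proc/<PID>/ns/uts link with readlink(2) and compare st_dev/st_ino with stat(2). It assumes a Linux host on which unprivileged user namespaces are enabled; the function names are my own.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read the "kind:[inode]" text behind /proc/<pid>/ns/<kind>. Returns length or -1. */
ssize_t read_ns_link(pid_t pid, const char *kind, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/ns/%s", (long)pid, kind);
    ssize_t n = readlink(path, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* 1 if both processes share the <kind> namespace, 0 if not, -1 if a /proc
   entry cannot be stat'ed (e.g. we lack ptrace-read access to that process). */
int same_namespace(pid_t a, pid_t b, const char *kind)
{
    char pa[64], pb[64];
    struct stat sa, sb;
    snprintf(pa, sizeof pa, "/proc/%ld/ns/%s", (long)a, kind);
    snprintf(pb, sizeof pb, "/proc/%ld/ns/%s", (long)b, kind);
    if (stat(pa, &sa) == -1 || stat(pb, &sb) == -1)
        return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Runs in the child; the parent is blocked in waitpid(), so its /proc entry is stable. */
static int child(void *arg)
{
    char link[64];
    (void)arg;
    read_ns_link(getpid(), "uts", link, sizeof link);
    printf("child  uts namespace: %s\n", link);
    printf("same uts namespace as parent? %d\n", same_namespace(getpid(), getppid(), "uts"));
    return 0;
}

int main(void)
{
    static char stack[64 * 1024];   /* the stack grows down, so pass its top to clone() */
    char link[64];
    read_ns_link(getpid(), "uts", link, sizeof link);
    printf("parent uts namespace: %s\n", link);
    /* CLONE_NEWUSER lets an unprivileged process create the new UTS namespace */
    pid_t pid = clone(child, stack + sizeof stack, CLONE_NEWUSER | CLONE_NEWUTS | SIGCHLD, NULL);
    if (pid == -1) { perror("clone"); return 1; }
    waitpid(pid, NULL, 0);
    return 0;
}
```

Expect the child's uts:[...] inode to differ from the parent's and the comparison to print 0; if clone fails with EPERM, unprivileged user namespaces are disabled on that host.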

Namespace Types

Type      Flag used in APIs   Man page             Isolates
Cgroup    CLONE_NEWCGROUP     cgroup_namespaces    Cgroup root directory
IPC       CLONE_NEWIPC        ipc_namespaces       System V IPC, POSIX message queues
Network   CLONE_NEWNET        network_namespaces   Network devices, stacks, ports, etc.
Mount     CLONE_NEWNS         mount_namespaces     Mount points
PID       CLONE_NEWPID        pid_namespaces       Process IDs
Time      CLONE_NEWTIME       time_namespaces      Boot and monotonic clocks
User      CLONE_NEWUSER       user_namespaces      User and group IDs
UTS       CLONE_NEWUTS        uts_namespaces       Hostname and NIS domain name
