What is a Namespace

A namespace is a Linux kernel feature that isolates a process's view of a specific system resource. A process in its own PID namespace sees only its own process tree. A process in its own network namespace has its own IP addresses and routing table. The host kernel manages everything, but each namespace sees only its slice.

How it works

Linux provides seven namespace types in everyday use: PID (process IDs; the first process in a new one sees itself as PID 1), network (interfaces, addresses, routing tables, firewall rules, sockets), mount (the table of mounted filesystems), user (UID and GID mappings, and with them the capability sets), UTS (hostname and NIS domain name), IPC (System V IPC objects and POSIX message queues), and cgroup (which part of the cgroup hierarchy the process sees as its root). An eighth, the time namespace (per-namespace offsets for CLOCK_MONOTONIC and CLOCK_BOOTTIME), was added in Linux 5.6 and is not created by default by common container runtimes.

Three syscalls manage namespaces. clone() creates a child process that starts life in new namespaces selected by CLONE_NEW* flags (how a container's init process is started). unshare() moves the calling process into new namespaces, with one caveat: unshare(CLONE_NEWPID) affects only the caller's future children, because a running process cannot change its own PID namespace. setns() attaches the calling process to an existing namespace through a file descriptor opened on /proc/<pid>/ns/<type> (how docker exec and nsenter work). Creating any namespace other than a user namespace requires CAP_SYS_ADMIN, but an unprivileged process may create a user namespace and, holding full capabilities inside it, create the other types alongside it. That is the basis of rootless containers, and also why disabling unprivileged user namespaces is a common hardening step.
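The clone() path from the paragraph above, as an added example that is not code from this page: the parent creates a child in new user, PID and UTS namespaces with no host privilege, maps root inside the user namespace to its own unprivileged UID and GID, and the child reports that it sees itself as PID 1 and can set a hostname that the parent never sees. The hostname "ns-demo", the pipe-based handshake and the function names are this example's own choices; the error handling distinguishes a kernel or sandbox that forbids unprivileged namespace creation from a real failure.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/utsname.h>
#include <sys/wait.h>

#define STACK_SIZE (1024 * 1024)
static const char DEMO_HOSTNAME[] = "ns-demo";   /* name chosen for this example */

struct child_report { int err; pid_t pid_inside; char hostname[65]; };
struct child_args { int sync_fd; int report_fd; };

/* Runs inside the new user, PID and UTS namespaces. */
static int child_fn(void *arg) {
    struct child_args *a = arg;
    struct child_report r = {0};
    char go;
    /* Block until the parent has written our uid/gid maps. */
    if (read(a->sync_fd, &go, 1) != 1) _exit(1);
    /* Needs CAP_SYS_ADMIN over the UTS namespace; we hold it because the new
     * user namespace owns that UTS namespace, no host privilege involved. */
    if (sethostname(DEMO_HOSTNAME, strlen(DEMO_HOSTNAME)) != 0) r.err = errno;
    struct utsname u;
    if (uname(&u) == 0) snprintf(r.hostname, sizeof r.hostname, "%s", u.nodename);
    r.pid_inside = getpid();                 /* 1: we are init of the new PID namespace */
    if (write(a->report_fd, &r, sizeof r) != (ssize_t)sizeof r) _exit(2);
    return 0;
}

static int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(text, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Map UID/GID 0 inside the child's user namespace to our own IDs outside it;
 * "deny" in setgroups is required before an unprivileged process may write gid_map. */
static int map_ids(pid_t child) {
    char path[64], line[64];
    snprintf(path, sizeof path, "/proc/%d/setgroups", (int)child);
    if (write_file(path, "deny") != 0) return -1;
    snprintf(path, sizeof path, "/proc/%d/uid_map", (int)child);
    snprintf(line, sizeof line, "0 %d 1", (int)getuid());
    if (write_file(path, line) != 0) return -1;
    snprintf(path, sizeof path, "/proc/%d/gid_map", (int)child);
    snprintf(line, sizeof line, "0 %d 1", (int)getgid());
    return write_file(path, line);
}

/* Returns 1 when the child reported PID 1 and the new hostname while our own hostname
 * stayed unchanged, 0 when this kernel or sandbox refuses unprivileged namespace
 * creation (EPERM, ENOSYS, kernel built without namespace support, ...), -1 otherwise. */
int run_namespace_demo(void) {
    int sync_pipe[2], report_pipe[2];
    signal(SIGPIPE, SIG_IGN);
    if (pipe(sync_pipe) != 0 || pipe(report_pipe) != 0) return -1;
    struct child_args a = { sync_pipe[0], report_pipe[1] };
    char *stack = malloc(STACK_SIZE);
    if (!stack) return -1;
    /* clone() starts the child directly inside the new namespaces; the user namespace
     * is what lets an unprivileged caller create the PID and UTS ones. */
    pid_t child = clone(child_fn, stack + STACK_SIZE, /* stack grows down */
                        CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD, &a);
    if (child < 0) {
        int e = errno;
        free(stack);
        return (e == EPERM || e == EACCES || e == ENOSYS || e == EINVAL ||
                e == ENOSPC || e == EUSERS) ? 0 : -1;
    }
    close(sync_pipe[0]); close(report_pipe[1]);
    int mapped = map_ids(child);
    if (write(sync_pipe[1], "x", 1) != 1) mapped = -1;   /* release the child */
    close(sync_pipe[1]);
    struct child_report r = {0};
    ssize_t n = read(report_pipe[0], &r, sizeof r);
    close(report_pipe[0]);
    int status;
    waitpid(child, &status, 0);
    free(stack);
    if (mapped != 0 || n != (ssize_t)sizeof r) return -1;
    if (r.err != 0) return r.err == EPERM ? 0 : -1;
    struct utsname mine;
    if (uname(&mine) != 0) return -1;
    /* Host view: `child` is an ordinary PID and our hostname is untouched.
     * Child's view: PID 1 and hostname ns-demo. */
    return (r.pid_inside == 1 && strcmp(r.hostname, DEMO_HOSTNAME) == 0 &&
            strcmp(mine.nodename, DEMO_HOSTNAME) != 0) ? 1 : -1;
}

int main(void) {
    int rc = run_namespace_demo();
    puts(rc == 1 ? "child saw PID 1 and hostname ns-demo; parent hostname unchanged"
       : rc == 0 ? "unprivileged namespace creation is not permitted here"
       : "unexpected failure");
    return rc < 0;
}
```

Run it as an ordinary user: on a stock kernel it reports success, and on a host where unprivileged user namespaces are disabled, or inside a container whose seccomp profile blocks clone() with CLONE_NEW* flags, it reports that the creation was refused rather than failing; that refusal is exactly the hardening mentioned above.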

A typical container gets its own PID, network, mount, UTS and IPC namespaces, and on cgroup v2 hosts a cgroup namespace as well. User namespaces are the notable exception: Docker does not enable them by default (userns-remap is opt-in), so UID 0 inside such a container is UID 0 on the host, held in check only by the capability set, seccomp profile and LSM policy the runtime applies. The combination gives the container the appearance of running on its own machine, with its own PID 1, its own IP address, its own root filesystem and its own hostname, while sharing the host kernel.

Why it matters

Namespaces are the visibility half of container isolation: they decide what a process can see and name. The enforcement half comes from cgroups (how much CPU, memory and I/O a container may consume) and from capabilities, seccomp filters and LSM policy (what it may ask the shared kernel to do). Without namespaces, containers would just be regular processes that can see everything on the host. Understanding namespaces explains why containers start in milliseconds (no OS boot), why they share the host kernel (unlike VMs), and why container escapes are possible: a kernel bug reachable from inside the container, or a runtime configuration that hands the container a host namespace (--pid=host, --net=host) or leaves it running as host root with no user namespace, puts host resources directly within reach.
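A check a practitioner wants at this point: from inside a container, am I still in one of the host's namespaces? The kernel hard-codes the inode numbers of the initial IPC, UTS, user, PID and cgroup namespaces (include/linux/proc_ns.h), so readlink on /proc/self/ns/<type> answers for those five without any privilege; mount and network namespaces get dynamically allocated inodes and have to be compared against a reference process instead. The program below is an added example, not code from this page; the function names are its own, and the link strings in the comments are constructed samples.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Inode numbers the kernel assigns to the initial (host) namespaces; the net and
 * mnt namespaces have no fixed value and are deliberately absent from this table. */
struct init_ns { const char *type; unsigned long ino; };
static const struct init_ns INIT_NS[] = {
    { "ipc",    0xEFFFFFFFul },   /* 4026531839 */
    { "uts",    0xEFFFFFFEul },   /* 4026531838 */
    { "user",   0xEFFFFFFDul },   /* 4026531837 */
    { "pid",    0xEFFFFFFCul },   /* 4026531836 */
    { "cgroup", 0xEFFFFFFBul },   /* 4026531835 */
};
#define N_INIT_NS (sizeof INIT_NS / sizeof INIT_NS[0])

/* Parse the target of a /proc/<pid>/ns/<type> symlink, e.g. "pid:[4026531836]".
 * Returns 0 and fills type/ino on success, -1 if the text is not in that form. */
int parse_ns_link(const char *link, char *type, size_t typelen, unsigned long *ino) {
    const char *colon = strchr(link, ':');
    if (!colon || colon == link || colon[1] != '[') return -1;
    size_t n = (size_t)(colon - link);
    if (n >= typelen) return -1;
    memcpy(type, link, n);
    type[n] = '\0';
    char *end = NULL;
    unsigned long v = strtoul(colon + 2, &end, 10);
    if (end == colon + 2 || *end != ']' || end[1] != '\0') return -1;
    *ino = v;
    return 0;
}

/* 1 if a link such as "pid:[4026531836]" names the kernel's initial namespace of its
 * type, 0 if it is a private namespace, -1 if the type has no fixed initial inode
 * (net, mnt, time) or the link is malformed. */
int is_initial_namespace(const char *link) {
    char type[16];
    unsigned long ino;
    if (parse_ns_link(link, type, sizeof type, &ino) != 0) return -1;
    for (size_t i = 0; i < N_INIT_NS; i++)
        if (strcmp(type, INIT_NS[i].type) == 0) return ino == INIT_NS[i].ino;
    return -1;
}

/* Inode of /proc/<pid>/ns/<type> for a live process ("self" for the caller); 0 when
 * /proc is absent or the caller may not inspect that process. */
unsigned long live_ns_inode(const char *pid, const char *type) {
    char path[64], buf[64], t[16];
    unsigned long ino;
    snprintf(path, sizeof path, "/proc/%s/ns/%s", pid, type);
    ssize_t n = readlink(path, buf, sizeof buf - 1);
    if (n < 0) return 0;
    buf[n] = '\0';
    return parse_ns_link(buf, t, sizeof t, &ino) == 0 ? ino : 0;
}

/* Audit the calling process: a container started with --pid=host, --ipc=host or
 * --uts=host, or without a user namespace, shows "HOST" on the matching line. */
int main(void) {
    for (size_t i = 0; i < N_INIT_NS; i++) {
        unsigned long ino = live_ns_inode("self", INIT_NS[i].type);
        printf("%-7s inode %lu: %s\n", INIT_NS[i].type, ino,
               ino == 0 ? "unreadable"
               : ino == INIT_NS[i].ino ? "HOST (initial) namespace"
               : "private namespace");
    }
    return 0;
}
```

Run it on the host and every line reads HOST; run it in a default Docker container and pid, uts, ipc and cgroup read private while user still reads HOST, which is the missing user namespace described above made visible. For net and mnt, compare live_ns_inode("1", "net") against "self" when you have permission to read PID 1's links.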

See How Namespaces Work for all seven types in detail.