What is a Namespace

A namespace is a Linux kernel feature that isolates a process's view of one specific system resource. The first process created in a new PID namespace sees itself as PID 1, while the host sees it under an ordinary PID. A process in its own network namespace has its own interfaces, IP addresses and routing table. The host kernel still manages everything underneath; the process simply sees only its own slice.

How it works

Linux provides several namespace types, each isolating a different resource:

  • PID namespace — process IDs are numbered per namespace. The container's init process is PID 1 inside and cannot see or signal processes outside its namespace, even though the host sees it under a normal PID.
  • Mount namespace — processes see their own filesystem tree. A container can have a completely different / than the host.
  • Network namespace — processes get their own network interfaces, IP addresses, routing tables, and firewall rules.
  • UTS namespace — processes can have their own hostname.
  • User namespace — processes map UIDs and GIDs differently. A process can be root (UID 0) inside the namespace but an unprivileged user on the host, and the capabilities it holds are scoped to that namespace. Without a user namespace, root inside a container is host root, held back only by dropped capabilities, seccomp and LSM policy.
  • IPC namespace — isolates inter-process communication resources (shared memory, message queues).
  • Cgroup namespace — isolates the view of cgroup hierarchies.

A process enters namespaces through three syscalls:

  • clone() — create a child process in new namespaces, selected with CLONE_NEW* flags (CLONE_NEWPID, CLONE_NEWNET, CLONE_NEWUSER and so on).
  • unshare() — move the calling process into new namespaces. One exception: unshare(CLONE_NEWPID) does not move the caller; its next child becomes PID 1 of the new PID namespace.
  • setns() — join an existing namespace through a file descriptor opened on /proc/<pid>/ns/<type> (this is how docker exec and nsenter work).

Each namespace a process belongs to is exposed as a symlink under /proc/<pid>/ns/, for example pid:[4026531836]. Two processes share a namespace exactly when the inode numbers in those links match, which is the simplest way to check from the host whether a container really has its own PID, network or mount namespace.

Containers are not a single kernel feature. They are the combination of namespaces (for isolation) and cgroups (for resource limits), which production runtimes reinforce with capability dropping, seccomp filters and LSM profiles. Docker, Podman and every other container runtime create a set of namespaces for each container, giving it the appearance of being a separate machine while it shares the host kernel.
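The clone() path described above, as an added example rather than code from the original page: the program creates a user, PID and UTS namespace in one clone() call, maps the caller's real UID to root inside, and records what the child sees (PID 1, UID 0, its own hostname) alongside what the parent sees (an ordinary PID and a different pid namespace link). The names ns_view, run_in_new_namespaces and the hostname "sandbox" are this example's own choices. It also handles the common failure mode where unprivileged user namespaces are disabled or seccomp-filtered, in which case clone() fails with EPERM and the example reports the feature as unavailable instead of crashing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the child reports from inside its new namespaces. Shared through a MAP_SHARED
 * mapping, because clone() without CLONE_VM gives the child a private copy of memory. */
struct ns_view {
    int   supported;     /* 1 if the kernel created the namespaces and accepted the id maps */
    pid_t inner_pid;     /* getpid() inside the new PID namespace: expect 1 */
    uid_t inner_uid;     /* getuid() inside the new user namespace: expect 0 */
    char  hostname[64];  /* hostname inside the new UTS namespace */
    pid_t outer_pid;     /* the same child as the parent sees it */
    int   pidns_differs; /* 1 if /proc/<child>/ns/pid != /proc/self/ns/pid, -1 if unreadable */
};

struct ns_view g_view;        /* filled in by run_in_new_namespaces() (example-specific name) */
static int g_sync_rd = -1;    /* pipe the child blocks on until its uid_map has been written */
#define STACK_SIZE (256 * 1024)

static int child_fn(void *arg)
{
    struct ns_view *v = arg;
    char c;
    /* Until the parent writes uid_map, getuid() here would report the overflow uid (65534). */
    if (read(g_sync_rd, &c, 1) != 1) return 1;
    /* CAP_SYS_ADMIN in the new user namespace is enough to rename the UTS namespace it owns. */
    if (sethostname("sandbox", 7) != 0) return 2;
    v->inner_pid = getpid();
    v->inner_uid = getuid();
    if (gethostname(v->hostname, sizeof v->hostname) != 0) return 3;
    return 0;
}

/* Write one line to /proc/<pid>/<file>; used for setgroups, uid_map and gid_map. */
static int write_proc_file(pid_t pid, const char *file, const char *line)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, file);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n == (ssize_t)strlen(line) ? 0 : -1;
}

/* Compare namespace identity links such as "pid:[4026531836]" for parent and child. */
static int pidns_differs(pid_t child)
{
    char mine[64], theirs[64], path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/pid", (int)child);
    ssize_t a = readlink("/proc/self/ns/pid", mine, sizeof mine - 1);
    ssize_t b = readlink(path, theirs, sizeof theirs - 1);
    if (a < 0 || b < 0) return -1;
    mine[a] = theirs[b] = '\0';
    return strcmp(mine, theirs) != 0;
}

/* Returns 0 when the experiment ran (see g_view.supported), -1 on an unexpected error. */
int run_in_new_namespaces(void)
{
    struct ns_view *v = mmap(NULL, sizeof *v, PROT_READ | PROT_WRITE,
                             MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (v == MAP_FAILED) return -1;
    memset(v, 0, sizeof *v);
    int p[2];
    char *stack = malloc(STACK_SIZE);
    if (pipe(p) != 0 || !stack) { munmap(v, sizeof *v); free(stack); return -1; }
    g_sync_rd = p[0];
    pid_t pid = clone(child_fn, stack + STACK_SIZE,
                      CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD, v);
    int rc = 0, e = errno;
    if (pid < 0) {
        /* EPERM: unprivileged user namespaces disabled or seccomp-filtered; EINVAL/ENOSYS:
         * kernel without namespace support; ENOSPC/EUSERS: namespace limits reached. */
        if (e != EPERM && e != EINVAL && e != ENOSYS && e != ENOSPC && e != EUSERS) rc = -1;
    } else {
        char map[64];
        v->outer_pid = pid;
        v->pidns_differs = pidns_differs(pid);
        /* Map the parent's real uid/gid to 0 inside; setgroups must be denied before gid_map. */
        int ok = write_proc_file(pid, "setgroups", "deny") == 0;
        snprintf(map, sizeof map, "0 %d 1", (int)getuid());
        ok = ok && write_proc_file(pid, "uid_map", map) == 0;
        snprintf(map, sizeof map, "0 %d 1", (int)getgid());
        ok = ok && write_proc_file(pid, "gid_map", map) == 0;
        if (write(p[1], "g", 1) != 1) rc = -1;   /* release the waiting child */
        int status = 0;
        if (waitpid(pid, &status, 0) < 0) rc = -1;
        v->supported = ok && WIFEXITED(status) && WEXITSTATUS(status) == 0;
    }
    close(p[0]); close(p[1]); free(stack);
    g_view = *v;
    munmap(v, sizeof *v);
    return rc;
}

int main(void)
{
    if (run_in_new_namespaces() != 0) { perror("clone"); return 1; }
    if (!g_view.supported) { puts("user namespaces unavailable here"); return 0; }
    printf("host sees pid %d; inside: pid %d uid %u hostname %s; pid ns differs: %d\n",
           (int)g_view.outer_pid, (int)g_view.inner_pid, (unsigned)g_view.inner_uid,
           g_view.hostname, g_view.pidns_differs);
    return 0;
}
```

Build with `gcc -Wall ns_demo.c -o ns_demo` and run as an ordinary user. The interesting part is the uid_map write: the parent, which is unprivileged on the host, grants the child root only within the new user namespace, which is exactly the mapping that keeps "root in the container" from being root on the host.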

Why it matters

Namespaces are the foundation of container isolation. Without them there are no containers, just processes that can see everything. Understanding namespaces demystifies what Docker actually does: it is not a virtual machine, it is a process with restricted vision. Namespaces also explain why containers share the host kernel (unlike VMs), and why container escapes become possible when that isolation is weakened: a container started with Docker's --pid=host or --net=host shares the host's PID or network namespace outright, and a container running as real root without a user namespace is one missing capability drop or kernel bug away from the host.

See How Containers Work for the full picture.