Hubbry Logo
Linux namespacesLinux namespacesMain
Open search
Linux namespaces
Community hub
Linux namespaces
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
Linux namespaces
Linux namespaces
Linux namespaces
View on Wikipedia
from Wikipedia
namespaces
Original authorAl Viro
DevelopersEric W. Biederman, Pavel Emelyanov, Al Viro, Cyrill Gorcunov et al.
Initial release2002; 24 years ago (2002)
Written inC
Operating systemLinux
TypeSystem software
LicenseGPL and LGPL

Namespaces are a feature of the Linux kernel that partition kernel resources such that one set of processes sees one set of resources, while another set of processes sees a different set of resources. The feature works by having the same namespace for a set of resources and processes, but those namespaces refer to distinct resources. Resources may exist in multiple namespaces. Examples of such resources are process IDs, host-names, user IDs, file names, some names associated with network access, and inter-process communication.

Namespaces are a required aspect of functioning containers in Linux. The term "namespace" is often used to denote a specific type of namespace (e.g., process ID) as well as for a particular space of names. [1]

A Linux system begins with a single namespace of each type, used by all processes. Processes can create additional namespaces and can also join different namespaces.

History

[edit]

Linux namespaces were inspired by the wider namespace functionality used heavily throughout Plan 9 from Bell Labs.[2] The Linux Namespaces originated in 2002 in the 2.4.19 kernel with work on the mount namespace kind. Additional namespaces were added beginning in 2006[3] and continuing into the future.

Adequate container support functionality was finished in kernel version 3.8[4][5] with the introduction of User namespaces.[6]

Namespace kinds

[edit]

Since kernel version 5.6, there are 8 kinds of namespaces. Namespace functionality is the same across all kinds: each process is associated with a namespace and can only see or use the resources associated with that namespace, and descendant namespaces where applicable. This way, each process (or process group thereof) can have a unique view on the resources. Which resource is isolated depends on the kind of namespace that has been created for a given process group.

Mount (mnt)

[edit]

Mount namespaces control mount points. Upon creation the mounts from the current mount namespace are copied to the new namespace, but mount points created afterwards do not propagate between namespaces (using shared subtrees, it is possible to propagate mount points between namespaces[7]).

The clone flag used to create a new namespace of this type is CLONE_NEWNS - short for "NEW NameSpace". This term is not descriptive (it does not tell which kind of namespace is to be created) because mount namespaces were the first kind of namespace and designers did not anticipate there being any others.

Process ID (pid)

[edit]

The PID namespace provides processes with an independent set of process IDs (PIDs) from other namespaces. PID namespaces are nested, meaning when a new process is created it will have a PID for each namespace from its current namespace up to the initial PID namespace. Hence, the initial PID namespace is able to see all processes, albeit with different PIDs than other namespaces will see processes with.

The first process created in a PID namespace is assigned the process ID number 1 and receives most of the same special treatment as the normal init process, most notably that orphaned processes within the namespace are attached to it. This also means that the termination of this PID 1 process will immediately terminate all processes in its PID namespace and any descendants.[8]

Network (net)

[edit]

Network namespaces virtualize the network stack. On creation, a network namespace contains only a loopback interface. Each network interface (physical or virtual) is present in exactly 1 namespace and can be moved between namespaces.

Each namespace will have a private set of IP addresses, its own routing table, socket listing, connection tracking table, firewall, and other network-related resources.

Destroying a network namespace destroys any virtual interfaces within it and moves any physical interfaces within it back to the initial network namespace.

Inter-process Communication (ipc)

[edit]

IPC namespaces isolate processes from SysV style inter-process communication. This prevents processes in different IPC namespaces from using, for example, the SHM family of functions to establish a range of shared memory between the two processes. Instead, each process will be able to use the same identifiers for a shared memory region and produce two such distinct regions.

UTS

[edit]

UTS (UNIX Time-Sharing) namespaces allow a single system to appear to have different host and domain names to different processes. When a process creates a new UTS namespace, the hostname and domain of the new UTS namespace are copied from the corresponding values in the caller's UTS namespace.[9]

User ID (user)

[edit]

User namespaces are a feature to provide both privilege isolation and user identification segregation across multiple sets of processes, available since kernel 3.8.[10] With administrative assistance, it is possible to build a container with seeming administrative rights without actually giving elevated privileges to user processes. Like the PID namespace, user namespaces are nested, and each new user namespace is considered to be a child of the user namespace that created it.

A user namespace contains a mapping table converting user IDs from the container's point of view to the system's point of view. This allows, for example, the root user to have user ID 0 in the container but is actually treated as user ID 1,400,000 by the system for ownership checks. A similar table is used for group ID mappings and ownership checks.

Control group (cgroup) Namespace

[edit]

The cgroup namespace type hides the identity of the control group of which the process is a member. A process in such a namespace, checking which control group any process is part of, would see a path that is actually relative to the control group set at creation time, hiding its true control group position and identity. This namespace type has existed since March 2016 in Linux 4.6.[11][12]

Time

[edit]

The time namespace allows processes to see different system times in a way similar to the UTS namespace. It was proposed in 2018 and was released in Linux 5.6, in March 2020.[13]

Proposed namespaces

[edit]

syslog namespace

[edit]

The syslog namespace was proposed by Rui Xiang, an engineer at Huawei, but wasn't merged into the Linux kernel.[14] systemd implemented a similar feature called “journal namespace” in February 2020.[15]

Administrative hierarchy

[edit]

To facilitate privilege isolation of administrative actions, each namespace type is considered owned by a user namespace based on the active user namespace at the moment of creation. A user with administrative privileges in the appropriate user namespace will be allowed to perform administrative actions within that other namespace type. For example, if a process has administrative permission to change the IP address of a network interface, it may do so as long as its own user namespace is the same as (or ancestor of) the user namespace that owns the network namespace. Hence, the initial user namespace has administrative control over all namespace types in the system.[16]

Implementation details

[edit]

Namespaces are represented by virtual file objects within the kernel. An open filedescriptor on such a file may be used to associate a process with the corresponding namespace.

Visibility in /proc

[edit]

The kernel makes the namespaces of each process visible at /proc/pid/ns/kind. Like all non-file resources in /proc, these can be read as symbolic links, yielding kind:[inode_number], or accessed as ordinary files. (These files are unreadable but are useful in other ways. Their inode numbers match the textual numbers yielded by readlink.) These files are in one-to-one correspondence with namespaces in the kernel, so the inode numbers act as unique identifiers.

As of Linux 6.1.0, kind can be any of cgroup, ipc, mnt, net, pid, time, user, uts. Inheritance of some namespaces can be controlled separately from the effective namespace of the process itself, and that is visible as /proc/pid/ns/kind_for_children.

Syscalls

[edit]

Three syscalls can directly manipulate namespaces:

  • clone, with flags to specify which new namespace the new process should be migrated to.
  • unshare, to disassociate parts of a process's or thread's execution context that are currently being shared with other processes (or threads)
  • setns, to place the current process into the namespace specified by a file descriptor.

Destruction

[edit]

If a namespace is no longer referenced, it will be deleted, the handling of the contained resource depends on the namespace kind. A namespace is considered referenced when:

  • it has at least one member process;
  • it has at least one referenced child namespace; or
  • its virtual file (/proc/pid/ns/kind) is in use, including:
    • via an open filedescriptor;
    • being a process' current directory;
    • being a process' root directory; or
    • underpinning a bind mount.

Adoption

[edit]

Various container software use Linux namespaces in combination with cgroups to isolate their processes, including Docker[17] and LXC.

Other applications, such as Google Chrome make use of namespaces to isolate its own processes which are at risk from attack on the internet.[18]

There is also an unshare wrapper in util-linux. An example of its use is: 

SHELL=/bin/sh unshare --map-root-user --fork --pid chroot "${chrootdir}" "$@"

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Linux namespaces

View on Grokipedia
from Grokipedia
Linux namespaces are a feature of the that wrap global system resources in an abstraction, providing processes within a namespace with their own isolated instance of those resources, such that changes made inside the namespace are visible only to processes in that namespace. This isolation mechanism enables lightweight virtualization, particularly for technologies, by partitioning resources like process IDs, network stacks, and mount points without requiring a separate kernel or . Introduced incrementally starting with mount namespaces in 2.4.19 in 2002, namespaces were further developed through contributions from Eric W. Biederman, whose 2006 Linux Symposium paper proposed extending them to multiple global resources for improved server efficiency, application migration, and security isolation. The primary purpose of Linux namespaces is to facilitate , allowing multiple independent environments to run on the same host while sharing the underlying kernel, which enhances resource utilization and security in scenarios like and . Namespaces are created using system calls such as clone(2), unshare(2), or setns(2) with specific CLONE_NEW* flags, and they can be managed via files in /proc/[pid]/ns/, which serve as handles for joining or querying namespaces. Most namespace types require the CAP_SYS_ADMIN capability, though user namespaces have been unprivileged since Linux 3.8. A namespace persists until its last process exits or it is explicitly unpinned, such as by closing associated file descriptors. There are eight main types of Linux namespaces, each isolating a distinct set of kernel resources:
  • Mount namespace (CLONE_NEWNS, since Linux 2.4.19): Isolates filesystem mount points, allowing independent mount tables.
  • UTS namespace (CLONE_NEWUTS, since Linux 2.6.19): Isolates the and NIS .
  • IPC namespace (CLONE_NEWIPC, since Linux 2.6.19): Isolates System V IPC resources and POSIX message queues.
  • PID namespace (CLONE_NEWPID, since Linux 2.6.24): Isolates the process ID number space, making processes appear as (PID 1) in child namespaces.
  • Network namespace (CLONE_NEWNET, since Linux 2.6.24): Isolates network devices, IP addresses, ports, tables, and firewall rules.
  • User namespace (CLONE_NEWUSER, since Linux 3.8): Isolates user and group IDs, enabling unprivileged mapping of inside the namespace.
  • Cgroup namespace (CLONE_NEWCGROUP, since Linux 4.6): Isolates the view of the cgroup and .
  • Time namespace (CLONE_NEWTIME, since Linux 5.6): Isolates the system boot time and monotonic clocks.
These namespaces often work in conjunction with control groups (cgroups) to limit resource usage, forming the foundation for tools like Docker and that implement operating system-level .

Introduction

Definition and Core Concepts

Linux namespaces are a feature that enable the partitioning of kernel resources, allowing processes in different namespaces to perceive isolated views of global system resources such as processes, network interfaces, mount points, and user identifiers. This abstraction wraps a global system resource in a way that makes it appear to processes within the namespace as if they possess their own private instance, thereby confining changes and interactions to within that namespace. By creating multiple instances of these resources, namespaces facilitate resource separation without duplicating the underlying kernel structures. At their core, Linux namespaces operate by associating processes with specific namespace instances, where each type of namespace targets isolation of a particular resource category. Processes can create new namespaces or join existing ones, typically through kernel interfaces that allow for flexible management of these isolated environments. Namespaces exhibit a hierarchical structure in certain cases, where child namespaces inherit properties from parent namespaces unless explicitly configured for isolation, enabling nested or layered isolation schemes. For instance, in a scenario involving , a launched within its own dedicated might perceive itself as process ID 1, viewing only co-namespaced processes and remaining unaware of others on the , which demonstrates the effectiveness of resource view separation. This capability delivers key benefits, including lightweight that supports secure multi-tenancy and application containment with minimal overhead compared to full virtual machines, enhancing by limiting the scope of untrusted code.

Role in Isolation and Virtualization

Linux namespaces play a pivotal role in by wrapping global system resources in per-process abstractions, allowing processes to perceive private instances of these resources while remaining invisible to those outside the . For example, a process in a dedicated mount sees only its own filesystem hierarchy, preventing interference with the host's mounts, and similarly, network namespaces isolate interfaces and routing tables to avoid cross-process network conflicts. This mechanism ensures that modifications within one do not propagate globally, enhancing and resource segregation in multi-tenant environments. In virtualization, namespaces enable OS-level virtualization, a lightweight alternative to full-system emulation, by partitioning kernel resources without the need for a separate guest kernel. Paired with control groups (cgroups) for resource limiting, namespaces underpin container technologies, permitting multiple isolated user-space instances to run efficiently on a single host kernel, which reduces overhead compared to hypervisor-based systems. This combination supports scalable deployments, as seen in container orchestration platforms where namespaces delineate boundaries for applications. Unlike traditional virtualization via hypervisors, which simulates hardware and incurs significant performance costs from running independent OS instances, namespaces achieve isolation at the kernel level, sharing the host OS for greater efficiency and density. Virtual machines provide stronger hardware-level separation but at the expense of resource duplication, whereas namespace-based approaches excel in scenarios requiring rapid provisioning and minimal footprint. Container runtimes typically invoke namespaces during process creation to establish isolated views; for instance, spawning a process with PID and network namespaces simulates a standalone , where the process tree appears rooted at PID 1 and network traffic is confined to virtual interfaces, all while leveraging the host kernel for execution.

History

Early Development (2000s)

The early development of Linux namespaces during the 2000s focused on enhancing within the kernel to support lightweight , addressing the shortcomings of earlier mechanisms like , which offered limited filesystem isolation and was prone to escapes. This work was motivated by the growing demand for running multiple isolated environments on a single physical machine, enabling efficient resource sharing in server consolidation, , and secure application deployment without the overhead of hypervisors. Influences included FreeBSD's jails for per-process resource views and ' Solaris Zones for , which demonstrated the benefits of namespace-like separation for and manageability. Eric W. Biederman played a pivotal role in conceptualizing namespaces as multiple instances of global kernel resources, proposing this framework in his 2006 paper "Multiple Instances of the Global Linux Namespaces" presented at the Ottawa Linux Symposium. The proposal aimed to create distinct views of kernel objects—such as process IDs, network stacks, and user IDs—for groups of processes, facilitating container technologies like those in . Biederman's efforts, initially under Linux Networx and later at , emphasized unprivileged user isolation to mitigate privilege escalation risks, laying the groundwork for broader kernel adoption. , originating from Virtuozzo's commercial kernel patches since 2005, contributed early implementations of isolation features akin to namespaces, with developers like Pavel Emelyanov pushing for mainline integration to enable virtual private servers (VPS) with shared kernel resources. The initial practical implementations emerged with the mount namespace, introduced by Al Viro in Linux kernel 2.4.19 on August 3, 2002, via the CLONE_NEWNS flag in clone(2). This allowed processes to maintain independent mount tables, isolating filesystem views and enabling chroot-like environments with greater flexibility, inspired by Plan 9's per-process namespaces. Building on this, the PID namespace was added in Linux kernel 2.6.24, released on January 24, 2008, providing separate process ID numbering to prevent PID conflicts across isolated groups and support nested process trees. Biederman's work on user namespaces began around 2005–2006, with prototype patches discussed in kernel mailing lists by 2008, focusing on mapping user and group IDs to enable unprivileged container roots, though full mainline merging occurred later. These foundational additions, often developed through out-of-tree patches from projects like OpenVZ, gradually converged into the upstream kernel, establishing namespaces as a core isolation primitive.

Major Additions and Kernel Integrations

The development of namespaces accelerated in the late 2000s and , with several key types integrated into the kernel to support advanced isolation features for . The UTS , which isolates and views, was merged in kernel version 2.6.19 in December 2006, though its practical maturity evolved with subsequent refinements in later releases. Similarly, the IPC , providing isolation for resources such as System V IPC objects and message queues, was also introduced in Linux 2.6.19. The network namespace followed in kernel 2.6.24 in January 2008, enabling separate network stacks, interfaces, and routing tables per namespace, with fuller integration and usability enhancements completed in 3.8 in February 2013. A pivotal addition was the user namespace, developed starting around 2007 by Eric Biederman to enable unprivileged creation by mapping user and group IDs across namespaces. Despite ongoing security debates on the kernel mailing lists regarding potential privilege escalation risks and the complexity of capability mappings, it was merged into Linux 3.8 in 2013 after extensive review and patching. This integration marked a significant milestone, allowing non-root users to create namespaces without full system privileges, thereby facilitating safer container deployments. Subsequent expansions included the cgroup namespace in Linux 4.6 in May 2016, which virtualizes the view of control groups to prevent container processes from accessing host cgroup hierarchies. The time namespace arrived in Linux 5.6 in March 2020, offering isolated monotonic and boottime clocks with adjustable offsets, primarily to support checkpoint/restore functionality in containers. These additions were largely driven by the rise of container technologies, including the Linux Containers (LXC) project launched in 2008, which relied on namespaces for OS-level virtualization, and Docker's debut in 2013, which popularized namespaces through its lightweight container runtime and influenced kernel discussions on completeness and security. Kernel mailing list threads, particularly around user namespaces, highlighted tensions between isolation benefits and attack surface concerns, leading to iterative security improvements. As of 2025, no major new namespace types have been merged since the time namespace in 2020, with development efforts focusing on refinements such as enhanced user mappings and security mitigations in kernels 5.10 and later. Ongoing proposals, like a syslog for isolating logging resources, remain in discussion without upstream integration.

Namespace Types

Mount (mnt)

The mount , also known as the mnt , provides isolation of the filesystem mount table and tree, ensuring that processes in different mount perceive distinct sets of mounted filesystems. Each process views only the mounts established within its own , and operations such as mounting or unmounting filesystems affect solely that without impacting others. This isolation allows for independent filesystem hierarchies, where the (/) can vary per , enabling processes to operate within customized environments. Key features of the mount namespace include support for bind mounts, which permit remounting a directory subtree at another location within the same or different namespace, facilitating flexible filesystem reconfiguration. It also integrates seamlessly with advanced filesystems like , which leverages mount namespaces to create layered, union-mounted filesystems for read-write overlays on read-only bases, commonly used in container images. Mount propagation mechanisms further enhance control: mounts can be configured as private (MS_PRIVATE, the default), shared (MS_SHARED, for bidirectional propagation), or slave (MS_SLAVE, for unidirectional reception from a master), allowing selective sharing of mount events across related namespaces while maintaining isolation where needed. A new mount namespace is created by invoking clone(2) or unshare(2) with the CLONE_NEWNS flag, requiring the CAP_SYS_ADMIN capability in the caller's user namespace (except when nested under a user namespace with mapped privileges). To join an existing mount , setns(2) is used with a obtained from /proc/[pid]/ns/mnt, which serves as the namespace's identifier and can be bind-mounted to persist it beyond process lifetime. The kernel enforces a per-user limit on mount namespaces via /proc/sys/user/max_mnt_namespaces, with creation failing via ENOSPC if exceeded. In practice, mount namespaces are essential for container runtimes, such as providing a container with its own /proc and /sys mounts populated from the host but isolated to prevent interference, allowing safe introspection of container-specific kernel interfaces without exposing or altering the host's view. However, limitations arise with mount propagation: if a mount is not explicitly set to private (MS_PRIVATE), shared or slave configurations can cause unintended visibility of mounts across namespaces, potentially leaking filesystem changes unless propagation types are carefully managed at namespace creation or via mount(2) flags. Within a user namespace, this isolation extends to unprivileged mounting, where root privileges map to the caller's user ID in the parent namespace, enabling non-root users to establish private mount trees.

Process ID (pid) Namespace

The process ID (PID) namespace provides isolation of the process ID number space, enabling processes in different namespaces to have identical PIDs without interference. In this namespace, each instance maintains its own view of the hierarchy, where the (PID 1) serves as the , and processes outside the namespace are invisible to those within it. This isolation ensures that process identifiers, such as those used in system calls like kill(2) or wait(4), are confined to the local namespace, preventing cross-namespace process management. Key features include support for nested hierarchies, allowing up to 32 levels of PID namespaces since Linux 3.7, where child namespaces inherit visibility of parent processes but maintain separate PID assignments. The /proc filesystem reflects this isolation, displaying only processes local to the viewing namespace, while signals sent to PIDs are confined within the namespace unless explicitly handled across boundaries. Additionally, orphaned processes in a namespace are reparented to the namespace's process rather than the global . PID namespaces are created using the CLONE_NEWPID flag in clone(2) or unshare(2) system calls, which places new processes into a fresh PID space starting from PID 1. Since Linux 5.3, pidfd_open(2) provides a file descriptor-based to a , facilitating namespace-aware management, such as joining via setns(2) or signaling with pidfd_send_signal(2), without relying on /proc paths. The /proc/sys/kernel/ns_last_pid file tracks the last allocated PID in the current namespace and can be adjusted with appropriate capabilities (CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE since Linux 5.9). A representative example is in containerization, where the container's init process runs as PID 1 within its PID namespace, unaware of host processes, allowing the container to manage its own process lifecycle independently while the host views the container processes under higher PIDs. Limitations include the inability to namespace the host's global init process (PID 1 in the root namespace), which remains visible and cannot be isolated, potentially requiring careful signal handling to avoid unintended propagation. Furthermore, joining a PID namespace via setns(2) affects only future children of the calling process, not the caller itself, necessitating forking for full immersion. PID namespaces are often combined with control groups (cgroups) to enforce resource limits on isolated process sets.

Network (net) Namespace

The network namespace in Linux provides isolation for networking resources, allowing processes within a namespace to have their own set of network devices, IPv4 and IPv6 protocol stacks, tables, firewall rules (such as those managed by ), and other related configurations. This separation ensures that network operations in one namespace do not interfere with those in another, enabling independent network environments on the same host. Key isolated views include the /proc/net and /sys/class/net directories, which reflect only the resources visible to the namespace, as well as port numbers (to prevent conflicts) and UNIX domain sockets bound to namespace-local paths. Physical network devices are bound to a single namespace at a time; when a device is moved to a new , it becomes invisible in the original one, and freed devices revert to the initial (root) namespace. Virtual devices, particularly virtual Ethernet (veth) pairs, facilitate communication between namespaces by acting as tunnels: one end resides in one namespace and the other in another, with packets transmitted on one immediately received by its peer. These veth pairs support integration with bridges and VLANs, configurable via tools like ip(8) and brctl(8), allowing complex topologies such as bridging a endpoint to a physical interface for external connectivity. Firewall rules, including chains, are also namespace-specific, ensuring that filtering and NAT policies apply only within the isolated stack. A new network namespace is created using the clone(2) system call with the CLONE_NEWNET flag, which requires CAP_SYS_ADMIN privilege and results in the child process inheriting a stack. Alternatively, the unshare(2) system call with the same flag can detach the calling process into a new . For user-space management, the ip netns tool from the iproute2 package allows creation (e.g., ip netns add mynet), listing (ip netns list), execution of commands within a namespace (e.g., ip netns exec mynet ip link set lo up), and deletion (ip netns del mynet). veth pairs are created with commands like ip link add veth0 type veth peer name veth1, followed by moving endpoints to namespaces using ip link set veth1 netns mynet. In a practical example, a runtime might create a network namespace for a , assigning it a private IP address (e.g., 192.168.1.2) via a veth pair connected to a host bridge, ensuring the container has no direct access to the host's network interfaces or routing tables while allowing outbound traffic through the bridge. This setup is commonly used in container networking to provide isolated, virtualized network environments. Limitations include the fact that physical devices cannot be shared across namespaces simultaneously, and veth pairs are destroyed when their owning namespace is freed. Certain kernel-wide network parameters, such as those in /proc/sys/net (e.g., IPv4/IPv6 configuration inheritance), may propagate from the initial namespace to new ones unless explicitly configured otherwise via sysctls like devconf_inherit_init_net, potentially leading to unintended shared behaviors. Management typically requires the ip netns tool or equivalent, as direct namespace handling is privileged.

Inter-process Communication (ipc) Namespace

The (IPC) namespace in isolates System V IPC resources, including shared memory segments (shm), semaphores (sem), and message queues (msg), as well as message queues, ensuring that these objects are confined to processes within the same . This isolation makes keys and identifiers unique per namespace, preventing processes in different IPC namespaces from accessing or sharing the same IPC objects, even if they use identical keys generated by functions like ftok(). For instance, ftok() paths are effectively isolated because the resulting IPC objects remain namespace-bound, avoiding unintended cross-namespace collisions. Additionally, /dev/shm mounts, which often back , can be namespaced to align with this isolation, providing a separate instance per IPC namespace since Linux 2.6.19. Creation of an IPC namespace occurs through system calls such as clone(2) or unshare(2) with the , which establishes a new namespace for the calling process or its child, requiring the CONFIG_IPC_NS kernel configuration option. This flag affects only System V and IPC primitives; other communication mechanisms like pipes (isolated via PID namespaces) and Unix domain sockets (handled by network or mount namespaces) remain unaffected. Processes can join an existing IPC namespace using setns(2). When the last process in an IPC namespace exits, all associated IPC objects are automatically destroyed, cleaning up resources without leakage to other namespaces. In practice, IPC namespaces enable containers to utilize and other IPC mechanisms without contaminating the host system or adjacent containers; for example, a containerized application can create a shared memory segment for internal process coordination that remains invisible and inaccessible to the host kernel or other isolated environments. This complements PID namespaces by providing finer-grained isolation for legacy IPC primitives beyond simple process tree separation. However, limitations arise with older applications designed around global IPC assumptions, where processes expect to communicate across what would now be namespace boundaries, potentially requiring configuration adjustments like sharing the host's IPC namespace (e.g., via container runtime flags) to maintain functionality. In some cases, migrating such applications to fully namespaced environments may necessitate recompilation or modifications to avoid reliance on cross-namespace IPC, particularly if they use hardcoded global identifiers. message queue support, added in Linux 2.6.30, further mitigates issues for modern applications but highlights the evolutionary constraints on legacy code.

UTS Namespace

The UTS namespace provides isolation for system identifiers associated with the Unix Time-sharing System (UTS), specifically the hostname, nodename, and domainname fields returned by the uname(2) system call. This isolation ensures that processes in different UTS namespaces perceive distinct values for these identifiers, enabling independent system identities without global impact. The namespace copies the parent's hostname and NIS (Network Information Service, also known as Yellow Pages or YP) domain name upon creation, allowing subsequent modifications to remain local to the namespace. Key features include the ability to modify the hostname using sethostname(2) and the domain name using setdomainname(2), with changes visible only to processes sharing the same UTS namespace. This locality is particularly useful for establishing per-process or per-group identities in virtualized environments, such as assigning unique hostnames to isolated workloads. A new UTS namespace is created via the clone(2) or unshare(2) system calls with the CLONE_NEWUTS flag. Inspection occurs through system calls like gethostname(2), getdomainname(2), or uname(2) executed within the namespace, or by examining the namespace handle in /proc/[pid]/ns/uts, which displays the namespace type and inode number (e.g., uts:[4026531838]). For example, in container orchestration, each container can operate with its own —such as "app-server1"—facilitating , logging, and application configuration while the host retains its original identity like "prod-host". This per-container hostname isolation simplifies management in multi-tenant setups without requiring full system reconfiguration. The UTS namespace affects only UTS-specific identifiers, providing isolation for the NIS/YP but not for DNS resolution, which depends on configurations like /etc/[resolv.conf](/page/Resolv.conf) managed through mount or network namespaces. Thus, while hostname-based lookups may appear isolated, broader name resolution remains subject to other namespace interactions.

User (uid) Namespace

The user namespace in isolates the user and group ID number spaces, allowing within the namespace to perceive a remapped set of user IDs (UIDs) and group IDs (GIDs) distinct from those on the host system. This isolation enables a process to operate as the (UID 0) inside the while being mapped to an unprivileged UID on the host, thereby containing privilege escalations and enhancing security for containerized or sandboxed environments. The primary purpose is to support unprivileged container execution by allocating subsets of the host's UID/GID ranges to the namespace, preventing processes from accessing or modifying resources outside their mapped range. Key features include the configuration of UID and GID mappings through the /proc/[pid]/uid_map and /proc/[pid]/gid_map files, which define how IDs in the child namespace correspond to IDs in the parent namespace; for example, a mapping might specify that the range 0-65536 in the child maps to 100000-165535 on the host. These mappings support sub-UID and sub-GID allocation, often managed via tools like newuidmap and newgidmap, allowing non-root users to delegate portions of their UID range for nested namespaces. User namespaces enable unprivileged creation since Linux kernel 3.8, provided the kernel is configured with CONFIG_USER_NS=y and the creating process has appropriate sub-UID/GID ranges allocated in /etc/subuid and /etc/subgid. User namespaces are created using the clone(2) or unshare(2) system calls with the CLONE_NEWUSER flag, which establishes a new namespace as the first step if combined with other namespace creation flags; privileged processes require CAP_SYS_ADMIN, but unprivileged creation relies on the aforementioned kernel configuration and ID mappings. For instance, a container process with root privileges inside the namespace (UID 0) can be mapped to a host UID such as 1000, ensuring that any attempts to access host resources are restricted to that non-privileged identity and mitigating potential privilege escalations. Despite these benefits, user namespaces have limitations, including early security vulnerabilities such as symlink attacks exploitable before kernel 4.2 due to incomplete ID mapping enforcement in filesystem operations (e.g., CVE-2013-1858). Additionally, not all system calls and kernel interfaces fully respect UID mappings; for example, early implementations had issues with binaries that were resolved in subsequent kernels through improved capability checks and VFS adjustments. As of 2025, enhancements in 6.x series, including refined idmapped mount support and stricter capability bounding, have bolstered container by better integrating user namespace mappings with . User namespaces complement mount namespaces in handling binaries by applying ID remapping to filesystem views.

Control Groups (cgroup) Namespace

The control groups (cgroup) namespace in provides isolation of the view of the cgroup for processes within the , ensuring that they perceive only their own subtree as the of the rather than the full host system structure. This hides the host's cgroup organization from containerized or isolated processes, preventing information leakage about the broader system and enhancing abstraction in environments like containers. By remapping cgroup paths to be relative to the namespace's , it allows processes to operate as if their local cgroup is the global , which is particularly useful for and migration scenarios. Introduced in Linux kernel version 4.6 in 2016, the cgroup namespace supports both cgroup v1 and v2 hierarchies, with the latter having been unified starting in kernel 4.5. Key features include the modification of views in /proc/<pid>/cgroup, which displays cgroup paths relative to the namespace root, and adjustments to /proc/<pid>/mountinfo to reflect only the visible cgroup mountpoints. For instance, a process outside the namespace might see a full path like 0::/user.slice/user-1000.slice/session-1.scope, while inside, it appears as 0::/. This isolation applies to cgroup roots but does not alter the underlying resource controls themselves. Creation of a cgroup namespace occurs via the clone(2) or unshare(2) system calls using the CLONE_NEWCGROUP flag, where the calling process's current cgroup becomes the root for the new namespace. Joining an existing namespace is possible with setns(2), provided the process has CAP_SYS_ADMIN capability in the target namespace. Upon creation, mountpoints such as /sys/fs/cgroup are affected, showing only the namespace-local view, which may require remounting specific cgroup filesystems (e.g., mount -t cgroup -o freezer none /sys/fs/cgroup/freezer) for full visibility within the isolated context. In practice, this enables to remain unaware of the host's controllers; for example, a might see its cgroup path as /docker/<container_id> as the root, abstracting away host-level hierarchies like slices and improving portability without exposing sensitive details. This complements the user by providing a fuller isolation layer for -related views, though it requires a kernel configured with CONFIG_CGROUPS. Limitations include the fact that the does not isolate or modify actual limits or , which are handled by the mechanism itself rather than the namespace virtualization. Additionally, while it supports cgroup v2's unified hierarchy from kernel 4.5 onward, older v1 setups may exhibit inconsistencies in mount visibility without explicit remounting. Processes cannot migrate outside their namespace , enforcing the isolation but potentially complicating certain administrative tasks.

Time Namespace

The time namespace in isolates specific time-related counters, virtualizing the CLOCK_MONOTONIC (including its COARSE and RAW variants) and CLOCK_BOOTTIME (including ALARM) clocks to provide per-namespace offsets, while the wall-clock time (CLOCK_REALTIME) remains shared globally. This isolation ensures that processes in different namespaces perceive distinct views of monotonic time progression and boot-time elapsed, which is particularly valuable for maintaining time consistency during migration, checkpoint/restore operations, and freezing without affecting the host system's . The feature was merged into the in version 5.6, released in March 2020, and requires the kernel to be configured with the CONFIG_TIME_NS option. Key system calls affected by time namespaces include clock_gettime(2), clock_nanosleep(2), nanosleep(2), timer_settime(2), and timerfd_settime(2), all of which return or use the offset-adjusted time values specific to the calling 's namespace; similarly, the /proc/uptime file reflects namespace-specific uptime. Offsets for these clocks are managed via the /proc/

/timens_offsets file, where each line specifies a clock ID followed by seconds and nanoseconds to add (e.g., "1 172800 0" to offset CLOCK_MONOTONIC by two days), inheriting from the namespace upon creation and remaining fixed once the first enters the . Setting offsets requires the CAP_SYS_TIME capability in the user namespace, with limits ensuring offsets do not result in negative times or exceed approximately 146 years to prevent overflow. Time namespaces are created by invoking unshare(2) with the CLONE_NEWTIME flag, which enters child processes into the new namespace while leaving the calling process in its original one; the namespace can also be referenced and joined via the /proc/

/ns/time symlink. For example, in container testing or scheduling scenarios, a namespace might apply a zero offset to CLOCK_MONOTONIC to effectively pause time perception for paused processes, or add a custom offset to simulate accelerated testing environments without altering the host's global time. In checkpoint/restore tools like CRIU, time namespaces enable restoring containers with adjusted boottime and monotonic offsets to match the checkpointed state, supporting seamless migration. Limitations include the inability to virtualize CLOCK_REALTIME or gettimeofday(2), meaning wall time and certain legacy interfaces remain unisolated, and offsets cannot be modified after namespace population to avoid inconsistencies for existing processes. This design prioritizes safety in multi-process environments but restricts full time , making it unsuitable for scenarios requiring isolated real-time clocks, such as full emulation.

Implementation Details

System Calls and Commands

Linux namespaces are managed primarily through kernel system calls that allow processes to create, join, or unshare namespaces. The clone(2) system call is used to create a new process while specifying one or more new namespaces for the via the CLONE_NEW* flags in its flags argument. These flags include CLONE_NEWNS for mount namespaces, CLONE_NEWPID for process ID namespaces, CLONE_NEWNET for network namespaces, CLONE_NEWUTS for UTS namespaces, CLONE_NEWIPC for IPC namespaces, CLONE_NEWUSER for user namespaces, CLONE_NEWCGROUP for cgroup namespaces, and CLONE_NEWTIME for time namespaces. Multiple flags can be combined bitwise in a single clone(2) call to create several new namespaces simultaneously for the . The unshare(2) enables a to disassociate parts of its execution context from shared resources, effectively moving the calling into new namespaces without forking a child. It accepts the same CLONE_NEW* flags as clone(2) to specify which namespaces to unshare and enter. For example, unshare(2) with CLONE_NEWNET would create and join a new network namespace for the caller. To enter an existing namespace, the setns(2) is employed, which joins the calling process to a specified by a file descriptor obtained from the /proc filesystem. The nstype argument in setns(2) indicates the type of namespace to join, using the same CLONE_NEW* constants for verification. This allows processes to migrate into namespaces created by other processes. Namespaces are exposed in user space through the /proc/

/ns/ directory, where each namespace type appears as a symbolic link or bind-mountable representing the namespace's inode. These entries, such as /proc/

/ns/net for the network , can be opened to obtain file descriptors for use with setns(2). Processes sharing the same have identical inode numbers for these entries. User-space tools facilitate namespace management without direct system call invocation. The unshare command from the package invokes the unshare(2) based on command-line options corresponding to types, then executes a specified program in the new namespaces. For instance, unshare --net --fork /bin/bash creates a new network and forks a shell into it. The nsenter command, also from , uses setns(2) to enter specified namespaces of a target or PID and run a command therein. It supports options like -t

to target a and -n for network namespaces. For network namespaces specifically, the ip netns subcommand from the package provides utilities to add, delete, list, and execute commands within named network namespaces. Commands such as ip netns add <name> create a new network namespace, while ip netns exec <name> <cmd> runs in that namespace, often by leveraging mount namespaces internally for compatibility. Common errors in namespace operations include EPERM, returned when the required CAP_SYS_ADMIN capability is lacking, though user namespaces since Linux 3.8 permit unprivileged creation. Other errors like EINVAL occur if invalid flags or file descriptors are provided.

Namespace Hierarchy and Joining

Linux namespaces are organized in a hierarchical for each namespace type, where child namespaces are nested within parent namespaces. This ensures that namespaces form a forest across the system, with the global (root) namespace serving as the top-level parent for all types. For PID and user namespaces specifically, the structure is explicitly hierarchical, allowing a namespace to persist as long as it has active child namespaces or, in the case of user namespaces, owns subordinate non-user namespaces. When a new is created via fork(2), it inherits all of its parent's namespaces by default, maintaining continuity in the hierarchy unless explicitly overridden during creation. Processes can join existing namespaces to alter their view of system resources, enabling peer relationships outside the default parent-child inheritance. The setns(2) system call facilitates this by allowing a process to reassociate itself with a target namespace, specified by a file descriptor obtained from /proc/[pid]/ns/[type] entries. This fd-based approach enhances safety by avoiding direct path manipulations and permitting atomic joins for multiple namespace types when using a PID file descriptor (available since Linux 5.8). For instance, a process might join a different network namespace while remaining in its original PID namespace, demonstrating how processes can belong to distinct namespaces across types simultaneously—such as operating in the host's PID space but an isolated network environment. However, joining imposes restrictions: for PID namespaces, the target must be a descendant or the same as the caller's; user namespace joins require appropriate capabilities like CAP_SYS_ADMIN in the target. This multi-namespace capability allows fine-grained isolation, where a single views resources through a combination of inherited and joined namespaces, without requiring a full hierarchical shift. Forked children thus start in the same set as their parent, but subsequent setns(2) calls or unshare(2) operations can create or enter peers, forming branches in the per-type tree. To inspect namespace hierarchies and memberships, tools and interfaces provide visibility into the and per-process affiliations. The lsns(1) command from lists all accessible namespaces system-wide, displaying details like namespace ID (inode number), type, number of processes, owner, and command, which helps trace hierarchical relationships by inode comparisons. For per-process inspection, the /proc/[pid]/ns/ directory contains symbolic links for each namespace type (e.g., pid, net), where matching device IDs and inodes indicate shared membership; the /proc/[pid]/status file further reports the PID namespace via the NSpid field. These mechanisms allow administrators to map the overall tree and verify joins without kernel modifications.

Creation, Destruction, and Lifecycle

Linux namespaces are primarily created through two mechanisms: implicitly, when a new process is forked using the clone system call with CLONE_NEW* flags specifying the desired namespace types, which allocates fresh namespace instances for the child process; or explicitly, when an existing process calls unshare with the same flags to detach itself from its current namespaces and enter new ones. These operations are handled by the kernel's namespace subsystem, which initializes the appropriate structures based on the flags provided. While most namespace types require the CAP_SYS_ADMIN capability within the creating process's user namespace to prevent unauthorized isolation, user namespaces can be created by unprivileged users since Linux kernel version 3.8, enabling safer experimentation with container-like isolation. Destruction of namespaces is handled automatically by the kernel through a reference-counting mechanism, ensuring resources are reclaimed only when no entities depend on the . A remains alive as long as at least one is bound to it, or while it is pinned by open s—typically obtained from entries in /proc/[pid]/ns/—or by bind mounts of those descriptors. When the final reference is released, such as upon the last exiting or closing the pinning , the kernel decrements the count to zero and frees the 's associated data structures. In cases of hierarchies, like those formed by PID or user namespaces, a parent persists until all descendant namespaces and their es are gone, preventing premature cleanup. The lifecycle of a is tightly coupled to management and tracking within the kernel. Key events include creation and termination, which can alter reference counts, and propagation rules that dictate how changes in one (such as mount operations) may affect related namespaces under specific sharing configurations. or orphaned namespaces—those with no active but lingering references—are automatically cleaned up by the kernel upon reference release, avoiding indefinite retention. This design ensures efficient memory and kernel object reuse, with the nsfs pseudo-filesystem facilitating visibility into states via /proc. Management of namespaces during their lifecycle often involves obtaining namespace file descriptors (nsfds) from /proc/[pid]/ns/ entries, which enable operations like joining namespaces or monitoring their status without direct process attachment. Process file descriptors (pidfds) can complement this by allowing signaling of processes within specific namespaces. However, capabilities such as CAP_SYS_ADMIN are typically required for creation, joining, or modification to enforce boundaries. Unprivileged users face additional constraints: since Linux 4.9, per-user limits on namespace creation (e.g., maximum number of each type) are enforced via tunable files in /proc/sys/user/, charged recursively across nested user namespaces to curb potential denial-of-service from excessive allocations.

Adoption and Applications

Container Technologies

Linux namespaces form the foundational isolation mechanism in modern container technologies, enabling lightweight virtualization by segregating processes into distinct views of system resources. Their adoption began with Linux Containers () in 2008, which first combined namespaces with control groups to create user-space containers that mimic full operating system environments without requiring a separate kernel. Docker significantly popularized this approach in 2013 by introducing an accessible tooling layer atop LXC's primitives, shifting from niche server management to widespread application deployment. By 2025, namespaces underpin over 90% of container-based deployments, reflecting the surge in cloud-native architectures where 89% of organizations report substantial use of such techniques. In Docker, namespaces are integrated through the libcontainer library, which has evolved into the runc runtime under the (OCI). Runc employs system calls like clone()—with flags such as CLONE_NEWPID and CLONE_NEWNET—and unshare() to instantiate and manage namespaces, creating isolated scopes for processes. By default, Docker activates the core namespaces of PID for process IDs, network for interfaces and routing tables, mount for filesystem hierarchies, UTS for hostname and domain details, and IPC for (user namespaces require daemon-level configuration for UID/GID mappings). This setup ensures containers operate in a self-contained environment, with root privileges remapped to non-privileged users on the host for enhanced security when user namespaces are enabled. Configuration flexibility includes flags like --network=host, which bypasses the network namespace entirely, allowing the container to utilize the host's networking stack directly for scenarios requiring low-latency access to host ports. The time namespace is not used by default. Kubernetes builds on these primitives by incorporating namespaces into pod sandboxes, which provide a secure boundary for co-located containers sharing resources like volumes and networks while isolating them from other pods and the host. Pod sandboxes leverage namespaces for PID, network, IPC, and user isolation—as of Kubernetes v1.33 (April 2025), user namespaces are enabled by default when stack requirements are met—managed through compliant runtimes such as CRI-O—which focuses on OCI standards and uses runc for execution—and containerd, a high-level runtime that handles container lifecycle operations including namespace setup. Kubernetes NetworkPolicies further utilize network namespaces to define fine-grained traffic controls, selecting pods or entire namespaces via labels to permit or deny ingress/egress flows, thereby enforcing isolation between workloads in multi-tenant clusters. The performance impact of namespaces in container technologies remains negligible, with benchmarks showing less than 1% overhead in CPU and I/O operations compared to bare-metal execution, primarily due to the kernel-level efficiency of namespace switching. Namespaces are typically complemented by control groups for resource limiting, ensuring balanced scalability in production environments.

Security and Sandboxing Use Cases

Linux namespaces play a crucial role in enhancing security by providing isolation mechanisms that confine processes and limit their access to system resources, thereby reducing the potential for privilege escalation and lateral movement in case of compromises. In sandboxing scenarios, tools like Firejail leverage namespaces alongside seccomp-bpf filters to create lightweight, restricted environments for running untrusted applications, isolating their view of the filesystem, network, and processes to prevent unauthorized access or malware propagation. This approach is particularly effective for confining potentially malicious code, such as downloaded executables or third-party software, by dropping unnecessary capabilities and enforcing syscall restrictions within the sandboxed namespace boundaries. In multi-tenant environments, providers utilize Linux namespaces to achieve tenant separation on shared kernel instances, allowing multiple isolated workloads to coexist without interfering with each other. For instance, network and PID namespaces segment traffic and process trees per tenant, mitigating risks from noisy neighbors or cross-tenant attacks on shared infrastructure. This isolation supports scalable, cost-effective deployments while maintaining boundaries, as each tenant operates within its own abstracted resource view. Key security benefits of namespaces include a reduced , particularly through user namespaces, which remap user and group IDs to prevent containerized or sandboxed processes from gaining host-level privileges and escaping to perform exploits. When combined with mandatory access control systems like or SELinux, namespaces further enforce policy-based restrictions on namespace creation and operations, confining unprivileged users from abusing kernel interfaces for escalation. For example, SELinux can label and restrict user namespace transitions, while profiles can mediate access to namespace-related syscalls, layering fine-grained controls atop namespace isolation. Despite these advantages, namespaces have historical limitations, such as breakout vulnerabilities in pre-user configurations where shared kernel resources allowed escapes via kernel bugs, as seen in exploits like CVE-2022-0492 affecting cgroup interactions. Early implementations without user support exposed higher risks of privilege escalation from confined environments. To mitigate these, 2025 best practices emphasize enabling user remapping on production systems, which maps container UIDs to non-privileged host users (e.g., via /etc/subuid and /etc/subgid), combined with kernel hardening options like user.max_user_namespaces to limit proliferation. Beyond traditional uses, projects like Google's gVisor integrate namespaces with a user-space kernel implementation to create robust sandboxes, intercepting syscalls from namespaced processes and emulating them securely to block direct kernel access and further isolate untrusted workloads. This layered approach enhances protection against kernel exploits in high-security contexts, such as running legacy or unverified binaries.

Proposed Extensions

Syslog Namespace

The syslog namespace was proposed in 2013 by Rui Xiang, an engineer at , to isolate syslog communications and prevent containers from accessing host logs via the shared /dev/log device. The proposal aimed to enable each to maintain independent syslog identifiers, buffers, and daemons, ensuring that activities remain confined within boundaries. This isolation would address a key limitation in containerized environments, where processes could otherwise inadvertently read or interfere with the host's system logs. The core goals included separating kernel printks and user-space syslog(3) calls per namespace, allowing container-specific handling of logs such as those from iptables rules without leaking to the host. By providing per-namespace log buffers, the feature would support dedicated syslog daemons running inside containers, enhancing security and manageability in multi-tenant setups. The syslog namespace relates briefly to the IPC namespace, as /dev/log relies on Unix domain sockets for logging primitives. In terms of implementation, the syslog namespace was designed to be tightly coupled with the user namespace: a new syslog namespace would be created automatically upon user namespace initialization, with an additional ioctl command (SYSLOG_ACTION_NEW_NS on /proc/kmsg) enabling user-space creation of namespaces. Patches introduced structures like struct syslog_ns for namespace tracking, per-namespace ring buffers for printk messages, and modifications to syslog(3) to route calls based on the current namespace, using a ns_printk variant for kernel logging. Despite these details, the proposal was not merged into the mainline due to concerns about increasing kernel complexity for a feature that could be addressed through existing or emerging alternatives. As of November 2025, the syslog namespace remains unmerged and absent from the kernel's namespace implementations. Instead, systemd's LogNamespace directive offers comparable isolation by creating logical journal namespaces for services, allowing them to log via syslog(3) without mixing streams from the host or other projects. User-space tools like syslog-ng provide further alternatives, supporting multiple systemd-journal sources across namespaces for flexible log collection and forwarding.

Other Emerging Proposals

Ongoing controversies surrounding user namespaces, highlighted in recent presentations as both enabling unprivileged containers and introducing exploit vectors, underscore the caution in approving extensions. As of November 2025, development focuses on refining existing namespaces, such as enhancing time namespace APIs for better checkpoint/restore integration in tools like CRIU, with no major new proposals merged into the kernel. Community discussions continue on the containers@ and linux-kernel@vger mailing lists, exploring namespace evolution for container orchestration and security.

References

  1. https://man7.org/linux/man-pages/man7/namespaces.7.html
  2. https://lwn.net/Articles/531114/
  3. https://www.kernel.org/doc/ols/2006/ols2006v1-pages-101-112.pdf
  4. https://blog.nginx.org/blog/what-are-namespaces-cgroups-how-do-they-work
  5. https://www.redhat.com/en/blog/7-linux-namespaces
  6. https://www.redhat.com/en/topics/containers/containers-vs-vms
  7. https://wiki.openvz.org/History_of_containers_in_Linux_kernel
  8. https://lwn.net/Articles/266521/
  9. https://man7.org/linux/man-pages/man2/mount.2.html
  10. https://docs.kernel.org/filesystems/overlayfs.html
  11. https://www.kernel.org/doc/html/latest/filesystems/sharedsubtree.html
  12. https://man7.org/linux/man-pages/man2/unshare.2.html
  13. https://man7.org/linux/man-pages/man2/setns.2.html
  14. https://man7.org/linux/man-pages/man7/user_namespaces.7.html
  15. https://man7.org/linux/man-pages/man7/pid_namespaces.7.html
  16. https://man7.org/linux/man-pages/man2/pidfd_open.2.html
  17. https://man7.org/linux/man-pages/man7/network_namespaces.7.html
  18. https://man7.org/linux/man-pages/man4/veth.4.html
  19. https://man7.org/linux/man-pages/man2/clone.2.html
  20. https://man7.org/linux/man-pages/man8/ip-netns.8.html
  21. https://docs.kernel.org/admin-guide/sysctl/net.html
  22. https://man7.org/linux/man-pages/man7/ipc_namespaces.7.html
  23. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux_atomic_host/7/html/overview_of_containers_in_red_hat_systems/introduction_to_linux_containers
  24. https://man7.org/linux/man-pages/man7/uts_namespaces.7.html
  25. https://www.redhat.com/en/blog/uts-namespace
  26. https://lwn.net/Articles/528078/
  27. https://lwn.net/Articles/543273/
  28. https://docs.kernel.org/filesystems/idmappings.html
  29. https://man7.org/linux/man-pages/man7/cgroup_namespaces.7.html
  30. https://lwn.net/Articles/616099/
  31. https://kernelnewbies.org/Linux_4.6
  32. https://docs.kernel.org/admin-guide/cgroup-v2.html
  33. https://man7.org/linux/man-pages/man7/time_namespaces.7.html
  34. https://kernelnewbies.org/Linux_5.6
  35. https://criu.org/Time_namespace
  36. https://docs.kernel.org/userspace-api/unshare.html
  37. https://man7.org/linux/man-pages/man1/unshare.1.html
  38. https://man7.org/linux/man-pages/man1/nsenter.1.html
  39. https://man7.org/linux/man-pages/man8/lsns.8.html
  40. https://man7.org/linux/man-pages/man5/proc.5.html
  41. https://docs.kernel.org/admin-guide/sysctl/user.html
  42. https://www.aquasec.com/blog/a-brief-history-of-containers-from-1970s-chroot-to-docker-2016/
  43. https://www.baeldung.com/linux/docker-containers-evolution
  44. https://www.cncf.io/wp-content/uploads/2025/04/cncf_annual_survey24_031225a.pdf
  45. https://www.docker.com/blog/runc/
  46. https://kubernetes.io/blog/2025/04/25/userns-enabled-by-default/
  47. https://kubernetes.io/docs/concepts/services-networking/network-policies/
  48. https://blog.hathora.dev/benchmarking-container-performance/
  49. https://lwn.net/Articles/671534/
  50. https://github.com/netblue30/firejail
  51. https://man7.org/linux/man-pages/man1/firejail.1.html
  52. https://netflixtechblog.com/evolving-container-security-with-linux-user-namespaces-afbe3308c082
  53. https://www.redhat.com/en/blog/providing-multi-tenancy-and-network-isolation-to-the-edge
  54. https://docs.redhat.com/en/documentation/openshift_container_platform/3.11/html/container_security_guide/security-hosts
  55. https://lwn.net/Articles/673597/
  56. https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
  57. https://discussion.fedoraproject.org/t/confining-user-namespaces-with-selinux/142995
  58. https://www.aquasec.com/blog/new-linux-kernel-vulnerability-escaping-containers-by-abusing-cgroups/
  59. https://docs.docker.com/engine/security/userns-remap/
  60. https://www.ibm.com/support/pages/best-practices-docker-security-and-configuration
  61. https://gvisor.dev/docs/architecture_guide/security/
  62. https://cloud.google.com/blog/products/identity-security/open-sourcing-gvisor-a-sandboxed-container-runtime
  63. https://gvisor.dev/
  64. https://www.youtube.com/watch?v=UfoT88iE-TY
  65. https://lpc.events/event/19/program
  66. https://lists.linuxfoundation.org/pipermail/containers/
Add your contribution
Related Hubs
Contribute something
User Avatar
No comments yet.