Linux namespaces
Namespaces are a feature of the Linux kernel that partition kernel resources such that one set of processes sees one set of resources, while another set of processes sees a different set of resources. The feature works by assigning the same namespace type to a set of resources and processes, but allowing those namespaces to refer to distinctly isolated environments. This provides the illusion that a process or a process group is the sole user of the system's hardware and software resources. Examples of such resources include process IDs, hostnames, user IDs, file names, network interfaces, and inter-process communication mechanisms.
Linux namespaces, alongside cgroups (control groups), are the foundational technologies underpinning modern OS-level virtualization and containerization platforms such as Docker, Kubernetes, LXC, and Podman. While cgroups dictate how much of a system's resources a process can use (such as CPU, memory, and disk I/O limits), namespaces dictate what a process is allowed to see and interact with.
The term "namespace" is often used to denote a specific type of namespace (e.g., process ID namespace) as well as for a particular space of names. A Linux system begins with a single initial namespace of each type, which is shared by all processes. Processes can subsequently create additional namespaces or join existing ones, allowing complex, nested isolation boundaries.
Linux namespaces were heavily inspired by the wider namespace functionality utilized throughout the Plan 9 from Bell Labs operating system, which treated everything as a file and provided per-process namespace isolation.
The Linux namespace implementation originated in 2002 with the release of the 2.4.19 kernel. The first namespace introduced was the mount namespace, pioneered by kernel developer Al Viro, which isolated filesystem mount points. Because it was the first of its kind, the system call flag introduced for it was simply named CLONE_NEWNS (New Namespace), a name that does not specify "mount" and is often considered a historical artifact.
Subsequent namespaces were introduced progressively over several years:
As of Linux kernel version 5.6, there are exactly eight kinds of namespaces. Namespace functionality operates uniformly across all kinds: each process is associated with a namespace and can only see or use the resources associated with that specific namespace, including its descendant namespaces where applicable. This provides each process (or group of processes) with a unique, compartmentalized view of the system.
Mount namespaces, the first namespace to be added to Linux, control mount points. They provide a process with an isolated view of the filesystem hierarchy. Upon creation, the mounts from the current mount namespace are initially copied to the new namespace. However, mount points created or unmounted afterwards do not propagate between namespaces by default.
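The copy-then-diverge behaviour of mount namespaces can be observed directly. The following C program is an added example, not code from the original page: a child process unshares a user namespace and then its mount table (the CLONE_NEWNS flag named above), mounts a tmpfs over a scratch directory, and the parent confirms that nothing changed in its own view. It assumes a Linux host where unprivileged user namespaces are enabled; where the kernel or a sandbox refuses them, demo_mount_ns() reports 0 instead of failing. The ns_inode() helper parses the "mnt:[<inode>]" text that /proc/<pid>/ns/mnt resolves to, which is the standard way to tell whether two processes share a namespace.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* /proc/<pid>/ns/mnt is a symlink reading "mnt:[<inode>]"; two processes are in
 * the same mount namespace exactly when that inode matches. Returns 0 on bad input. */
unsigned long ns_inode(const char *link_text) {
    const char *lb = strchr(link_text, '[');
    return lb ? strtoul(lb + 1, NULL, 10) : 0;
}

/* Returns 1 if the child's mount stayed invisible to the parent, 0 if this kernel or
 * sandbox refuses unprivileged namespaces/mounts (EPERM/EINVAL), -1 on other errors. */
int demo_mount_ns(void) {
    char dir[] = "/tmp/nsdemo.XXXXXX";          /* constructed scratch directory */
    struct stat before, after, inside;
    if (!mkdtemp(dir) || stat(dir, &before) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { rmdir(dir); return -1; }
    if (pid == 0) {
        /* A new user namespace first, so an unprivileged process may then unshare
         * its mount table (CLONE_NEWNS). The table starts as a copy of the parent's. */
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) _exit(2);
        /* This mount lands only in the child's copy; it does not propagate upward. */
        if (mount("none", dir, "tmpfs", 0, "size=64k") != 0) _exit(3);
        if (stat(dir, &inside) != 0) _exit(4);
        _exit(inside.st_dev != before.st_dev ? 0 : 5);   /* tmpfs has its own st_dev */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    int seen = stat(dir, &after);
    rmdir(dir);                                   /* still empty here: no mount on it */
    int code = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    if (code == 2 || code == 3) return 0;
    if (code != 0 || seen != 0) return -1;
    return after.st_dev == before.st_dev ? 1 : -1;
}

int main(void) {
    int r = demo_mount_ns();
    printf("mount namespace isolation: %s\n",
           r == 1 ? "demonstrated" : r == 0 ? "not permitted here" : "error");
    return r < 0;
}
```

Comparing `readlink /proc/$$/ns/mnt` from two shells gives the same inode check by hand that ns_inode() performs in code.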