Introduction to Linux Namespaces


I’m going to introduce the concept of Linux namespaces. With the advent of Linux containers, it has become common to isolate Linux processes into their own small system environments. This makes it possible to run a whole range of applications on a single real Linux machine and ensure that no two of them can interfere with each other. Namespaces have been a feature of Linux since version 2.6.24, released in 2008. They allow other aspects of the operating system to be independently modified as well, including the process tree, network interfaces, mount points, inter-process communication resources and others.

Linux namespaces

Let’s start with a brief introduction to what namespaces are in Linux and what their objectives are.

Wikipedia gives the following definition of namespaces:

“Namespaces are a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources and another set of processes sees a different set of resources. The feature works by having the same namespace for a group of resources and processes, but those namespaces refer to distinct resources.”

That is, a namespace is a way of scoping a particular set of identifiers. Using namespaces, you can use the same identifier multiple times in different namespaces, and you can restrict the set of identifiers visible to particular processes.

A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. Changes to the resource are visible to the other processes that are members of the namespace, but are invisible to processes outside it. Two or more namespaces can reside on the same computer, and namespaces can either share access to certain resources or have exclusive access. Linux namespaces are among the fundamental technologies behind most modern container implementations; they are a key part of how containers work.

The following types of namespaces are in wide use today:

  • Process isolation (PID namespace)

The PID namespace provides processes with a set of process IDs (PIDs) independent from other namespaces. PID namespaces are nested: when a new process is created it has a PID in each namespace from its current namespace up to the initial PID namespace. As an example, some software was not written to have more than one copy running at a time; to run several copies, you might have to isolate each one so that it is not aware of the processes outside its own set. This is the kind of problem process isolation solves.

/proc/[pid]/ns/pid This file is a handle for the PID namespace of the process. This handle is permanent for the lifetime of the process (i.e., a process’s PID namespace membership never changes).

  • Network interfaces (net namespace)

A network namespace is logically another copy of the network stack, with its own routes, firewall rules and network devices. A process inherits its network namespace from its parent; initially, all processes share the same default network namespace as the init process.

Network namespaces, in particular, virtualize the network stack. Each network namespace has its own set of resources: network interfaces, IP addresses, routing tables, tunnels, firewall rules and so on. For example, iptables rules added in a network namespace only affect traffic entering and leaving that namespace.

/proc/[pid]/ns/net This file is a handle for the network namespace of the process.

  • Unix Timesharing System (uts namespace)

The UTS namespace provides isolation of the hostname and domain name system identifiers, allowing hostnames to be segregated. It isolates the two elements of the system that relate to the uname system call. The UTS (UNIX Time Sharing) namespace is named after the data structure used to store the information returned by the uname system call. Specifically, the UTS namespace isolates the hostname and the NIS domain name.

/proc/[pid]/ns/uts This file is a handle for the UTS namespace of the process.

  • User namespace

User namespaces isolate security-related identifiers and attributes, in particular user IDs and group IDs, the root directory, keys, and capabilities. A process’s user and group IDs can be different inside and outside a user namespace. User namespaces thus provide both privilege isolation and user identification segregation across multiple sets of processes.

/proc/[pid]/ns/user This file is a handle for the user namespace of the process.

  • Mount (mnt namespace)

The mount namespace is used to isolate mount points so that processes in different namespaces cannot view each other’s files. If you are familiar with the chroot command, it functions similarly. Mount namespaces control mount points: upon creation, the mounts from the current mount namespace are copied to the new namespace, but mount points created afterwards do not propagate between namespaces.

/proc/[pid]/ns/mnt This file is a handle for the mount namespace of the process.

  • Interprocess Communication (IPC)

Each IPC namespace has its own set of System V IPC identifiers and its own POSIX message queue filesystem. Objects created in an IPC namespace are visible to all other processes that are members of that namespace, but are not visible to processes in other IPC namespaces. IPC handles communication between processes using shared memory areas, message queues and semaphores.

/proc/[pid]/ns/ipc This file is a handle for the IPC namespace of the process.

  • CGroup

A cgroup namespace virtualizes the contents of the /proc/self/cgroup file. Processes inside a cgroup namespace can only view paths relative to their namespace root. Cgroups themselves are a kernel mechanism for restricting and measuring the resources allocated to each process group. Using cgroups, you can allocate and limit the resources that a process or set of processes can use, such as CPU time, memory, network I/O or access to a filesystem, whereas namespaces restrict the visibility a group of processes has of the rest of the system.

/proc/[pid]/ns/cgroup This file is a handle for the cgroup namespace of the process.

  • Time

The time namespace is suited to Linux container usage: it allows the date/time to be changed within a container, and clocks to be adjusted within a container following restoration from a checkpoint/snapshot.

/proc/[pid]/ns/time This file is a handle for the time namespace of the process.

The namespaces API consists of the following system calls:

  • clone()

The clone system call creates a new process; given the appropriate flags, the child is placed in one or more new namespaces.

  • setns()

The setns system call allows the calling process to join an existing namespace, identified by a file descriptor that refers to one of the /proc/[pid]/ns/ files.

  • unshare()

The unshare system call moves the calling process into a new namespace.

  • ioctl()

ioctl operations can be used to discover information about namespaces.
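As an added example of the unshare system call in use (not from the original article), this C program forks a child that moves into a new user namespace and a new UTS namespace, changes the hostname there, and lets the parent verify that its own hostname is unaffected. The user namespace is what allows an unprivileged user to do this; where user namespaces are disabled or the call is filtered, the program reports that rather than failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/utsname.h>

/* Child: unshare() into a new user namespace plus a new UTS namespace, then
   rename the host. The user namespace is what lets an unprivileged user do
   this: the process holds a full capability set inside it, including the
   CAP_SYS_ADMIN that sethostname() checks against the UTS namespace's owner.
   Exit status: 0 = renamed, 2 = the kernel or sandbox refused, 3 = other error. */
static int child_rename_host(const char *newname)
{
    if (unshare(CLONE_NEWUSER | CLONE_NEWUTS) < 0)
        return (errno == EPERM || errno == EACCES || errno == EINVAL || errno == ENOSYS) ? 2 : 3;
    if (sethostname(newname, strlen(newname)) < 0) return 3;   /* only the new UTS ns sees this */
    struct utsname u;
    uname(&u);
    return strcmp(u.nodename, newname) == 0 ? 0 : 3;
}

/* Fork a child that renames the host in its own UTS namespace, then check that
   the parent's hostname is untouched.
   Returns 1 when isolation was demonstrated, 0 when namespaces are unavailable
   here (e.g. user namespaces disabled or filtered by seccomp), -1 when the new
   name leaked into the parent or another step failed. */
int demo_uts_isolation(void)
{
    struct utsname before, after;
    uname(&before);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(child_rename_host("isolated-host"));
    int status = 0;
    waitpid(pid, &status, 0);
    uname(&after);
    if (strcmp(before.nodename, after.nodename) != 0) return -1;   /* must never happen */
    int code = WIFEXITED(status) ? WEXITSTATUS(status) : 3;
    return code == 0 ? 1 : (code == 2 ? 0 : -1);
}

int main(void)
{
    int r = demo_uts_isolation();
    puts(r == 1 ? "hostname changed in the child only" : r == 0 ? "namespaces unavailable here" : "FAILED");
    return r < 0;
}
```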

Each process has a /proc/[pid]/ns/ subdirectory containing one entry for each namespace that supports being manipulated by setns. Bind-mounting one of the files in this directory to somewhere else in the filesystem keeps the corresponding namespace of the process specified by pid alive even if all processes currently in the namespace terminate.

The files in the /proc/sys/user directory expose limits on the number of namespaces of various types that can be created (see max_cgroup_namespaces, max_pid_namespaces, max_net_namespaces, …). The limits are defined per user.

A namespace is automatically torn down when the last process in the namespace terminates or leaves it, unless something else keeps it alive, such as the bind mount described above.