Linux Namespaces and Control Groups

When Docker runs a container, or when Kubernetes orchestrates thousands of workloads across a cluster, the fundamental isolation that keeps each container's processes, filesystems, and network interfaces separate from the host and from each other comes from a surprisingly elegant kernel feature: Linux namespaces.

Namespaces are not containers themselves—they are the building blocks from which containers are constructed. Understanding namespaces means understanding the atomic units of isolation that the Linux kernel provides, and how containerization technologies compose these primitives to create the sandboxed environments we rely on in modern infrastructure.

At its core, a namespace is a kernel mechanism that partitions system resources so that one set of processes sees one set of resources while another set of processes sees a different set. Each namespace type isolates a specific global system resource, creating the illusion that processes within the namespace have their own isolated instance of that resource.

Consider how a traditional UNIX system works: all processes share a single view of the system. Every process sees the same process tree, the same network interfaces, the same mounted filesystems, the same hostname. This shared view is both powerful (enabling easy inter-process communication and resource sharing) and limiting (making true isolation impossible without heavyweight virtualization).

Namespaces change this fundamental assumption. Instead of a single global namespace for each resource type, the kernel can maintain multiple instances of that namespace. Processes are assigned to specific namespace instances, and their view of the system is confined to what that namespace exposes.

Key properties of namespaces:

1. Isolation: Processes in different instances of a namespace cannot see each other's resources for that namespace type
2. Hierarchical: Namespaces can form hierarchies, with parent namespaces having visibility into child namespaces but not vice versa
3. Composable: A process belongs to exactly one instance of each namespace type, and different namespace types operate independently
4. Lightweight: Unlike full virtualization, namespaces are implemented within the same kernel and share most kernel data structures, making them extremely efficient
5. Progressive adoption: New processes inherit their parent's namespace memberships by default, but can be moved to new namespaces at creation time or, for some types, during execution

Linux namespaces did not emerge fully formed. They evolved over nearly two decades, with each namespace type addressing specific isolation requirements that became apparent as the industry's understanding of containerization matured.

The Pre-Namespace Era (Before 2002)

Before namespaces, process isolation on Linux was limited to traditional UNIX mechanisms:

• Users and groups: Basic access control but no visibility isolation
• chroot: Filesystem isolation, but easily escapable and incomplete
• Separate machines: True isolation required dedicated hardware or heavyweight VMs

The need for lightweight isolation became pressing as hosting providers sought better multi-tenancy, and as security researchers demonstrated the limitations of chroot for containment.

The mount namespace (2002) was the first, introduced as an extension to the Plan 9 operating system's concept of per-process filesystem views. It allowed different processes to see different filesystem layouts—a powerful extension to chroot that couldn't be circumvented by simply navigating directory structures.

The containerization wave (2006-2009) brought rapid development. The UTS, IPC, and PID namespaces emerged as researchers at IBM and other organizations worked on container technologies like OpenVZ and later LXC. Network namespaces completed the picture for practical containerization.

User namespaces (2013) represented a paradigm shift—they enabled unprivileged users to create and administer containers by mapping UID/GID ranges, fundamentally changing the security model.

Recent additions (2016-2020) reflect ongoing refinement. Cgroup namespaces improve container nesting, while time namespaces enable scenarios requiring time manipulation without host privileges.

Modern Linux (kernel 5.6+) supports eight distinct namespace types, each isolating a specific system resource. Understanding each type is essential for comprehending how containers achieve comprehensive isolation.

Mount Namespace (CLONE_NEWNS)

The mount namespace isolates the set of filesystem mount points seen by processes. When a process is in its own mount namespace, mounting or unmounting filesystems affects only processes in that namespace—the host and other containers remain unaffected.

This is foundational for containers: it enables each container to have its own root filesystem, with its own /proc, /sys, and any other mount points, completely independent of the host's mount table.

UTS Namespace (CLONE_NEWUTS)

Named after the 'UNIX Time-sharing System', the UTS namespace isolates the system's hostname and NIS (Network Information Service) domain name. Each UTS namespace has its own hostname and domainname, allowing containers to have distinct identities without affecting each other or the host.

While seemingly simple, hostname isolation is critical for applications that use hostname for identity, logging, and service discovery.

IPC Namespace (CLONE_NEWIPC)

The IPC namespace isolates System V IPC objects (semaphores, message queues, shared memory segments) and POSIX message queues. Processes in different IPC namespaces cannot access each other's IPC resources, even if they know the identifiers.

This prevents information leakage between containers through IPC channels and ensures that IPC identifier collisions between containers cannot occur.

PID Namespace (CLONE_NEWPID)

The PID namespace virtualizes process IDs. Each PID namespace has its own independent set of PIDs starting from 1. The first process in a new PID namespace becomes PID 1 within that namespace—the init process for that container.

Critically, PID namespaces are hierarchical. A process is visible in its own PID namespace and all ancestor namespaces (with different PIDs in each). This allows the host to manage container processes while containers cannot see or signal processes outside their namespace.

Network Namespace (CLONE_NEWNET)

The network namespace provides complete network stack isolation. Each network namespace has its own:

• Network devices (eth0, lo, etc.)
• IP addresses and routing tables
• Port numbers (two containers can both bind to port 80)
• Firewall rules (iptables/nftables)
• /proc/net contents

Virtual ethernet pairs (veth) connect namespaces, enabling controlled network communication between containers and with the host.

User Namespace (CLONE_NEWUSER)

The user namespace is perhaps the most powerful and complex. It isolates user and group IDs, enabling a process to have different UIDs inside and outside the namespace. A process can be root (UID 0) inside its user namespace while being an unprivileged user on the host.

This capability enables:

• Rootless containers (containers run by non-root users)
• Improved security (container root has no host privileges)
• Safe delegation of namespace creation to unprivileged users

Cgroup Namespace (CLONE_NEWCGROUP)

The cgroup namespace virtualizes the view of the cgroup hierarchy. A process in a cgroup namespace sees its current cgroup as the root of the hierarchy, rather than seeing the full host cgroup tree. This prevents containers from discovering information about other containers or the host through /proc/self/cgroup.

Time Namespace (CLONE_NEWTIME)

The newest addition, time namespaces allow processes to have different views of CLOCK_MONOTONIC and CLOCK_BOOTTIME. This enables scenarios like container migration (where boot time differs) and testing time-dependent applications without root access to set system time.

Understanding how the kernel implements namespaces illuminates both their power and their limitations. The implementation is remarkably elegant, built around a few key data structures and system calls.

The nsproxy Structure

At the heart of namespace implementation is the nsproxy structure. Every process (represented by a task_struct) has a pointer to an nsproxy, which in turn contains pointers to the actual namespace objects the process belongs to.

Reference counting ensures namespaces persist as long as any process uses them. When the last process exits a namespace (and no external references remain, such as bind-mounted namespace files), the namespace is destroyed and its resources released.

Namespace inheritance works through the nsproxy. When a process forks, the child typically shares the parent's nsproxy—both point to the same namespace instances. Only when a process explicitly creates a new namespace (via clone() or unshare()) does the kernel allocate a new namespace object and potentially a new nsproxy.

The User Namespace Exception

Notice that user_namespace is not in nsproxy. Instead, it's stored directly in the process's credentials (struct cred). This reflects user namespaces' special role in the permission model—they affect privilege checks throughout the kernel, not just resource visibility.

Namespace Objects

Each namespace type has its own kernel structure containing the isolated resources. For example:

• struct pid_namespace contains the PID allocation bitmap, init process pointer, and link to parent PID namespace
• struct net contains routing tables, netfilter rules, and network device lists
• struct mnt_namespace contains the mount tree root and mount ID allocator

These structures are created during namespace creation and populated with either empty/default resources (for truly new namespaces) or copies of the parent's resources (for most namespace types).

The Namespace Filesystem (/proc/[pid]/ns/)

The kernel exposes namespace membership through a special filesystem. For each process, /proc/[pid]/ns/ contains symbolic links representing the namespaces that process belongs to. These links have several remarkable properties:

Three primary system calls govern namespace creation and manipulation: clone(), unshare(), and setns(). Understanding these is essential for anyone working with containers or implementing namespace-aware applications.

clone() — Create Process in New Namespaces

The clone() system call creates a new process (like fork()) but with fine-grained control over what is shared between parent and child. Namespace flags determine which new namespaces the child should enter.

unshare() — Disassociate from Namespaces

The unshare() system call allows an existing process to create new namespaces and move itself into them. This is useful when you want to isolate the current process rather than creating a new one.

setns() — Join Existing Namespaces

The setns() system call moves a process into an existing namespace, specified by a file descriptor. This is how tools like docker exec work—they open the namespace files of a running container and use setns() to join them.

Namespaces have a defined lifecycle governed by reference counting. Understanding this lifecycle is crucial for implementing robust containerization and avoiding resource leaks.

Default Lifecycle (Process-Bound)

By default, a namespace's lifetime is tied to the processes within it:

1. Creation: A new namespace is created when a process calls clone() with namespace flags or unshare()
2. Usage: The namespace exists while at least one process belongs to it
3. Destruction: When the last process exits the namespace, the kernel destroys it and releases resources

This means that a container's namespaces naturally clean up when all container processes terminate—no explicit garbage collection needed.

Persistent Namespaces (Bind-Mount Trick)

Sometimes you need a namespace to survive even when no processes are using it—for example, to prepare a network namespace before launching a container. This is achieved by bind mounting the namespace file:

# Create a new network namespace without any process
ip netns add my_namespace

# This actually does:
# 1. unshare(CLONE_NEWNET) in a helper process
# 2. Bind mounts /proc/self/ns/net to /var/run/netns/my_namespace
# 3. Helper process exits, but namespace persists due to bind mount

The bind mount holds a reference to the namespace object, preventing destruction even with zero processes. Removing the bind mount releases this reference.

File Descriptor References

Opening a namespace file (e.g., open("/proc/1234/ns/net", O_RDONLY)) also holds a reference. This is used by orchestrators to:

• Hold namespaces while reconfiguring them
• Pass namespace references between processes via socket SCM_RIGHTS
• Inspect namespace properties without joining them

Orphaned Namespace Handling

PID namespaces have special destruction semantics. When the init process (PID 1) of a PID namespace dies, the kernel sends SIGKILL to all remaining processes in that namespace. This ensures containers are fully terminated when their init dies:

1. Container init process (PID 1 inside, PID 12345 outside) crashes
2. Kernel iterates through all processes in that PID namespace
3. Each process receives SIGKILL
4. Once all processes exit, the namespace is destroyed

This reaping behavior prevents orphaned zombie containers.

Namespaces are a powerful security mechanism, but they have limitations and gotchas that practitioners must understand. Security depends on properly configuring multiple namespace types together, combined with other kernel features.

What Namespaces Protect Against

When properly configured, namespaces prevent containerized processes from:

• Seeing host processes (PID namespace)
• Accessing host network interfaces (network namespace)
• Modifying host filesystem mounts (mount namespace)
• Signaling host processes (PID namespace)
• Using host IPC mechanisms (IPC namespace)
• Binding to host ports (network namespace)

User Namespaces as a Security Boundary

User namespaces fundamentally change the security model. Without user namespaces, UID 0 inside a container is UID 0 on the host—if they escape the container, they have root access. With user namespaces:

• Container root (UID 0) maps to an unprivileged host user (e.g., UID 100000)
• Kernel permission checks use the mapped UID
• Escaping the container yields unprivileged host access

Capability Scoping

Capabilities (the split-up components of traditional root power) are scoped to namespaces. A process can have CAP_NET_ADMIN in its network namespace (allowing it to configure networking inside the container) without having that capability in the initial network namespace (preventing host network configuration).

This scoping enables fine-grained privilege delegation:

• Grant CAP_SYS_ADMIN only within a user namespace
• Allow mount operations only within a mount namespace
• Permit network configuration only within a network namespace

We've covered substantial ground in understanding Linux namespaces. Let's consolidate the key takeaways:

What's next:

Now that we understand the namespace concept and the eight namespace types at a high level, the next page dives deep into the three most critical namespaces for practical containerization: PID namespaces, network namespaces, and mount namespaces. We'll explore their internal mechanics, hierarchical structure, and how they interact to create the isolation that containers depend upon.