Linux Namespaces
Namespaces are Linux kernel mechanisms for isolation: they make a group of processes see their own separate view of a system resource.
- Process Namespace
- Network Namespace
- IPC Namespace
- Mount Namespace
- User Namespace
- UTS Namespace
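Before looking at each kind in turn, it helps to know where the kernel exposes a process's namespace membership. As an added example that is not part of the original article, the POSIX shell script below reads the `/proc/<pid>/ns` symlinks and compares two processes kind by kind, which is the check a defender runs to confirm that a supposedly isolated process really is in its own PID, network or mount namespace rather than sharing the host's. It assumes a Linux host with procfs mounted; the function names are this example's own.

```shell
#!/bin/sh
# Inspect which namespaces a process belongs to via /proc/<pid>/ns.
# Each entry is a symlink whose target reads like "net:[4026531840]"; the
# bracketed number is the namespace inode, so two processes are in the same
# namespace of a kind exactly when those numbers match. Reading another
# process's links needs ptrace-read access to it (same user or CAP_SYS_PTRACE).
# Function names below are this example's own, not kernel or util-linux names.

# Print "<kind>=<inode>" for every namespace kind of a process (default: self).
ns_ids() {
    pid=${1:-self}
    for link in /proc/"$pid"/ns/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        inode=$(printf '%s\n' "$target" | tr -d '[]' | cut -d: -f2)
        printf '%s=%s\n' "$(basename "$link")" "$inode"
    done
    return 0
}

# Emit the kinds where process $2 and reference $3 agree (mode "shared") or
# differ (mode "separate"). pid_for_children and time_for_children report the
# namespace that *children* of the process will get: that is what changes right
# after unshare(CLONE_NEWPID), while the caller's own pid entry stays the same.
_ns_compare() {
    mode=$1; pid=$2; ref=$3
    for link in /proc/"$pid"/ns/*; do
        kind=$(basename "$link")
        a=$(readlink "$link" 2>/dev/null) || continue
        b=$(readlink "/proc/$ref/ns/$kind" 2>/dev/null) || continue
        if [ "$a" = "$b" ]; then same=yes; else same=no; fi
        case "$mode-$same" in shared-yes|separate-no) echo "$kind";; esac
    done
    return 0
}
shared_ns()   { _ns_compare shared "$1" "$2"; }
separate_ns() { _ns_compare separate "$1" "$2"; }

# Number of kinds shared with the reference: a quick check for a process that
# was supposed to be isolated. Fails (status 1) when the reference is unreadable.
shared_ns_count() {
    readlink "/proc/$2/ns/pid" >/dev/null 2>&1 || {
        echo "cannot read /proc/$2/ns (need same user or CAP_SYS_PTRACE)" >&2
        return 1
    }
    shared_ns "$1" "$2" | wc -l | tr -d ' '
}

# Usage: show this shell's namespaces and confirm a subshell shares all of them.
ns_ids "$$"
echo "kinds shared with a subshell: $(shared_ns_count "$$" self)"
echo "kinds separate from a subshell: $(separate_ns "$$" self | tr '\n' ' ')"
```

Run it against a process you suspect of being under-isolated (for example a container's entrypoint compared with a known host process) and `separate_ns` should list every kind the container runtime was configured to unshare; a `net` or `pid` entry missing from that list means the process shares that namespace with the reference.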
Process Namespace (PID Namespace)
The PID namespace provides process isolation by giving a group of processes its own PID number space. Each namespace has an initial process that runs as PID 1; it handles signals and reaps zombie processes. PID namespaces are hierarchical: a process in a parent namespace can see the processes in its descendant namespaces, while processes in a child namespace cannot see those of their parent. A single process can therefore have different PIDs in different namespaces.
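To make the PID 1 and multiple-PID points concrete, here is an added shell example (not from the article) that starts a process as the init of a new PID namespace and reads its `NSpid` line from `/proc/<pid>/status` in the parent namespace, where the same process shows up under two PIDs. It assumes util-linux `unshare`, a kernel of 4.1 or later (for the `NSpid` field) and permission to create unprivileged user namespaces; the function name is this example's own.

```shell
#!/bin/sh
# Start a process as PID 1 of a fresh PID namespace and read its NSpid line from
# the parent namespace: the same process shows two PIDs, one per namespace.
# Needs util-linux unshare, a kernel >= 4.1 (NSpid) and permission to create user
# namespaces; otherwise the function prints "skipped" and returns 2.
# The function name is this example's own.

pid_namespace_demo() {
    # --user --map-root-user: become root in a new user namespace, which grants the
    #   capability needed to create the PID namespace without real root.
    # --fork: unshare forks after unsharing, so the child is the new namespace's
    #   init (PID 1). Add --mount-proc when running ps or a shell inside.
    unshare --user --map-root-user --fork --pid sleep 30 2>/dev/null &
    launcher=$!

    # From our namespace the child is just another process; find it by parent PID.
    child=""
    for try in 1 2 3; do
        sleep 1
        child=$(grep -l -x "PPid:[[:space:]]*$launcher" /proc/[0-9]*/status 2>/dev/null \
                | head -n 1 | cut -d/ -f3)
        [ -n "$child" ] && break
    done
    if [ -z "$child" ]; then
        wait "$launcher" 2>/dev/null || true
        echo "skipped: could not create a PID namespace here"
        return 2
    fi

    # NSpid lists the process's PID in each namespace from the reader's down to
    # its own, e.g. "NSpid:  12345  1".
    awk '/^NSpid:/ { print "outer pid " $2 ", inner pid " $3 }' "/proc/$child/status"

    # A namespace's init ignores signals it has no handler for, even from the parent
    # namespace; SIGKILL is the exception, and killing init tears the namespace down.
    kill -9 "$child" 2>/dev/null || true
    wait "$launcher" 2>/dev/null || true
    return 0
}

pid_namespace_demo || true
```

The outer PID is what `ps` on the host reports; inside the namespace the same process is PID 1, and once it exits the kernel kills everything else in that namespace.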
Network Namespace
The network namespace gives a group of processes its own independent network stack. Each network namespace has its own IP addresses, network interfaces, firewall rules (iptables) and routing table. Namespaces are isolated and cannot communicate with each other without a virtual link such as a veth pair. A process has no knowledge of processes in other network namespaces, as if they were on different hosts.
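The following added shell example (not part of the article) shows the empty stack a new network namespace starts with next to the host's view. It reads `/proc/net/dev` and `/proc/net/route` rather than calling `ip`, because `/proc/net` resolves to `/proc/self/net` and so always reflects the network namespace of the reading process. It assumes util-linux `unshare` and permission to create unprivileged user namespaces; the function names are this example's own.

```shell
#!/bin/sh
# Show the network stack inside a fresh network namespace next to the host's.
# /proc/net is a symlink to /proc/self/net, so it always reflects the network
# namespace of the reading process; no `ip` binary is required.
# Needs util-linux unshare and permission to create user namespaces; otherwise
# new_netns_view prints nothing and returns non-zero. Function names are this
# example's own.

# Interfaces visible to the caller, from the two-line-header table /proc/net/dev.
list_ifaces() {
    tail -n +3 /proc/net/dev | sed 's/^ *//; s/:.*//'
}

# Number of routes in the caller's IPv4 routing table (/proc/net/route minus header).
route_count() {
    tail -n +2 /proc/net/route | wc -l | tr -d ' '
}

# The same two checks executed inside a new network namespace. A new namespace
# starts with a loopback device only (and it is down), no routes and no firewall
# rules, and nothing can reach it until a veth pair or similar links it to another
# namespace.
new_netns_view() {
    unshare --user --map-root-user --net sh -c '
        printf "interfaces: "; tail -n +3 /proc/net/dev | sed "s/^ *//; s/:.*//" | tr "\n" " "; echo
        printf "routes: %s\n" "$(tail -n +2 /proc/net/route | wc -l | tr -d " ")"
    ' 2>/dev/null
}

echo "outside: interfaces: $(list_ifaces | tr '\n' ' ')"
echo "outside: routes: $(route_count)"
echo "inside a new netns:"
new_netns_view || echo "skipped: could not create a network namespace here"
```

Inside the new namespace the output is `interfaces: lo` and `routes: 0`; the host's interfaces, addresses and routes are simply not there, which is why a container that needs connectivity must be given a veth end (or similar) and an address explicitly.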
IPC Namespace (Inter-Process Communication)
The IPC namespace isolates the OS-level communication mechanisms a group of processes uses. Without this isolation, any process could attach to shared memory created by another process, which weakens security. Each IPC namespace has its own shared memory segments, semaphores and message queues; processes inside the same namespace can read and write the same shared memory.
Mount Namespace
The mount namespace provides file system isolation through a per-namespace mount table. Each namespace has its own mount table listing the file systems or directories and where they are mounted. Linux keeps a separate mount table per namespace, not just the files themselves, so that different groups of processes see different views of the file system.
User Namespace
The user namespace isolates user identity across namespaces. Each user namespace maps the user and group IDs inside the namespace to IDs outside it, allowing a process to run as root inside the namespace while being an unprivileged user outside.
UTS Namespace
The UTS namespace isolates system identifiers such as the hostname and domain name for a group of processes or a single process. Each UTS namespace has its own identifiers, so processes in different namespaces appear to be running on different machines.
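The user and UTS namespaces combine naturally, since the root-inside mapping of the user namespace is what lets an unprivileged user change the hostname in a UTS namespace it owns. The added shell example below (not part of the article) enters both, prints the uid and `uid_map` seen inside, changes the hostname there and then shows the host's name unchanged. It assumes util-linux `unshare`, the `hostname` utility and permission to create unprivileged user namespaces; the function name and the hostname `ns-demo-host` are this example's own.

```shell
#!/bin/sh
# Enter a new user namespace in which the caller is mapped to uid 0, plus a new UTS
# namespace, change the hostname there and show that the host keeps its own.
# Needs util-linux unshare and permission to create user namespaces; otherwise the
# function prints "skipped" and returns 2. The function name is this example's own.

user_uts_demo() {
    before=$(cat /proc/sys/kernel/hostname)
    # --map-root-user writes /proc/self/uid_map so that uid 0 inside == our uid outside.
    # Root inside holds capabilities only over resources owned by this user namespace,
    # such as the UTS namespace created alongside it, which is why sethostname succeeds.
    inside=$(unshare --user --map-root-user --uts sh -c '
        hostname ns-demo-host 2>/dev/null
        map=$(tr -s " \t" " " < /proc/self/uid_map | sed "s/^ //")
        printf "uid=%s hostname=%s uid_map=[%s]\n" "$(id -u)" "$(cat /proc/sys/kernel/hostname)" "$map"
    ' 2>/dev/null) || { echo "skipped: user namespaces unavailable here"; return 2; }
    after=$(cat /proc/sys/kernel/hostname)
    echo "inside:  $inside"
    echo "outside: uid=$(id -u) hostname=$after uid_map=[$(tr -s ' \t' ' ' < /proc/self/uid_map | sed 's/^ //')]"
    # the host's name must be untouched by the change made inside
    [ "$before" = "$after" ]
}

user_uts_demo || true
```

The inside line reads `uid=0 hostname=ns-demo-host uid_map=[0 <your uid> 1]`: a single-entry map, so "root" in there is your ordinary uid as far as the rest of the system (file ownership, other namespaces) is concerned, while the outside map is the full `0 0 4294967295` identity mapping of the initial namespace.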