| Original author(s) | Al Viro |
|---|---|
| Developer(s) | Eric W. Biederman, Pavel Emelyanov, Al Viro, Cyrill Gorcunov et al. |
| Initial release | 2002 |
| Written in | C |
| Operating system | Linux |
| Type | System software |
| License | GPL and LGPL |
Namespaces are a feature of the Linux kernel that isolates and virtualizes system resources of a collection of processes. Examples of resources that can be virtualized include process IDs, hostnames, user IDs, network access, interprocess communication, and filesystems. Namespaces are a fundamental aspect of containers on Linux.
Linux developers use the term namespace to refer both to the namespace kinds and to specific instances of those kinds.
A Linux system is initialized with a single instance of each namespace type. After initialization, additional namespaces can be created or joined.
Linux namespaces were inspired by the more general namespace functionality used heavily throughout Plan 9 from Bell Labs.
Linux namespaces originated in 2002 in the 2.4.19 kernel with work on the mount namespace kind. Additional namespace kinds have been added since 2006, and more continue to be added.
Adequate container support was completed in kernel version 3.8 with the introduction of user namespaces.
As of kernel version 4.10, there are 7 kinds of namespaces. Namespace functionality is the same across all kinds: each process is associated with a namespace and can only see or use the resources associated with that namespace and, where applicable, with its descendant namespaces. In this way each process (or group of processes) can have its own view of the resource. Which resource is isolated depends on the kind of namespace that has been created for a given process group.
Mount namespaces control mount points. Upon creation, the mounts from the current mount namespace are copied to the new namespace, but mount points created afterwards do not propagate between namespaces (using shared subtrees, it is possible to propagate mount points between namespaces).
The clone flag CLONE_NEWNS, short for "NEW NameSpace", was used because the mount namespace kind was the first to be introduced. At the time, nobody thought of other namespaces, but the name has stuck for backwards compatibility.
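As an added example (not code from the original article), the following C program shows how to tell which mount namespace instance a process belongs to. The kernel exposes every namespace a process is in as a symlink under /proc/<pid>/ns/; the link target, for example mnt:[4026531840], names the kind and an inode number that identifies the instance, so two processes are in the same mount namespace exactly when their mnt inodes match. The program parses that form, reads the caller's own mount namespace, then forks a child that calls unshare(CLONE_NEWNS) and checks whether the child landed in a different instance. Creating a mount namespace needs CAP_SYS_ADMIN, so an unprivileged run reports EPERM instead of failing outright. The link target parsed in main() is a constructed sample value.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case the GNU extensions in <sched.h> were not enabled. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
int unshare(int flags);

/* Parse the target of a /proc/<pid>/ns/<kind> symlink, e.g. "mnt:[4026531840]",
 * into its kind and inode number. Returns 0 on success, -1 on malformed input. */
int parse_ns_link(const char *target, char *kind, size_t kind_len, unsigned long *ino)
{
    const char *colon = strchr(target, ':');
    if (!colon || colon[1] != '[') return -1;
    size_t klen = (size_t)(colon - target);
    if (klen == 0 || klen + 1 > kind_len) return -1;
    memcpy(kind, target, klen);
    kind[klen] = '\0';
    char *end;
    unsigned long v = strtoul(colon + 2, &end, 10);
    if (end == colon + 2 || *end != ']') return -1;
    *ino = v;
    return 0;
}

/* Inode identifying the calling process's namespace of the given kind
 * ("mnt", "pid", ...), or 0 if /proc is unavailable or the link cannot be read. */
unsigned long own_ns_inode(const char *kind)
{
    char path[64], buf[64], k[16];
    unsigned long ino;
    snprintf(path, sizeof path, "/proc/self/ns/%s", kind);
    ssize_t n = readlink(path, buf, sizeof buf - 1);
    if (n < 0) return 0;
    buf[n] = '\0';
    return parse_ns_link(buf, k, sizeof k, &ino) == 0 ? ino : 0;
}

/* Fork a child that calls unshare(CLONE_NEWNS) and reports its mount-namespace
 * inode back over a pipe. Returns 1 if the child ended up in a different mount
 * namespace than the parent, 0 if it stayed in the same one, or -errno if the
 * kernel refused (typically EPERM without CAP_SYS_ADMIN). */
int child_gets_new_mount_ns(void)
{
    int fds[2];
    if (pipe(fds) < 0) return -errno;
    pid_t pid = fork();
    if (pid < 0) { int e = errno; close(fds[0]); close(fds[1]); return -e; }
    if (pid == 0) {
        close(fds[0]);
        int err = unshare(CLONE_NEWNS) < 0 ? errno : 0;
        unsigned long ino = err ? 0 : own_ns_inode("mnt");
        unsigned long msg[2] = { (unsigned long)err, ino };
        ssize_t w = write(fds[1], msg, sizeof msg);
        _exit(w == (ssize_t)sizeof msg ? 0 : 1);
    }
    close(fds[1]);
    unsigned long msg[2] = { 0, 0 };
    ssize_t r = read(fds[0], msg, sizeof msg);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (r != (ssize_t)sizeof msg) return -EIO;
    if (msg[0]) return -(int)msg[0];
    unsigned long parent_ino = own_ns_inode("mnt");
    if (!parent_ino || !msg[1]) return -ENOENT;
    return parent_ino != msg[1];
}

int main(void)
{
    /* Constructed sample of the form readlink() returns for /proc/self/ns/mnt. */
    char kind[16];
    unsigned long ino = 0;
    if (parse_ns_link("mnt:[4026531840]", kind, sizeof kind, &ino) == 0)
        printf("sample link: kind=%s inode=%lu\n", kind, ino);
    printf("own mount namespace inode: %lu\n", own_ns_inode("mnt"));
    int r = child_gets_new_mount_ns();
    if (r < 0) printf("unshare(CLONE_NEWNS) failed: %s\n", strerror(-r));
    else printf("child is in %s mount namespace\n", r ? "a new" : "the same");
    return 0;
}
```

Build with `cc -o mntns mntns.c` and run it once as an ordinary user and once with CAP_SYS_ADMIN to see the two outcomes. Comparing the mnt inode of a process against that of PID 1 is the same check an incident responder uses to decide whether a suspicious process is confined to a container's mount namespace or is running in the host's.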
The PID namespace provides processes with a set of process IDs (PIDs) independent of those in other namespaces. PID namespaces are nested: when a new process is created, it has a PID in each namespace from its current namespace up to the initial PID namespace. Hence the initial PID namespace can see all processes, albeit under different PIDs than other namespaces see them with.
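The nesting described above, as an added C example that is not part of the original article: a child created with clone(CLONE_NEWPID) becomes PID 1 inside its new namespace while the parent sees an ordinary PID, and the NSpid line of /proc/<pid>/status (available since Linux 4.1) lists a process's PID at every level from the outermost namespace inward. The program parses an NSpid line (the one in main() is a constructed sample) and then spawns a child in a fresh PID namespace, reporting both the PID the parent sees and the PID the child sees for itself. Because creating a PID namespace requires CAP_SYS_ADMIN, an unprivileged run reports EPERM rather than failing outright.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case the GNU extensions in <sched.h> were not enabled. */
#ifndef CLONE_NEWPID
#define CLONE_NEWPID 0x20000000
#endif
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

/* Parse an "NSpid:" line from /proc/<pid>/status into 'out' (at most 'max' entries).
 * The line carries one PID per namespace level, outermost first, innermost last.
 * Returns the number of PIDs parsed, or -1 if the line is not an NSpid line. */
int parse_nspid(const char *line, pid_t *out, int max)
{
    const char *p = line;
    if (strncmp(p, "NSpid:", 6) != 0) return -1;
    p += 6;
    int n = 0;
    while (*p && n < max) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\0' || *p == '\n') break;
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p) return -1;
        out[n++] = (pid_t)v;
        p = end;
    }
    return n;
}

/* Entry point of the cloned child: report the PID it sees for itself via its
 * exit status. Inside a fresh PID namespace that value is 1. */
static int child_fn(void *arg)
{
    (void)arg;
    return (int)getpid();
}

/* Spawn a child in a new PID namespace. Returns the PID the child saw for
 * itself (expected 1), or -errno if the kernel refused (EPERM without
 * CAP_SYS_ADMIN). '*outer_pid' receives the PID the parent sees for the child. */
int spawn_in_new_pid_ns(pid_t *outer_pid)
{
    enum { STACK_SIZE = 64 * 1024 };
    char *stack = malloc(STACK_SIZE);
    if (!stack) return -ENOMEM;
    /* The stack grows down on Linux's common architectures, so pass its top. */
    pid_t pid = clone(child_fn, stack + STACK_SIZE, CLONE_NEWPID | SIGCHLD, NULL);
    if (pid < 0) { int e = errno; free(stack); return -e; }
    if (outer_pid) *outer_pid = pid;
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) { int e = errno; free(stack); return -e; }
    free(stack);
    if (!WIFEXITED(status)) return -ECHILD;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample: NSpid for a process two namespace levels below the initial one. */
    pid_t ids[8];
    int n = parse_nspid("NSpid:\t4242\t7\t1\n", ids, 8);
    for (int i = 0; i < n; i++)
        printf("namespace level %d: pid %d\n", i, (int)ids[i]);
    pid_t outer = 0;
    int inner = spawn_in_new_pid_ns(&outer);
    if (inner < 0) printf("clone(CLONE_NEWPID) failed: %s\n", strerror(-inner));
    else printf("parent sees pid %d, child saw itself as pid %d\n", (int)outer, inner);
    return 0;
}
```

Build with `cc -o pidns pidns.c`. The child's PID fits in the 8-bit exit status only because it is 1 in the new namespace; a general-purpose version would send the value over a pipe instead. Reading NSpid from the initial namespace is how a host-side monitor maps a PID reported from inside a container back to the host PID it can actually inspect.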