Linux namespaces provide lightweight process isolation and are the kernel primitive that container runtimes such as Docker are built on. Each namespace type virtualizes a different global resource, so a process inside the namespace sees its own instance of that resource rather than the host's.
Types of Namespaces
# Linux provides 8 namespace types:
# PID — Process IDs (process sees its own PID tree; its first process is PID 1)
# NET — Network stack (own interfaces, IPs, routing tables, netfilter rules)
# MNT — Mount points (own filesystem view)
# UTS — Hostname and NIS domain name
# IPC — Inter-process communication (System V IPC, POSIX message queues)
# USER — User and group IDs, and the capabilities that go with them
# Cgroup — Cgroup root directory (Linux 4.6+)
# Time — Offsets for CLOCK_MONOTONIC and CLOCK_BOOTTIME only, not CLOCK_REALTIME (Linux 5.6+)
# View namespaces for a process
ls -la /proc/self/ns/   # One symlink per type, e.g. net -> 'net:[4026531992]'; identical targets mean the same namespace
lsns                    # List all namespaces on the system (util-linux); without root it only sees your own processes
Creating Namespaces with unshare
# Create a new PID namespace
sudo unshare --pid --fork --mount-proc bash
ps aux   # Only shows processes in this namespace; without --mount-proc, ps would still read the host's /proc and list everything
exit
# Create a new network namespace
sudo unshare --net bash
ip addr   # Only the loopback interface, and it is down; no external interfaces
exit
# Create a new UTS namespace (change hostname without affecting host)
sudo unshare --uts bash
hostname isolated-container
hostname # Shows: isolated-container
exit
hostname # Shows: original hostname
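Every unshare call above needs root because creating PID, network and UTS namespaces requires CAP_SYS_ADMIN. The exception is the user namespace, which an unprivileged process may create, and it is what makes "root inside the namespace, unprivileged on the host" possible: the kernel translates ids through /proc/<pid>/uid_map, whose lines read INSIDE OUTSIDE COUNT. The script below is an added example, not code from the original page; `userns_demo` shows the map the kernel installs for `unshare --map-root-user`, and `map_to_host` resolves an in-namespace uid against a uid_map the way the kernel does. The 100000/65536 range is constructed, chosen because it is the shape Docker's userns-remap uses.

```shell
#!/usr/bin/env bash
# userns_map.sh - what "root inside the namespace, unprivileged on the host" means.
# Added example, not from the original page. /proc/<pid>/uid_map holds lines of
# "INSIDE OUTSIDE COUNT": ids INSIDE..INSIDE+COUNT-1 in the namespace correspond
# to OUTSIDE..OUTSIDE+COUNT-1 in the parent namespace (ultimately the host).
# The ranges used below are constructed for illustration.

# map_to_host INSIDE_ID MAP_TEXT -> host id, or "unmapped" if no range covers it
# (an unmapped id appears inside the namespace as the overflow id, 65534/nobody)
map_to_host() {
    local inside=$1 map=$2
    printf '%s\n' "$map" | awk -v id="$inside" '
        NF == 3 && id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# userns_demo - enter a new user namespace with the caller mapped to uid 0, then
# print "id -u" as seen inside it and the map the kernel installed ("0 <your uid> 1").
# Needs unprivileged user namespaces enabled (user.max_user_namespaces > 0; some
# distributions add their own sysctl); container runtimes' default seccomp
# profiles commonly block it.
userns_demo() {
    unshare --user --map-root-user sh -c 'id -u; cat /proc/self/uid_map'
}

if [ "${1-}" = demo ]; then
    userns_demo                           # 0, then e.g. "0 1000 1"
    map_to_host 0     "0 100000 65536"    # container root -> host uid 100000
    map_to_host 1000  "0 100000 65536"    # container uid 1000 -> host uid 101000
    map_to_host 65536 "0 100000 65536"    # outside the range -> unmapped
fi
```

Run it as `./userns_map.sh demo`. The point of the arithmetic is that uid 0 inside a remapped container is just uid 100000 on the host: file permissions, ptrace checks and capability checks on the host all see an unprivileged user.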
Network Namespaces with ip netns
# Create a named network namespace
sudo ip netns add testns
# Run a command in the namespace
sudo ip netns exec testns ip addr
# Only the loopback interface exists, and it is down until brought up
# Create a virtual ethernet pair to connect namespaces
sudo ip link add veth0 type veth peer name veth1
# Move one end into the namespace
sudo ip link set veth1 netns testns
# Configure IP addresses
sudo ip addr add 10.0.0.1/24 dev veth0
sudo ip link set veth0 up
sudo ip netns exec testns ip addr add 10.0.0.2/24 dev veth1
sudo ip netns exec testns ip link set veth1 up
sudo ip netns exec testns ip link set lo up
# Test connectivity
sudo ip netns exec testns ping -c 3 10.0.0.1
# Clean up: deleting the namespace destroys veth1 inside it, which also removes its peer veth0 on the host
sudo ip netns delete testns
Practical Use Case: Isolated Service
# Run a web server in its own network namespace
# This isolates its network stack only; it still shares the host's filesystem, PIDs and users
# Create namespace
sudo ip netns add webns
# Set up networking (veth pair)
sudo ip link add veth-host type veth peer name veth-web
sudo ip link set veth-web netns webns
sudo ip addr add 172.16.0.1/24 dev veth-host
sudo ip link set veth-host up
sudo ip netns exec webns ip addr add 172.16.0.2/24 dev veth-web
sudo ip netns exec webns ip link set veth-web up
sudo ip netns exec webns ip link set lo up
# Run a service in the namespace
sudo ip netns exec webns python3 -m http.server 8080   # binds 0.0.0.0, which here means only lo and veth-web
# Reachable from the host only through veth-host. The namespace has no default route,
# so the service itself cannot reach anything beyond the host unless you add a route and NAT
curl http://172.16.0.2:8080
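The two ip netns procedures above are the same sequence with different names, and they leave the namespace behind if any step fails or the service is interrupted. The following script is an added example, not from the original page: it wraps the sequence in functions, tears the namespace down on exit, and has a dry-run mode that prints the plan instead of modifying the host. The `vh-`/`vn-` interface prefixes and the addresses are assumptions; pick a subnet that does not collide with your routes.

```shell
#!/usr/bin/env bash
# netns_sandbox.sh - run one command in a fresh network namespace that is
# reachable only over a veth pair, and tear it down afterwards.
# Added example, not from the original page. The "vh-"/"vn-" interface-name
# prefixes and the example addresses are assumptions.
set -eu

# run CMD... - execute CMD, or only print it when DRY_RUN=1 so the whole plan
# can be reviewed before the host's network configuration is touched
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ifname PREFIX NAME - interface names are limited to IFNAMSIZ-1 = 15 characters
ifname() {
    printf '%s%s' "$1" "$2" | cut -c1-15
}

# sandbox_up NAME HOST_IP NS_IP - create namespace NAME, wire a veth pair
# between host and namespace, and bring up loopback inside
sandbox_up() {
    local ns=$1 host_ip=$2 ns_ip=$3 vh vn
    vh=$(ifname vh- "$ns"); vn=$(ifname vn- "$ns")
    run ip netns add "$ns"
    run ip link add "$vh" type veth peer name "$vn"
    run ip link set "$vn" netns "$ns"
    run ip addr add "${host_ip}/24" dev "$vh"
    run ip link set "$vh" up
    run ip -n "$ns" addr add "${ns_ip}/24" dev "$vn"   # ip -n NS is short for ip netns exec NS ip
    run ip -n "$ns" link set "$vn" up
    run ip -n "$ns" link set lo up
}

# sandbox_exec NAME CMD... - run CMD inside the namespace
sandbox_exec() {
    local ns=$1; shift
    run ip netns exec "$ns" "$@"
}

# sandbox_down NAME - deleting the namespace destroys the veth end inside it,
# which removes the host-side peer too, so this is the only cleanup needed
sandbox_down() {
    run ip netns delete "$1"
}

# Usage: sudo ./netns_sandbox.sh webns 172.16.0.1 172.16.0.2 python3 -m http.server 8080
# then, from the host: curl http://172.16.0.2:8080
# Nothing inside can reach beyond the host's veth end: the namespace has no default route.
if [ "$#" -ge 4 ]; then
    NS=$1 HOST_IP=$2 NS_IP=$3
    shift 3
    trap 'sandbox_down "$NS"' EXIT
    sandbox_up "$NS" "$HOST_IP" "$NS_IP"
    sandbox_exec "$NS" "$@"
fi
```

Run with `DRY_RUN=1 ./netns_sandbox.sh webns 172.16.0.1 172.16.0.2 true` first to see exactly which ip commands will be issued. The EXIT trap means a failing step or a Ctrl-C on the service still removes the namespace and both veth ends.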
How Docker Uses Namespaces
# Docker creates these namespaces per container by default:
# - PID namespace: container sees only its own processes
# - NET namespace: container gets its own network stack
# - MNT namespace: container has its own filesystem
# - UTS namespace: container has its own hostname
# - IPC namespace: isolated shared memory and message queues
# A USER namespace is created only when userns-remap is configured;
# otherwise root in the container is uid 0 on the host
# Inspect a Docker container's namespaces
docker inspect --format "{{.State.Pid}}" my-container
sudo ls -la /proc/CONTAINER_PID/ns/   # compare with /proc/1/ns/: matching targets mean that namespace is shared with the host (e.g. --net=host)
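The symlink targets under /proc/<pid>/ns are the only identity a namespace has, so comparing them type by type is how you confirm that a process (or a container, using the PID from docker inspect above) is actually isolated from the host rather than trusting the runtime's flags. The script below is an added example, not from the original page or from Docker; it serves both the "view namespaces for a process" commands earlier and the container inspection here. It accepts PIDs or ns directory paths and reports which types differ and which are shared.

```shell
#!/usr/bin/env bash
# ns_compare.sh - compare the namespaces of two processes via /proc/<pid>/ns.
# Added example, not part of the original page. Each entry there is a symlink
# whose target looks like "net:[4026531992]"; identical targets mean the two
# processes are in the same namespace. Reading another user's entries needs
# root (the kernel applies the same permission check as ptrace).

NS_TYPES="cgroup ipc mnt net pid time user uts"

# ns_dir PID|DIR -> the ns directory to read (a bare number is taken as a PID)
ns_dir() {
    case "$1" in
        ''|*[!0-9]*) printf '%s\n' "$1" ;;
        *)           printf '/proc/%s/ns\n' "$1" ;;
    esac
}

# ns_id DIR TYPE -> symlink target, or empty if unreadable or unsupported
ns_id() {
    readlink "$1/$2" 2>/dev/null || true
}

# ns_diff A B -> one line per type that differs: "TYPE ID_A ID_B"
ns_diff() {
    local a b t ia ib
    a=$(ns_dir "$1"); b=$(ns_dir "$2")
    for t in $NS_TYPES; do
        ia=$(ns_id "$a" "$t"); ib=$(ns_id "$b" "$t")
        if [ -z "$ia" ]; then
            continue   # type absent on this kernel, e.g. time before 5.6
        fi
        if [ "$ia" != "$ib" ]; then
            printf '%s %s %s\n' "$t" "$ia" "$ib"
        fi
    done
}

# ns_shared A B -> space-separated list of types A and B have in common
ns_shared() {
    local a b t ia ib out=""
    a=$(ns_dir "$1"); b=$(ns_dir "$2")
    for t in $NS_TYPES; do
        ia=$(ns_id "$a" "$t"); ib=$(ns_id "$b" "$t")
        if [ -n "$ia" ] && [ "$ia" = "$ib" ]; then
            out="$out $t"
        fi
    done
    printf '%s\n' "${out# }"
}

# Usage: sudo ./ns_compare.sh 1 "$(docker inspect --format '{{.State.Pid}}' my-container)"
# Types listed under "shared" are NOT isolated from the host. With Docker's
# defaults expect user and time here (no userns-remap, no time namespace);
# a container started with --net=host or --pid=host will also list net or pid.
if [ "$#" -eq 2 ]; then
    echo "differs:"; ns_diff "$1" "$2"
    echo "shared: $(ns_shared "$1" "$2")"
fi
```

PID 1 is a convenient reference for "the host's namespaces". The same comparison against a suspicious process is a quick forensic check for container escapes: a process that claims to be containerised but shares mnt or pid with PID 1 is not where it says it is.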
Security Benefits
- Process isolation — A compromised process cannot see or signal processes outside its PID namespace
- Network isolation — The service cannot reach network resources outside its namespace unless you route it there, as the veth setup above does
- Filesystem isolation — The process only sees its own mount tree; mount namespaces are normally combined with pivot_root onto a separate root filesystem
- User isolation — With a user namespace the process can be uid 0 inside but map to an unprivileged uid on the host; Docker only does this when userns-remap is enabled
- Namespaces hide resources, they do not by themselves confine a privileged process, and every namespace shares the one host kernel; pair them with dropped capabilities, seccomp, cgroup limits and a MAC policy (AppArmor or SELinux)