How Docker Namespaces Isolate Resources: A Deep Dive into Linux Containers
This article explains how Docker leverages Linux namespaces to isolate system resources, outlines the six core namespaces and newer additions, clarifies common misconceptions such as the Mount namespace flag, and details the internal nsproxy structure that links processes to their namespaces.
Docker uses Linux namespaces to isolate resources: every process sees a consistent view of the resources inside its own namespace, and that view is hidden from processes in other namespaces. For example, processes that share a network namespace see the same network devices, addresses and ports, and can reach each other via localhost.
There are six primary namespaces (UTS, IPC, PID, Network, Mount, User) and newer ones added in kernel 4.6 (Cgroup) and 5.6 (Time).
UTS (CLONE_NEWUTS): hostname and domain name
IPC (CLONE_NEWIPC): semaphores, message queues, shared memory
PID (CLONE_NEWPID): process IDs
Network (CLONE_NEWNET): network devices, stack, ports, etc.
Mount (CLONE_NEWNS): mount points (filesystems)
User (CLONE_NEWUSER): user and group IDs
Cgroup (CLONE_NEWCGROUP): cgroup root directory
Time (CLONE_NEWTIME): system clock
A subtle detail: the clone flag for creating a Mount namespace is CLONE_NEWNS, not CLONE_NEWMOUNT, for historical reasons: Mount was the first namespace Linux gained, and at the time there was no other kind of namespace to distinguish it from.
Namespaces do not isolate everything; for instance, before the Time namespace arrived in kernel 5.6 the system clock was shared by the host and every container, so changing the host time affected all containers.
Each process (task_struct) has an nsproxy pointer that references its namespaces:

struct task_struct {
    …
    /* namespaces */
    struct nsproxy *nsproxy;
    …
};

The nsproxy acts as a proxy to the various namespaces, as shown in the diagram below.
When a new process is created, it inherits its parent’s namespaces, which is why all processes inside a container share the same namespaces. The namespaces of a process can be inspected via files under /proc/<pid>/ns/, as illustrated below.
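To make the namespace list and the /proc/<pid>/ns/ inspection concrete, the following POSIX shell script is an added example written for this article; it is not code from the original post or from Docker. It assumes a Linux host with /proc mounted and the coreutils readlink command. Each link under /proc/<pid>/ns/ resolves to a string such as uts:[4026531838], where the number is the inode that identifies the namespace instance, so two processes share a namespace exactly when those strings match. The last function additionally assumes the util-linux unshare command and a kernel that permits unprivileged user namespaces; where that is not allowed it reports the fact instead of failing.

```shell
#!/bin/sh
# Inspect namespace membership through /proc/<pid>/ns/ (added example).

# Namespace names as they appear under /proc/<pid>/ns/, in the order the
# article lists them. "mnt" is the Mount namespace created by CLONE_NEWNS;
# cgroup (kernel 4.6) and time (kernel 5.6) are absent on older kernels.
NS_NAMES="uts ipc pid net mnt user cgroup time"

# ns_id PID NAME -> prints "NAME:[inode]", or nothing if NAME is unsupported
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null
}

# same_ns PID1 PID2 -> returns 0 when both processes share every namespace
# the kernel supports, 1 otherwise; prints one comparison line per namespace
same_ns() {
    differ=0
    for ns in $NS_NAMES; do
        a=$(ns_id "$1" "$ns")
        b=$(ns_id "$2" "$ns")
        if [ -z "$a" ]; then
            printf '%-7s not supported by this kernel\n' "$ns"
            continue
        fi
        if [ "$a" = "$b" ]; then
            printf '%-7s %s (shared)\n' "$ns" "$a"
        else
            printf '%-7s %s vs %s (different)\n' "$ns" "$a" "$b"
            differ=1
        fi
    done
    return $differ
}

# check_inheritance -> returns 0 when a freshly forked child shares all of
# this shell's namespaces: the inheritance rule that puts every process
# started inside a container into the container's namespaces
check_inheritance() {
    sleep 30 &
    child=$!
    same_ns "$$" "$child"
    rc=$?
    kill "$child" 2>/dev/null
    return $rc
}

# try_new_uts_ns -> the other direction: a process started with CLONE_NEWUTS
# (unshare -u) reports a different uts inode. Unprivileged use needs a new
# user namespace first (-U -r); returns 2 when the environment forbids it.
try_new_uts_ns() {
    here=$(ns_id "$$" uts)
    there=$(unshare -U -r -u sh -c 'readlink /proc/self/ns/uts' 2>/dev/null) || return 2
    printf 'uts in this shell:  %s\nuts after unshare:  %s\n' "$here" "$there"
    [ "$here" != "$there" ]
}

if check_inheritance; then
    echo "child inherited every namespace from its parent"
else
    echo "child and parent differ in at least one namespace"
fi

try_new_uts_ns && rc=0 || rc=$?
case $rc in
    0) echo "unshare -u placed the child in a new UTS namespace" ;;
    2) echo "unshare not permitted here; skipping the CLONE_NEWUTS demonstration" ;;
    *) echo "unexpected: unshare -u did not change the uts inode" ;;
esac
```

Running the script as an unprivileged user is enough for the inheritance check, which is the same comparison a responder makes when deciding whether a suspicious process really lives inside a container or has escaped to the host's namespaces: compare its /proc/<pid>/ns/ inodes with those of PID 1 in the container and on the host.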
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.