How Docker Uses PID Namespaces to Isolate Containers: A Deep Dive

Docker, the leading container management tool, packages applications and their dependencies into lightweight, portable containers that run consistently across development, testing, and production environments.

The core principle “build once, run anywhere” enables developers to create a Docker image once and deploy it on any Docker‑compatible platform, making it essential for cloud‑native development, micro‑services, and CI/CD pipelines.

How does Docker achieve isolation?

Most Linux containers, including Docker, rely on cgroups to impose resource limits and on namespaces to provide isolation. Namespace technology can isolate resources such as PID, mount, UTS, IPC, network, and user namespaces; this article focuses on the PID namespace.

Running an Ubuntu container demonstrates the effect:

$ docker run -it ubuntu:22.04 /bin/bash
root@3f6a2630d5cb:/#

The -it flags allocate a TTY, allowing interactive input and output inside the container.

Executing ps inside the container shows only two processes, with the first process (the shell) having PID 1:

root@3f6a2630d5cb:/# ps
PID   TTY          TIME CMD
1     pts/0        00:00:00 bash
9     pts/0        00:00:00 ps

This demonstrates that the container’s processes are isolated from the host: the shell runs as PID 1 inside the container, while on the host it retains its original PID (e.g., 100). Docker achieves this by remapping the process IDs within the PID namespace, making the container’s view of the process space independent of the host.

In Linux, creating a new PID namespace is done by passing the CLONE_NEWPID flag to clone():

int pid = clone(main_function, stack_size, CLONE_NEWPID | SIGCHLD, NULL);

The newly created process sees its PID as 1 inside the namespace, although the host still sees its real PID. Repeating the clone() call creates multiple PID namespaces, each with its own isolated process numbering.

Docker combines several namespaces (PID, mount, network, etc.) to fully isolate containers, meaning that a container is essentially a set of isolated processes.