
Understanding Docker Namespaces: How Containers Achieve Isolation

This article explains Docker's core technology by detailing how Linux namespaces—PID, Network, Mount, UTS, IPC, and User—provide process, network, filesystem, hostname, inter‑process communication, and security isolation for containers, including the underlying implementation via nsproxy and code examples.

Mike Chen's Internet Architecture

Docker uses Linux kernel namespaces to achieve containerization. Linux namespaces isolate processes and resources.

Namespaces give each container its own view of resources, preventing conflicts.

Docker namespace

Namespaces allow processes inside a container to have independent PID, network stack, filesystem mounts, hostname, domain name, and IPC resources.

Using namespaces, containers run in relatively independent environments without interfering with the host or other containers.

Namespace types

Docker employs six namespaces for isolation:

PID Namespace: Provides containers with independent process IDs.

Network Namespace: Gives each container its own network stack, devices, IP addresses, and ports.

Mount Namespace: Allows containers to have separate filesystem mount points.

UTS Namespace: Gives containers independent host and domain names.

IPC Namespace: Provides separate inter-process communication resources such as message queues and semaphores.

User Namespace: Lets container processes run with different user and group IDs, enhancing security.

Namespace principle

Each process (task_struct) has an nsproxy field that points to its associated namespaces.

/* excerpt of struct task_struct from include/linux/sched.h */
struct task_struct {
    /* namespaces */
    struct nsproxy *nsproxy;   /* points at the set of namespaces this task lives in */
    ...
}

The nsproxy acts as a proxy to various namespaces.

When a new process is created, it inherits its parent’s namespaces, so all processes in a container share the same namespaces.

During container creation, Docker invokes Linux kernel system calls to create one or more namespaces and runs container processes inside them.
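The nsproxy that each task carries is visible from user space as the links under /proc/&lt;pid&gt;/ns/, whose targets name the kernel namespace objects. The following added example (not code from the original article) reads those links to show the inheritance rule above, and to audit which namespaces a process shares with PID 1, which on a Docker host reveals containers started with --pid=host or --net=host. It assumes Linux with /proc mounted; reading another user's process requires ptrace-level access, so unreadable entries are reported rather than raising.

```python
import json
import os
from typing import Dict, Optional, Set

# The six namespace types the article lists, as named under /proc/<pid>/ns/.
NS_NAMES = ("pid", "net", "mnt", "uts", "ipc", "user")

def namespace_ids(pid="self") -> Dict[str, Optional[str]]:
    """Map each /proc/<pid>/ns/ entry to its link target, e.g. 'pid:[4026531836]'.
    Equal targets mean the same kernel namespace object (what nsproxy points at).
    Reading another user's process needs ptrace-level access: unreadable -> None.
    """
    ns_dir = f"/proc/{pid}/ns"
    ids: Dict[str, Optional[str]] = {}
    for name in os.listdir(ns_dir):  # also lists cgroup/time on newer kernels
        try:
            ids[name] = os.readlink(os.path.join(ns_dir, name))
        except OSError:
            ids[name] = None
    return ids

def shared_namespaces(pid_a="self", pid_b=1) -> Set[str]:
    """Namespaces two processes have in common (unreadable entries are skipped).

    Host-side audit use: a container process that shares 'net' or 'pid' with
    PID 1 was started with --net=host or --pid=host, i.e. without that isolation.
    """
    a, b = namespace_ids(pid_a), namespace_ids(pid_b)
    return {n for n in a if a[n] is not None and a[n] == b.get(n)}

def child_inherits_namespaces() -> Set[str]:
    """Fork a child and return the namespaces it does NOT share with its parent.
    A plain fork copies the parent's nsproxy, so this should be empty; only a
    clone()/unshare() with CLONE_NEW* flags, as Docker issues, changes it.
    """
    parent_ids = namespace_ids("self")
    r, w = os.pipe()
    if os.fork() == 0:  # child: send its own namespace links to the parent
        os.close(r)
        os.write(w, json.dumps(namespace_ids("self")).encode())
        os._exit(0)
    os.close(w)
    data = b""
    while chunk := os.read(r, 4096):
        data += chunk
    os.close(r)
    os.wait()
    child_ids = json.loads(data.decode())
    return {n for n in NS_NAMES if parent_ids.get(n) != child_ids.get(n)}
```

Running `shared_namespaces(pid_of_container_process)` as root on the host lists the namespaces that process did not get isolated from the host; an empty result is what a normally started container should show.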
