
Unlock Docker Isolation: Exploring Linux’s 8 Namespace Types

This article explains how Linux namespaces provide fine‑grained isolation for Docker containers, detailing the eight namespace types, demonstrating practical unshare commands for pid, mount, uts, ipc, user, and net namespaces, and highlighting the role of cgroups for resource limits.

macrozheng

A student compared a host machine to a large house and Docker to N small rooms, each with its own bathroom, bed, and TV, illustrating container isolation.

Linux offers comprehensive isolation mechanisms, and Docker relies on classic technologies such as chroot, namespaces, and cgroups. This article focuses on namespaces.

The Linux kernel provides eight types of namespaces, each isolating one class of resource independently of the others.

1. 8 Types

You can see them listed among the options of the unshare command (unshare --help) or by reading man unshare.

mnt – isolates mount points

pid – isolates process IDs

net – isolates network devices, ports, etc.

ipc – isolates System V IPC and POSIX message queues

uts – isolates hostname and domain name

user – isolates user and group IDs

Linux added two more namespace types in later kernel versions: cgroup (kernel 4.6) and time (kernel 5.6), bringing the total to eight.

Control group (cgroup) namespace – isolates cgroup root directory

Time namespace – isolates system time

2. An Example

Using unshare, you can quickly create isolated environments. The simplest demonstration uses a pid namespace.

On a typical Linux host, PID 1 is the systemd (init) process. Inside a Docker container, running ps shows only a handful of processes, because the container has its own PID namespace.

Run the following command to enter an isolated environment with bash as the init process:

unshare --pid --fork --mount-proc /bin/bash

The result (see image) shows bash as PID 1, while processes from the host and other namespaces are invisible.

Inside the isolated shell, run sleep 1000. In another terminal on the host, run pstree to see that the sleep process belongs to a different PID namespace, as shown in the following image.

3. Try It Yourself

Create a mount namespace:

unshare --mount --fork /bin/bash

Create a UTS namespace to give the container its own hostname:

unshare --uts --fork /bin/bash

Change the hostname inside with the hostname command.

Create an IPC namespace, which isolates all inter‑process communication mechanisms:

unshare --ipc --fork /bin/bash

Create a user namespace, allowing separate user and group IDs in each namespace (-r maps the current user to root inside it):

unshare --user -r /bin/bash

Create a network namespace to isolate network devices, IP addresses, and ports:

unshare --net --fork /bin/bash
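To check that one of the commands above actually placed a process in a new namespace, compare the /proc/<pid>/ns/* links: each resolves to "<type>:[<inode>]", and two processes share a namespace of a given type exactly when the inode matches. The script below is an added example, not part of the original article; it assumes util-linux unshare is installed and uses unshare --user -r so that no root privileges are needed.

```shell
#!/bin/sh
# Added example: inspect namespace membership via /proc/<pid>/ns/<type>.

# ns_id PID TYPE -> prints e.g. "uts:[4026531838]" (PID may be "self")
ns_id() {
  readlink "/proc/$1/ns/$2"
}

# same_ns PID_A PID_B TYPE -> exit status 0 when both processes share that namespace
same_ns() {
  [ "$(ns_id "$1" "$3")" = "$(ns_id "$2" "$3")" ]
}

# ns_diff PID_A PID_B -> prints the namespace types in which the two processes
# differ, space-separated, over all eight types (cgroup and time only exist on
# kernels >= 4.6 / 5.6, so missing links are skipped rather than treated as a diff)
ns_diff() {
  out=""
  for t in mnt pid net ipc uts user cgroup time; do
    [ -e "/proc/$1/ns/$t" ] && [ -e "/proc/$2/ns/$t" ] || continue
    same_ns "$1" "$2" "$t" || out="$out $t"
  done
  printf '%s\n' "${out# }"
}

# unshared_ns_id TYPE -> the TYPE namespace id seen by a child shell placed in a
# fresh user+TYPE namespace. Works for uts/ipc/net/mnt without --fork; a pid
# namespace would need --fork as in the article. Prints nothing when the kernel
# or a seccomp policy (e.g. Docker's default profile) refuses the unshare call.
unshared_ns_id() {
  unshare --user -r "--$1" sh -c "readlink /proc/\$\$/ns/$1" 2>/dev/null || :
}

# Walk-through: this shell against itself (no differences), then against a child
# that was given its own UTS namespace.
main_demo() {
  printf 'self vs self differs in: [%s]\n' "$(ns_diff self $$)"
  child=$(unshared_ns_id uts) || child=""
  if [ -n "$child" ]; then
    printf 'uts here %s, in unshared child %s\n' "$(ns_id self uts)" "$child"
  else
    echo 'unshare refused here (needs unprivileged user namespaces or root)'
  fi
}
main_demo
```

Run it inside one of the unshare shells above with a host PID as the second argument to ns_diff (e.g. ns_diff self 1, which requires the right to read PID 1's namespace links) to see exactly which types the shell was isolated in.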

End

Through various namespaces, Linux can finely isolate resources. Docker is essentially “new wine in an old bottle,” adding a central registry and convenient commands on top of these isolation mechanisms.

CPU and memory limits are handled by cgroups, not by namespaces; a future article will cover cgroups.

Below is a Docker lifecycle diagram (source: http://docker-saigon.github.io/post/Docker-Internals/). Feel free to contact the author for the image.

Docker tooling is now mature; understanding these low‑level principles helps you master containers, whether using Google’s own solution or continuing with Docker.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
