Cloud Native 7 min read

Unlocking Linux Namespaces: How Docker Leverages Classic Isolation Techniques

This article explains how Docker relies on Linux's eight namespace types and cgroups to achieve fine‑grained isolation, demonstrates practical unshare commands for PID, mount, UTS, IPC, user, and network namespaces, and highlights the role of namespaces in container security and resource management.


A student once compared a host machine to a large house, with Docker dividing it into many small compartments, each with its own bathroom, bed, and TV.

Linux provides comprehensive isolation mechanisms so that each compartment operates independently, even if neighboring compartments are busy.

Docker builds this isolation from three classic Linux mechanisms: a private root filesystem (the chroot idea; runc, the runtime under Docker, normally switches roots with pivot_root inside a mount namespace), namespaces, and cgroups. This article focuses on namespaces, the fundamental building block of container isolation.

The Linux kernel currently defines eight namespace types, each isolating one class of resource.

1. The 8 Namespace Types

Linux supports the following namespaces. The authoritative description is man 7 namespaces; the unshare(1) flags that create each type are documented in man unshare; and lsns lists the namespaces currently in use on a system:

Mount (mnt) – isolates the set of mount points, i.e. the filesystem view a process sees.

Process ID (pid) – isolates process ID numbers; the first process in a new PID namespace is PID 1 there, while the parent namespace still sees it under an ordinary PID.

Network (net) – isolates network devices, IP addresses, routing tables, firewall rules, and ports.

Interprocess Communication (ipc) – isolates System V IPC objects and POSIX message queues.

UTS – isolates the hostname and NIS domain name.

User – isolates user and group IDs, and with them the capabilities a process holds.

Linux added two more namespace types in later kernel versions: cgroup (kernel 4.6) and time (kernel 5.6), bringing the total to eight.

Control group (cgroup) – virtualizes the view of the cgroup hierarchy, so a process sees its own cgroup as the root.

Time – virtualizes CLOCK_MONOTONIC and CLOCK_BOOTTIME through per-namespace offsets; wall-clock time (CLOCK_REALTIME) is not isolated.
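As an added example (not part of the original article), the script below reads the /proc/<pid>/ns symlinks to see which namespaces a process belongs to and compares them against a reference process. This is the practical check for whether a container process was started with --pid=host or --net=host: the namespace inode numbers match the host's. It assumes a Linux /proc; comparing another user's process against PID 1 needs root or CAP_SYS_PTRACE, otherwise those entries are reported as unavailable.

```shell
#!/bin/sh
# Added example: read namespace membership from /proc/<pid>/ns.
# Each entry is a symlink such as "net:[4026531840]"; two processes are in
# the same namespace of a given type exactly when the inode numbers match.

NS_TYPES="cgroup ipc mnt net pid time user uts"

# ns_id PID TYPE: print the "type:[inode]" identifier; fail if unreadable
# (no ptrace permission, or the kernel predates that type, e.g. time < 5.6).
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null
}

# ns_compare PID REF: one line per type, "<type> shared|separate|unavailable",
# comparing PID's namespaces with REF's (REF=1 compares against host init).
ns_compare() {
    pid=$1
    ref=$2
    for t in $NS_TYPES; do
        a=$(ns_id "$pid" "$t") || { echo "$t unavailable"; continue; }
        b=$(ns_id "$ref" "$t") || { echo "$t unavailable"; continue; }
        if [ "$a" = "$b" ]; then
            echo "$t shared"
        else
            echo "$t separate"
        fi
    done
}

# shared_with PID REF: only the namespace types PID shares with REF.
# Docker does not create user or time namespaces by default, so those are
# normally shared with the host; a shared pid or net namespace for a
# container process means it was started with --pid=host or --net=host.
shared_with() {
    ns_compare "$1" "$2" | awk '$2 == "shared" { print $1 }'
}

# Demo: compare this shell with PID 1. On a plain host everything is shared;
# inside a container mnt, pid, net, ipc and uts should be separate.
echo "namespaces of PID $$ relative to PID 1:"
ns_compare "$$" 1
```

Run it inside a container and on the host side (ns_compare <container-pid> 1) to see the same process from both views: the inodes are identical for every type the container shares with the host.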

2. A Simple Example

Using the unshare command, we can quickly create isolated environments. Creating most namespace types requires CAP_SYS_ADMIN, so run these as root, or add --user -r in front of the other flags to do the same from an unprivileged user namespace where the kernel allows it. The following creates a PID namespace:

<code>unshare --pid --fork --mount-proc /bin/bash</code>

Inside this shell, bash has PID 1, and because --mount-proc mounted a fresh /proc for the new namespace, ps shows only the processes that belong to it; host processes are invisible.

Run sleep 1000 inside the namespace and compare the two views. Inside, ps shows sleep with a low PID as a child of PID 1. On the host, pstree shows the same sleep under unshare and bash with an ordinary host PID. PIDs are namespaced, not hidden from the parent: the host can still see, signal, and kill the namespaced processes, while the namespace cannot see or signal anything outside itself.

Other namespace experiments can be performed with similar unshare commands:

<code>unshare --mount --fork /bin/bash</code>

Creates a mount namespace with independent mount points: mounts and unmounts made inside are invisible to the host, because unshare(1) sets mount propagation to private in the new namespace by default.

<code>unshare --uts --fork /bin/bash</code>

Isolates the hostname; you can change it with the hostname command without affecting the host.

<code>unshare --ipc --fork /bin/bash</code>

Isolates System V IPC objects (shared memory segments, semaphores, message queues) and POSIX message queues. Pipes and signals are not IPC-namespace resources: pipes are ordinary file descriptors, and signal visibility is governed by the PID namespace.

<code>unshare --user -r /bin/bash</code>

Creates a user namespace and, with -r, maps the current user to UID 0 inside it. An unprivileged user thus becomes "root" within the namespace, holding capabilities that are valid only there; on the host the process is still the same unprivileged user. This is the mechanism behind rootless Docker, and it is also why many hardened distributions restrict unprivileged user namespaces: they expose privileged kernel code paths to ordinary users.

<code>unshare --net --fork /bin/bash</code>

Isolates network devices, IP addresses, routes, firewall rules, and ports. A new network namespace contains only a down loopback interface until you add virtual ethernet (veth) pairs, which is how Docker's bridge networking connects a container to the host.
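The six experiments above, gathered into one script as an added example (not code from the article): for each namespace type it starts a child with the matching unshare flag and checks that the child's /proc/self/ns entry differs from the parent's, then demonstrates the two effects that matter most for containers, a hostname change that does not leak to the host and a network namespace that starts with only lo. It wraps everything in unshare -Ur (an unprivileged user namespace mapped to root) so it runs without real root. It assumes util-linux unshare, a kernel with unprivileged user namespaces enabled, and the hostname command for the UTS check; ns-demo is an arbitrary hostname chosen for the example.

```shell
#!/bin/sh
# Added example: prove that each unshare flag puts the child in a new
# namespace, without real root, by wrapping everything in an unprivileged
# user namespace (-U) mapped to uid 0 (-r).

# can_unshare: 0 if this user may create namespaces on this kernel. Fails
# where unprivileged user namespaces are disabled or seccomp blocks unshare(2).
can_unshare() {
    unshare -Ur true 2>/dev/null
}

# ns_flag TYPE: the unshare(1) flag(s) that create that namespace type.
# The user namespace itself comes from -Ur, so it needs nothing extra.
ns_flag() {
    case "$1" in
        mnt)  echo "--mount" ;;
        pid)  echo "--pid --fork" ;;   # a new PID ns applies to children only
        net)  echo "--net" ;;
        ipc)  echo "--ipc" ;;
        uts)  echo "--uts" ;;
        user) echo "" ;;
        *)    return 1 ;;
    esac
}

# ns_isolated TYPE: 0 if a child started with that flag lands in a namespace
# whose /proc/self/ns/<type> inode differs from ours, 1 if it is the same
# namespace, 2 if the experiment could not be run (unknown type, unshare failed).
ns_isolated() {
    t=$1
    flag=$(ns_flag "$t") || return 2
    outside=$(readlink "/proc/self/ns/$t") || return 2
    # $flag is deliberately unquoted so "--pid --fork" splits into two args.
    inside=$(unshare -Ur $flag readlink "/proc/self/ns/$t" 2>/dev/null) || return 2
    [ "$inside" != "$outside" ]
}

# net_ifaces_inside: interface names seen from inside a fresh network
# namespace. /proc/<pid>/net follows that process's net namespace, so the
# list is read from /proc/self/net/dev instead of calling ip(8).
net_ifaces_inside() {
    unshare -Ur --net awk -F: 'NR > 2 { gsub(/ /, "", $1); print $1 }' /proc/self/net/dev
}

# uts_hostname_contained: set a hostname inside a UTS namespace (sethostname
# only needs CAP_SYS_ADMIN in the namespace's own user namespace) and confirm
# the host still reports its own name. 0 = contained, 2 = could not run.
uts_hostname_contained() {
    before=$(cat /proc/sys/kernel/hostname)
    inner=$(unshare -Ur --uts sh -c 'hostname ns-demo && cat /proc/sys/kernel/hostname' 2>/dev/null) || return 2
    after=$(cat /proc/sys/kernel/hostname)
    [ "$inner" = "ns-demo" ] && [ "$before" = "$after" ]
}

if can_unshare; then
    for t in mnt pid net ipc uts user; do
        if ns_isolated "$t"; then
            echo "$t: new namespace"
        else
            echo "$t: not isolated (status $?)"
        fi
    done
    echo "interfaces inside a new net namespace: $(net_ifaces_inside | tr '\n' ' ')"
    if command -v hostname >/dev/null 2>&1; then
        uts_hostname_contained && echo "uts: hostname change stayed inside the namespace"
    fi
else
    echo "cannot create user namespaces here (disabled, or unshare(2) blocked by seccomp)"
fi
```

If can_unshare fails on a stock distribution kernel, check kernel.unprivileged_userns_clone (Debian) or the equivalent AppArmor restriction (Ubuntu); inside a Docker container it usually fails because the default seccomp profile blocks unshare(2), which is itself a useful thing to observe.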

End

Through various namespaces, Linux can finely isolate resources, and Docker builds on these mechanisms, adding a central image repository and convenient commands.

Note that CPU and memory resource limits are not handled by namespaces but by cgroups, which will be covered in a future article.

Understanding these low‑level principles helps you master any container technology, whether you continue with Docker or explore other solutions.

Tags: Cloud Native, Docker, cgroup, Linux Namespaces, Container Isolation, unshare
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
