Unlocking Linux Namespaces: How Docker Leverages Classic Isolation Techniques
This article explains how Docker relies on Linux's eight namespace types and cgroups to achieve fine‑grained isolation, demonstrates practical unshare commands for PID, mount, UTS, IPC, user, and network namespaces, and highlights the role of namespaces in container security and resource management.
A student once compared a host machine to a large house, with Docker dividing it into many small compartments, each with its own bathroom, bed, and TV.
Linux provides comprehensive isolation mechanisms so that each compartment operates independently, even if neighboring compartments are busy.
Docker achieves this isolation using three classic Linux technologies: chroot, namespaces, and cgroups. This article focuses on namespaces, the fundamental element of container isolation.
The Linux kernel defines eight types of namespaces, each isolating a specific kind of resource.
1. The 8 Namespace Types
Linux supports the following namespaces, each of which corresponds to an option of the unshare command (see man unshare):
Mount (mnt) – isolates mount points.
Process ID (pid) – isolates process IDs.
Network (net) – isolates network devices, ports, etc.
Interprocess Communication (ipc) – isolates System V IPC and POSIX message queues.
UTS – isolates hostname and domain name.
User – isolates user and group IDs.
Linux added two more namespace types in later kernel versions: cgroup (kernel 4.6) and time (kernel 5.6), bringing the total to eight.
Control group (cgroup) – isolates the cgroup root directory.
Time – isolates the system clock.
2. A Simple Example
Using the unshare command, we can quickly create isolated environments. The following creates a PID namespace:

    unshare --pid --fork --mount-proc /bin/bash

Inside this shell, the process ID of bash is 1, and processes from the host are invisible.
Running sleep 1000 inside the namespace and then checking pstree on the host shows a separate process tree, confirming that the PID namespace is isolated.
Other namespace experiments can be performed with similar unshare commands:

    unshare --mount --fork /bin/bash
Creates a mount namespace with independent mount points.

    unshare --uts --fork /bin/bash
Isolates the hostname; you can change it with the hostname command.

    unshare --ipc --fork /bin/bash
Isolates inter-process communication mechanisms (pipes, signals, shared memory, etc.).

    unshare --user -r /bin/bash
Creates a user namespace, allowing separate user accounts that do not interfere with each other.

    unshare --net --fork /bin/bash
Isolates network devices, IP addresses, and ports.
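The unshare experiments above can be verified from outside the shell they create: every process exposes its namespace membership as symlinks under /proc/<pid>/ns/, and two processes are in the same namespace of a type exactly when the link targets carry the same inode number. The script below is an added example, not code from the original article; it compares the namespace membership of two PIDs (for instance PID 1 on the host and a container process) so you can confirm which of the eight namespaces a container really has to itself.

```shell
#!/bin/sh
# Added example: report which Linux namespaces two processes share by comparing
# the /proc/<pid>/ns/<type> symlinks. Each link resolves to "<type>:[<inode>]".
# Run on the host with a container's PID to check its isolation: a container
# started with --net=host or --pid=host will show "net" or "pid" as shared.
# Reading another user's /proc/<pid>/ns links needs the same uid or CAP_SYS_PTRACE.

NS_TYPES="mnt pid net ipc uts user cgroup time"

# ns_inode 'pid:[4026531836]' -> 4026531836
ns_inode() {
    l=${1#*:}        # strip the "type:" prefix -> "[4026531836]"
    l=${l#?}         # drop the leading "["
    echo "${l%?}"    # drop the trailing "]"
}

# ns_id PID TYPE -> inode of PID's namespace of TYPE; fails if unreadable or
# the kernel does not support that namespace type
ns_id() {
    target=$(readlink "/proc/$1/ns/$2" 2>/dev/null) || return 1
    ns_inode "$target"
}

# shared_ns PID1 PID2 -> prints, space-separated, the namespace types in which
# both processes live (empty if they share none or one PID does not exist)
shared_ns() {
    out=""
    for t in $NS_TYPES; do
        a=$(ns_id "$1" "$t") || continue
        b=$(ns_id "$2" "$t") || continue
        [ "$a" = "$b" ] && out="$out $t"
    done
    echo "${out# }"
}

# isolation_report PID -> one line per namespace type, compared against PID 1
isolation_report() {
    for t in $NS_TYPES; do
        a=$(ns_id 1 "$t") || { echo "$t: unreadable"; continue; }
        b=$(ns_id "$1" "$t") || { echo "$t: unreadable"; continue; }
        if [ "$a" = "$b" ]; then echo "$t: shared with PID 1"; else echo "$t: private"; fi
    done
}

# Usage: ./ns_report.sh <pid>  (defaults to this shell, which shares everything)
isolation_report "${1:-$$}"
```

On the host, a default Docker container typically reports mnt, pid, net, ipc and uts as private while user and time remain shared, since Docker does not use those two namespaces unless configured to.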
3. Summary
Through various namespaces, Linux can finely isolate resources, and Docker builds on these mechanisms, adding a central image repository and convenient commands.
Note that CPU and memory resource limits are not handled by namespaces but by cgroups, which will be covered in a future article.
Understanding these low‑level principles helps you master any container technology, whether you continue with Docker or explore other solutions.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.