Cloud Native 8 min read

Unlock Docker Isolation: Exploring Linux’s 8 Namespace Types

This article explains how Linux namespaces provide fine‑grained isolation for Docker containers, detailing the eight namespace types, demonstrating practical unshare commands for pid, mount, uts, ipc, user, and net namespaces, and highlighting the role of cgroups for resource limits.

macrozheng

A student compared a host machine to a large house and Docker to N small rooms, each with its own bathroom, bed, and TV, illustrating container isolation.

Linux offers comprehensive isolation mechanisms, and Docker relies on classic technologies such as chroot, namespace, and cgroup. This article focuses on the namespace aspect.

The Linux kernel provides eight types of namespaces, each isolating a distinct kind of resource.

1. 8 Types

You can list them with the unshare command or by reading man unshare.

- mnt – isolates mount points
- pid – isolates process IDs
- net – isolates network devices, ports, etc.
- ipc – isolates System V IPC and POSIX message queues
- uts – isolates hostname and domain name
- user – isolates user and group IDs

Linux added two more namespace types in later kernel versions: cgroup (kernel 4.6) and time (kernel 5.6), bringing the total to eight.

- cgroup – isolates the cgroup root directory
- time – isolates system time (specifically the monotonic and boot-time clocks, not the wall clock)

2. An Example

Using unshare, you can quickly create isolated environments. The simplest demonstration uses a pid namespace.

On a normal Linux host, PID 1 is the systemd process. Inside a Docker container, running ps shows only a few processes.

Run the following command to enter an isolated environment with bash as the init process:

<code>unshare --pid --fork --mount-proc /bin/bash</code>

The --mount-proc option remounts /proc so that ps inside reflects the new PID namespace; it implies a new mount namespace as well.

The result (see image) shows bash as PID 1, while processes from the host and other namespaces are invisible.

Inside the isolated shell, run sleep 1000. In another terminal on the host, run pstree to see that the sleep process belongs to a different PID namespace, as shown in the following image.
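To make the pstree check concrete, here is a small added Python script (not from the original post) that reads the namespace links under /proc/<pid>/ns and reports which namespace types separate a given process from the script itself; the file name nscmp.py and the use of pgrep to find the sleep's PID are assumptions of this example.

```python
import os
import re

# The eight namespace types as they appear under /proc/<pid>/ns/ ('time' only
# exists on kernels 5.6 and later, so a missing link is tolerated below).
NS_TYPES = ("mnt", "pid", "net", "ipc", "uts", "user", "cgroup", "time")
_NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")


def parse_ns_link(target: str) -> tuple[str, int]:
    """Split a readlink() result such as 'pid:[4026531836]' into (type, inode)."""
    match = _NS_LINK.match(target)
    if not match:
        raise ValueError(f"not a namespace link: {target!r}")
    return match.group(1), int(match.group(2))


def read_namespaces(pid) -> dict[str, int]:
    """Return {ns_type: inode} for process `pid` (an int or the string 'self').

    Reading the links of a process owned by another user needs root.
    """
    namespaces = {}
    for name in NS_TYPES:
        try:
            target = os.readlink(f"/proc/{pid}/ns/{name}")
        except FileNotFoundError:  # namespace type not supported by this kernel
            continue
        kind, inode = parse_ns_link(target)
        namespaces[kind] = inode
    return namespaces


def differing_namespaces(a: dict[str, int], b: dict[str, int]) -> list[str]:
    """Namespace types known to both processes whose inodes differ.

    Two processes share a namespace exactly when the inode numbers match, so
    the returned list names the kinds of isolation that separate them.
    """
    return sorted(kind for kind in a.keys() & b.keys() if a[kind] != b[kind])


if __name__ == "__main__":
    import sys

    # Usage (from the host): python3 nscmp.py "$(pgrep -f 'sleep 1000')"
    target = sys.argv[1] if len(sys.argv) > 1 else "self"
    diff = differing_namespaces(read_namespaces("self"), read_namespaces(target))
    print(f"PID {target} is separated from this script by: "
          f"{', '.join(diff) or 'no namespaces'}")
```

For the sleep started in the unshare'd shell above, the report names pid and mnt (the latter because --mount-proc creates a mount namespace), while net, uts and the rest are still shared with the host.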

3. Try It Yourself

Create a mount namespace:

<code>unshare --mount --fork /bin/bash</code>

Create a UTS namespace to give the container its own hostname:

<code>unshare --uts --fork /bin/bash</code>

Change the hostname inside it with hostname; the host's own hostname is unaffected.

Create an IPC namespace, which isolates all inter-process communication mechanisms:

<code>unshare --ipc --fork /bin/bash</code>

Create a user namespace, allowing separate user accounts in each namespace (-r maps your current user to root inside the namespace without granting root on the host):

<code>unshare --user -r /bin/bash</code>

Create a network namespace to isolate network devices, IP addresses, and ports:

<code>unshare --net --fork /bin/bash</code>

End

Through various namespaces, Linux can finely isolate resources. Docker is essentially “new wine in an old bottle,” adding a central registry and convenient commands on top of these isolation mechanisms.

CPU and memory limits are handled by cgroups, not by namespaces; a future article will cover cgroups.

Below is a Docker lifecycle diagram (source: http://docker-saigon.github.io/post/Docker-Internals/). Feel free to contact the author for the image.

Docker tooling is now mature; understanding these low‑level principles helps you master containers, whether using Google’s own solution or continuing with Docker.

Written by macrozheng

Dedicated to Java tech sharing and dissecting top open-source projects. Topics include Spring Boot, Spring Cloud, Docker, Kubernetes and more. Author’s GitHub project “mall” has 50K+ stars.
