The magical world of containers — Linux background — Namespace
Anyone in my LinkedIn network knows that last year I became a Certified Kubernetes Application Developer. After about 4 years of working actively with Kubernetes day by day, this certification was a great recognition of my studies.
This is why I decided to start a new post series describing what I've learned about containers and their use cases. The topics will be:
* Basic concepts
* Use cases
* Unix background
    * Namespaces
    * Control Groups
    * chroot
* Implementations
    * Docker
    * containerd
    * Orchestration and Docker Swarm
* Kubernetes
    * Architecture
    * Objects
    * CLI
* Cloud Foundry
    * Architecture
    * Application development
    * CLI
* OpenShift
    * Architecture
    * Objects
    * CLI
Before starting, I would add a caveat: this is what I understood after studying books and on the job, but it could include lots of misunderstandings, so please use these posts just as a starting point to deepen your knowledge and build your own learning roadmap (and do point me to any misunderstandings)!
How does a container achieve resource isolation? Containerization relies on a few Linux kernel features to reach this goal.
First of all, let's focus on namespaces.
As Wikipedia says, a namespace is a Linux kernel feature that partitions kernel resources so that one set of processes sees one set of resources while another set of processes sees a different set.
The idea of a namespace is common in the programming world (e.g. XML, C#, packages in Java, etc.) and helps programmers group identifiers so that they do not collide with each other. Linux namespaces offer the same kind of isolation, but at the resource level.
Since kernel version 4.6, which added the cgroup namespace, there are 7 kinds of namespaces (Linux 5.6 later added an eighth, the time namespace):
- PID: segregation by process ID
- Network: segregation by network stack
- Cgroup: segregation by cgroup root directory
- Mount: segregation by mount table
- UTS: segregation by hostname and domain name
- IPC: processes can communicate with each other via IPC only inside the same namespace
- User: segregation by user ID and group ID
Summarising this blog post from Medium: without Linux namespaces, containers cannot exist.
Without namespaces, a process running in container A could, for example, `umount` an important filesystem in container B, change the hostname of container C, or remove a network interface from container D. By namespacing these resources, the process in container A isn't even aware that the processes in containers B, C and D exist.
As listed in this post, one can list all the namespaces existing on a system with the `lsns` command (from the util-linux package).
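To make the namespace kinds above and the `lsns` command concrete, here is an added example of my own (not code from the original post, nor from util-linux) that does in miniature what `lsns` does: on Linux every process exposes one symlink per namespace kind under `/proc/<pid>/ns/`, `readlink()` on it returns something like `uts:[4026531838]`, and two processes are in the same namespace of that kind exactly when the inode number in brackets matches. The script reads those links for real pids when run on Linux, and otherwise falls back to a constructed process table (`SAMPLE_PROCS`, with made-up inode numbers) that models a host and two containers; the function and variable names are mine.

```python
"""Miniature lsns: group processes by namespace using /proc/<pid>/ns/ links.

Added example for this post, not code from the original page or from util-linux.
"""
import os
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Mapping, Set, Tuple

# The seven namespace kinds of Linux 4.6+ (the time namespace of 5.6 is omitted).
NS_KINDS = ("pid", "net", "cgroup", "mnt", "uts", "ipc", "user")

# readlink('/proc/<pid>/ns/uts') -> 'uts:[4026531838]'
_LINK_RE = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(target: str) -> Tuple[str, int]:
    """Turn a readlink() result such as 'uts:[4026531838]' into ('uts', 4026531838)."""
    m = _LINK_RE.match(target)
    if m is None:
        raise ValueError(f"not a namespace link: {target!r}")
    return m.group("kind"), int(m.group("inode"))


def read_proc_namespaces(pids: Iterable[int]) -> Dict[int, Dict[str, int]]:
    """Read /proc/<pid>/ns/<kind> for each pid (Linux only; no privileges are
    needed for your own processes). Pids that vanish or may not be inspected are skipped."""
    procs: Dict[int, Dict[str, int]] = {}
    for pid in pids:
        per_kind: Dict[str, int] = {}
        for kind in NS_KINDS:
            try:
                _, inode = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
            except (OSError, ValueError):
                continue  # permission denied, process gone, or kind unsupported by this kernel
            per_kind[kind] = inode
        if per_kind:
            procs[pid] = per_kind
    return procs


def group_by_namespace(procs: Mapping[int, Mapping[str, int]]) -> Dict[str, Dict[int, List[int]]]:
    """Map kind -> inode -> sorted list of pids, i.e. the rows lsns prints."""
    groups: Dict[str, Dict[int, List[int]]] = defaultdict(lambda: defaultdict(list))
    for pid in sorted(procs):
        for kind, inode in procs[pid].items():
            groups[kind][inode].append(pid)
    return {kind: dict(by_inode) for kind, by_inode in groups.items()}


def isolated_kinds(procs: Mapping[int, Mapping[str, int]], pid_a: int, pid_b: int) -> Set[str]:
    """Namespace kinds in which pid_a and pid_b are separated from each other."""
    a, b = procs[pid_a], procs[pid_b]
    return {k for k in NS_KINDS if k in a and k in b and a[k] != b[k]}


def format_table(procs: Mapping[int, Mapping[str, int]]) -> str:
    """Render an lsns-like table: NS (inode), TYPE, NPROCS, PIDS."""
    groups = group_by_namespace(procs)
    lines = [f"{'NS':>12} {'TYPE':<7} {'NPROCS':>6} PIDS"]
    for kind in NS_KINDS:
        for inode, pids in sorted(groups.get(kind, {}).items()):
            lines.append(f"{inode:>12} {kind:<7} {len(pids):>6} {','.join(map(str, pids))}")
    return "\n".join(lines)


# Constructed sample standing in for a /proc walk: pid 1 is the host's init,
# 100 and 101 are two processes of container A, 200 belongs to container B.
# Inode numbers are made up (real ones look like 4026531838). All four share
# the user namespace because Docker does not create user namespaces unless
# userns-remap is configured.
SAMPLE_PROCS: Dict[int, Dict[str, int]] = {
    1:   {"pid": 100001, "net": 100002, "cgroup": 100003, "mnt": 100004, "uts": 100005, "ipc": 100006, "user": 100007},
    100: {"pid": 200001, "net": 200002, "cgroup": 200003, "mnt": 200004, "uts": 200005, "ipc": 200006, "user": 100007},
    101: {"pid": 200001, "net": 200002, "cgroup": 200003, "mnt": 200004, "uts": 200005, "ipc": 200006, "user": 100007},
    200: {"pid": 300001, "net": 300002, "cgroup": 300003, "mnt": 300004, "uts": 300005, "ipc": 300006, "user": 100007},
}

if __name__ == "__main__":
    # On Linux, inspect this process and its parent; elsewhere fall back to the sample.
    live = read_proc_namespaces([os.getpid(), os.getppid()])
    print(format_table(live or SAMPLE_PROCS))
    print("container A vs B isolated in:", sorted(isolated_kinds(SAMPLE_PROCS, 100, 200)))
```

Run it inside a container and compare with `lsns` on the host: the container's processes show up in the host's table with their own pid/net/mnt/uts/ipc/cgroup inodes, but with the same user namespace inode as everything else, which is exactly why user namespaces are a separate hardening step rather than something you get for free.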
Originally published at https://gabriele-decapoa.github.io.