The magical world of containers — Linux background — Namespace
Anyone in my LinkedIn network knows last year I became a Certified Kubernetes Application Developer. After about 4 years working actively on Kubernetes day by day, this certification was a great recognition of my studies.
This is why I decided to start a new post series, describing what I’ve learned about containers and their use cases. Topics will be:
* Basic concepts
* Use cases
* Unix background
* Control Groups
* Orchestration and Docker Swarm
* Cloud Foundry
* Application development
Before starting, I would add a caveat: this is what I understood after studying on books and on the job, but could include lots of misunderstanding, so please use those posts just a starting point to deepen your knowledge, starting your own learning roadmap (and eventually point me to the misunderstandings)!
How a container achieve resource isolation? There are some Linux features used by containerization in order to achieve this goal.
First of all, let’s focus on namespaces.
As Wikipedia says, namespace is a Linux kernel’s feature that allows to partition kernel resources. Im that way, a processes’ set sees one set of resources while another processes’ set sees a different set of resources.
The idea of namespace is common in programming world (e.g. in XML, C#, the packages in Java, etc.) and helps programmers to group commands in order to isolate themselves. Same isolation is offered by Linux namespace, but a resource level.
Since kernel version 4.10, there are 7 kinds of namespaces.
- Segregation by process id (PID)
- Segregation by network stack
- Segregation by
- Segregation by mount table
- Segregation by hostname and domain name
- Processes could communicate each other via IPC into namespace
- Segregation by user ID and group ID
Summarising what said in this blog post from Medium, without Linux namespace, containers cannot exists.
Without namespaces, a process running in container A could, for example,
umountan important filesystem in container B, or change the hostname of container C, or remove a network interface from container D. By namespacing these resources, the process in container A isn’t even aware that the processes in containers B, C and D exist.
As listed in this post, one could list all namespaces existing in an operating system using
lsns command (into
Originally published at https://gabriele-decapoa.github.io.