The magical world of containers — Linux background — Namespace

Photo by Guillaume Bolduc on Unsplash

Anyone in my LinkedIn network knows last year I became a Certified Kubernetes Application Developer. After about 4 years working actively on Kubernetes day by day, this certification was a great recognition of my studies.
This is why I decided to start a new post series, describing what I’ve learned about containers and their use cases. Topics will be:

* Basic concepts
* Use cases
* Unix background
* Namespaces
* Control Groups
* chroot
* Implementations
* Docker
* containerd
* Orchestration and Docker Swarm
* Kubernetes
* Architecture
* Objects
* CLI
* Cloud Foundry
* Architecture
* Application development
* CLI
* OpenShift
* Architecture
* Objects
* CLI

Before starting, I would add a caveat: this is what I understood after studying on books and on the job, but could include lots of misunderstanding, so please use those posts just a starting point to deepen your knowledge, starting your own learning roadmap (and eventually point me to the misunderstandings)!

How a container achieve resource isolation? There are some Linux features used by containerization in order to achieve this goal.
First of all, let’s focus on namespaces.

As Wikipedia says, namespace is a Linux kernel’s feature that allows to partition kernel resources. Im that way, a processes’ set sees one set of resources while another processes’ set sees a different set of resources.

The idea of namespace is common in programming world (e.g. in XML, C#, the packages in Java, etc.) and helps programmers to group commands in order to isolate themselves. Same isolation is offered by Linux namespace, but a resource level.

Since kernel version 4.10, there are 7 kinds of namespaces.

  • Segregation by process id (PID)
  • Segregation by network stack
  • Segregation by cgroup root directory
  • Segregation by mount table
  • Segregation by hostname and domain name
  • Processes could communicate each other via IPC into namespace
  • Segregation by user ID and group ID

Summarising what said in this blog post from Medium, without Linux namespace, containers cannot exists.

Without namespaces, a process running in container A could, for example, umountan important filesystem in container B, or change the hostname of container C, or remove a network interface from container D. By namespacing these resources, the process in container A isn’t even aware that the processes in containers B, C and D exist.

As listed in this post, one could list all namespaces existing in an operating system using lsns command (into util-linux package).

Originally published at https://gabriele-decapoa.github.io.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Gabriele de Capoa

Gabriele de Capoa

Cloud software engineer, wanna-be data scientist, former Scrum Master. Agile, DevOps, Kubernetes and SQL are my top topics.