Let's start by running man namespaces
Name:
namespaces - overview of Linux namespaces
Description:
A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the
namespace that they have their own isolated instance of the global resource. Changes to the global resource
are visible to other processes that are members of the namespace, but are invisible to other processes. One use of namespaces is to implement containers.
So wtf are namespaces?
Namespaces (ns for short) are a Linux kernel feature that gives a process a logical view of a system resource that differs from the physical view on the host. Every process is a member of exactly one namespace of each type, and it can only see (and therefore name, signal, mount or connect to) that namespace's instance of the resource. This is the core idea behind containers like Docker, rkt and LXC.
A simple picture of how namespaces work can be derived backwards from their applications. Take a Docker container that runs a Node.js server. If you do docker exec -it <container name> /bin/bash
and then ps aux
you'll find the processes inside the container have low PIDs like 1, 2, 3, which would collide with the output of ps aux
on the host, where PID 1 is already init. This works because of one of the Linux namespaces, the PID namespace. It isolates the process ID number space: two processes on the same host can have the same PID if they are in different PID namespaces. The Node.js server is PID 1 inside its container's namespace, but it also has a second, ordinary PID in the host's namespace, and that is the number you see in ps aux on the host. The reverse is not true: from inside the container, the host's PIDs are simply not visible.
This resource isolation is really important for containers. Imagine running two containers on a host machine without it: ContainerA could simply kill -9 $PID
a process from ContainerB, or unmount
a disk that ContainerC depends on. BONUS: that second case is what the MNT namespace prevents.
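The PID-namespace behaviour described above, as an added example (this is not code from the original post): the program clones a child into a fresh user and PID namespace, asks the child what getpid() returns in there (it is 1), and has the child try kill() on its own host-side PID number, which fails with ESRCH because that number does not exist inside the new namespace. That is the kill -9 $PID scenario from the text, blocked. The CLONE_NEWUSER flag is what lets an unprivileged user create the PID namespace; on hosts where unprivileged user namespaces are disabled, or under Docker's default seccomp profile, clone() fails with EPERM and the program reports that instead. The struct and function names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* What the child reports back from inside the new PID namespace. */
struct ns_report {
    pid_t inner_pid;   /* getpid() inside the new namespace; expected to be 1 */
    int   probe_errno; /* errno from kill(outer_pid, 0); expected ESRCH */
};

struct ns_args {
    int to_child[2];   /* parent -> child: the child's PID as the host sees it */
    int to_parent[2];  /* child -> parent: the filled-in struct ns_report */
};

static void close_pipes(struct ns_args *a)
{
    int *fds[] = { &a->to_child[0], &a->to_child[1],
                   &a->to_parent[0], &a->to_parent[1] };
    for (int i = 0; i < 4; i++)
        if (*fds[i] >= 0) { close(*fds[i]); *fds[i] = -1; }
}

/* Runs as the first (and only) process of the new PID namespace. */
static int child_fn(void *arg)
{
    struct ns_args *a = arg;
    struct ns_report r = { .inner_pid = getpid(), .probe_errno = -1 };
    pid_t outer_pid;

    close(a->to_child[1]);
    close(a->to_parent[0]);
    /* The number the host uses for us is not a valid PID in here: the only
     * process this namespace can see is PID 1, which is ourselves. */
    if (read(a->to_child[0], &outer_pid, sizeof outer_pid) == sizeof outer_pid)
        r.probe_errno = (kill(outer_pid, 0) == 0) ? 0 : errno;
    return write(a->to_parent[1], &r, sizeof r) == sizeof r ? 0 : 1;
}

/* Creates a child in a fresh user+PID namespace and collects its view.
 * Returns 0 on success (filling *r and *outer_pid), or -errno when the kernel
 * refuses: EPERM when unprivileged user namespaces are disabled or a seccomp
 * profile blocks the flags, EINVAL without CONFIG_USER_NS, ENOSPC at the
 * namespace limit. */
int pid_ns_demo(struct ns_report *r, pid_t *outer_pid)
{
    const size_t stack_size = 1024 * 1024;
    struct ns_args a = { {-1, -1}, {-1, -1} };
    char *stack = NULL;
    pid_t child;
    int status, rc = 0;

    if (pipe(a.to_child) == -1 || pipe(a.to_parent) == -1) {
        rc = -errno;
        goto out;
    }
    if (!(stack = malloc(stack_size))) {
        rc = -ENOMEM;
        goto out;
    }
    /* The stack grows down, so clone() gets a pointer to the top of it. */
    child = clone(child_fn, stack + stack_size,
                  CLONE_NEWUSER | CLONE_NEWPID | SIGCHLD, &a);
    if (child == -1) {
        rc = -errno;
        goto out;
    }
    /* Drop the ends the parent does not use, so a dead child cannot leave the
     * read() below hanging on a pipe we ourselves still hold open. */
    close(a.to_child[0]);  a.to_child[0]  = -1;
    close(a.to_parent[1]); a.to_parent[1] = -1;
    if (write(a.to_child[1], &child, sizeof child) != sizeof child ||
        read(a.to_parent[0], r, sizeof *r) != sizeof *r)
        rc = -EIO;
    waitpid(child, &status, 0);
    *outer_pid = child;
out:
    free(stack);
    close_pipes(&a);
    return rc;
}

int main(void)
{
    struct ns_report r;
    pid_t outer;
    int rc = pid_ns_demo(&r, &outer);

    if (rc != 0) {
        printf("cannot create namespaces: %s\n", strerror(-rc));
        return 1;
    }
    printf("host sees the child as PID %d; the child sees itself as PID %d\n",
           (int)outer, (int)r.inner_pid);
    printf("inside the namespace, kill(%d, 0) -> %s\n", (int)outer,
           r.probe_errno ? strerror(r.probe_errno) : "success");
    return 0;
}
```

Build with gcc -Wall -o pidns pidns.c and run it as a normal user. The same experiment from the shell is unshare --user --pid --fork --map-root-user sh -c 'echo $$; ps' : the shell prints 1 and ps, if /proc is remounted, lists only that shell. Note the caveat the program's comment spells out: the child's PID 1 is the only process it can see, but it is not special in any other way, and nothing here stops it from using every byte of memory on the host.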
It's worth noting that namespaces don't limit resource usage; they control which resources a process can see, and so which ones it can act on. A container with its own PID namespace can still eat all the CPU and memory on the host, and limiting that is the job of cgroups. Visibility is also not the same as a hard security boundary: a container that runs as root with full capabilities can still do a lot of damage to the host, which is why container runtimes additionally drop capabilities and apply seccomp filters. BONUS#2: wtf is cgroups?
7 namespaces of Ice and Fire
- MNT - isolate the set of filesystem mount points a process sees
- UTS - isolate the hostname and NIS domain name
- IPC - isolate System V IPC objects and POSIX message queues
- PID - isolate the PID number space
- NET - isolate the network stack: interfaces, routing tables, firewall rules, sockets and port numbers
- USR - isolate UID/GID number spaces, so a process can be UID 0 inside and an unprivileged UID outside
- Cgroup - isolate the cgroup root directory, so a process sees its own cgroup as the root of the hierarchy
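The kernel exposes all seven types under /proc/<pid>/ns/ as symlinks of the form type:[inode], with the entry the list above calls USR spelled user; two processes are in the same namespace of a type exactly when those links match. The following is an added example, not code from the original post: it compares a process's seven links against those of another process (PID 1 by default) and reports in which namespaces they differ, which is the quickest way to check whether a process you are looking at during an investigation is running inside a container. The function names are mine. Reading another process's ns links requires ptrace read access to it, so the comparison against PID 1 needs root; comparing a process against itself does not.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* The seven namespace types, as named under /proc/<pid>/ns/.
 * "cgroup" only exists on Linux 4.6 and later; Linux 5.6 added an eighth
 * type, "time", which the article's list predates and this table omits. */
static const char *const NS_TYPES[] = {
    "mnt", "uts", "ipc", "pid", "net", "user", "cgroup"
};
#define NS_COUNT 7

/* Reads the "<type>:[<inode>]" link for one namespace of one process.
 * Returns 1 on success, 0 if the link cannot be read (old kernel, no /proc,
 * or no permission on someone else's process). */
static int ns_link(pid_t pid, const char *type, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, type);
    ssize_t n = readlink(path, buf, len - 1);
    if (n < 0)
        return 0;
    buf[n] = '\0';
    return 1;
}

/* Compares the namespaces of processes a and b. Sets bit i of *differ when
 * they are in different namespaces of type NS_TYPES[i]. Returns how many of
 * the seven types could be read for both processes (0 means nothing could
 * be compared, typically a permission problem). */
int ns_compare(pid_t a, pid_t b, unsigned *differ)
{
    char la[64], lb[64];
    int found = 0;

    *differ = 0;
    for (int i = 0; i < NS_COUNT; i++) {
        if (!ns_link(a, NS_TYPES[i], la, sizeof la) ||
            !ns_link(b, NS_TYPES[i], lb, sizeof lb))
            continue;
        found++;
        if (strcmp(la, lb) != 0)
            *differ |= 1u << i;
    }
    return found;
}

int main(void)
{
    unsigned differ;
    int found = ns_compare(getpid(), 1, &differ);

    if (found == 0) {
        puts("could not read /proc/1/ns/* (run as root?)");
        return 1;
    }
    printf("%d namespace types compared; this process differs from PID 1 in:",
           found);
    for (int i = 0; i < NS_COUNT; i++)
        if (differ & (1u << i))
            printf(" %s", NS_TYPES[i]);
    if (differ == 0)
        printf(" none (same namespaces as init)");
    putchar('\n');
    return 0;
}
```

Run as root on the host, the program reports "none"; run inside a Docker container (where PID 1 is the container's own entrypoint, so pass a host PID instead of 1 to compare against the host) it reports mnt, uts, ipc, pid and net, and user only if the daemon was started with user-namespace remapping. The same inode numbers are what lsns and readlink /proc/$$/ns/* show.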