Linux Format

A bit of namespaces


While this month's Administeria focuses on cgroups, we felt it would be unfair to mention Docker but ignore namespaces altogether. So here is a quick recap. Just like cgroups, namespaces in Linux come in many flavours. Many of us have heard about networking namespaces. They're a popular way to have separate networking stacks on a single box. This includes IPv4 and IPv6 stacks, so you may have several 192.168.0.1 addresses assigned, meaning different things to different processes. Typically, you create new networking namespaces with ip netns create and use ip netns exec to run a command within the namespace. A common approach is to create a virtual Ethernet (veth) pair and assign one end to the namespace while leaving the other to the host (the initial network namespace).
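The veth-pair setup just described, as an added example that is not code from the Linux Format article: the namespace name, interface names and 10.200.0.0/24 addresses are constructed for the demo, and the namespace is created with iproute2's spelling of the subcommand, ip netns add. The plan is printed first so it can be reviewed; running it needs CAP_NET_ADMIN.

```shell
#!/bin/sh
# Added example (not from the article): one veth end moves into the namespace,
# the other stays in the host (initial) network namespace.
NS="lxfdemo"                 # constructed namespace name
HOST_IF="veth-host"          # end left in the initial namespace
NS_IF="veth-ns"              # end moved into $NS
HOST_ADDR="10.200.0.1/24"    # constructed private addresses
NS_ADDR="10.200.0.2/24"

# Print the command sequence, one per line, so it can be checked before it runs.
netns_plan() {
    printf '%s\n' \
        "ip netns add $NS" \
        "ip link add $HOST_IF type veth peer name $NS_IF" \
        "ip link set $NS_IF netns $NS" \
        "ip addr add $HOST_ADDR dev $HOST_IF" \
        "ip link set $HOST_IF up" \
        "ip netns exec $NS ip addr add $NS_ADDR dev $NS_IF" \
        "ip netns exec $NS ip link set $NS_IF up" \
        "ip netns exec $NS ip link set lo up"
}

# Deleting the namespace also destroys the veth pair, so one command undoes it all.
netns_teardown_plan() {
    printf '%s\n' "ip netns del $NS"
}

# Execute the plan; needs root (CAP_NET_ADMIN) and iproute2, stops at first failure.
netns_up() {
    [ "$(id -u)" -eq 0 ] || { echo "netns_up: run as root" >&2; return 1; }
    command -v ip >/dev/null 2>&1 || { echo "netns_up: ip not found" >&2; return 1; }
    netns_plan | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || return 1
    done
}

netns_down() {
    [ "$(id -u)" -eq 0 ] || return 1
    netns_teardown_plan | sh -e
}

# Run any command inside the namespace, e.g.: netns_run ip addr show
netns_run() {
    ip netns exec "$NS" "$@"
}

# Sanity check from inside the namespace: one ping to the host end of the pair.
netns_check() {
    netns_run ping -c 1 -W 1 "${HOST_ADDR%/*}"
}
```

Inside the namespace, netns_run ip addr show lists only lo and veth-ns, which is the isolation the text describes.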

Other namespaces exist as well. With a mount namespace, you can create separate root filesystem trees, possibly with some shared directories. User namespaces are what makes the root user in a container different from the root user on the system, which is crucial for security. With UTS namespaces, you can isolate changes you make to the hostname. The IPC namespace protects message queues, semaphores and the like, and we've already mentioned the PID namespace in the main text. Last but not least, there's a cgroup namespace, which creates a new virtual root cgroup for a process. This way, host management details aren't revealed to an unprivileged container.
