Difference between revisions of "Linux Namespaces and Control Groups"

From Ever changing code
Changed in this revision:

''namespaces'' provide security and isolation by controlling what a process can see; ''control groups'' provide resource management and reporting by controlling what a process can access

Namespace Type (in kernel): → Namespaces in Linux kernel (6 ns):

Revision as of 00:36, 1 March 2020

Linux Namespaces

Namespaces were brought into the Linux kernel in version 3.8

Namespaces provide isolation so that other parts of the system remain unaffected by whatever runs within the namespace. Docker uses namespaces of various kinds to provide the isolation that containers need in order to remain portable and to avoid affecting the rest of the host system.

Namespaces in Linux kernel (6 ns):

  • User :- (1.12+ experimental) maps container users to host users. This can break other isolation items; allows for 32 nested mappings
  • PID :- Process ID - containers encapsulate everything into a single process; provides processes with an independent set of process IDs (PIDs), which avoids PID conflicts
  • Mount - controls the volume mounts visible to each container; similar to chroot
  • IPC :- Inter-Process Communication - e.g. swarm services are allowed to communicate with containers but not outside; isolates system resources from a process, while giving processes in the created IPC namespace visibility of each other, allowing inter-process communication
  • Network - gives each container its own network stack, e.g. IP addresses, routing tables, firewall rules, network devices
  • UTS :- Unix Time Sharing namespace, allows a single system to appear to have different host and domain names to different processes. This namespace determines what hostname and domain name a process running inside it sees.

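As an added example (not part of the original wiki page), the following Python script compares a process's namespace inodes under /proc/<pid>/ns/ with those of PID 1 to tell which of the six namespace types above isolate it from the host. The sample inode values are constructed, and the sample container shares the host's user and network namespaces to show how weakened isolation shows up in the report.

```python
"""Compare two processes' namespaces via /proc/<pid>/ns/* (added example).

Each entry under /proc/<pid>/ns/ is a symlink whose target looks like
'pid:[4026531836]'; two processes are in the same namespace of a type
exactly when that inode matches, so a process whose six namespaces all
match PID 1 is not isolated from the host at all.
"""
import os
import re
from typing import Dict, List

# The six namespace types the page lists, using the names the kernel
# exposes under /proc/<pid>/ns/ ("mnt" is the mount namespace).
NS_TYPES = ("user", "pid", "mnt", "ipc", "net", "uts")
_NS_LINK = re.compile(r"^[a-z_]+:\[(\d+)\]$")

def parse_ns_link(target: str) -> int:
    """Return the inode from a link target such as 'pid:[4026531836]'."""
    m = _NS_LINK.match(target)
    if not m:
        raise ValueError(f"unexpected namespace link target: {target!r}")
    return int(m.group(1))

def read_namespaces(pid: int) -> Dict[str, int]:
    """Namespace inodes of a live process (Linux only; another user's
    /proc/<pid>/ns/* needs root or CAP_SYS_PTRACE to read)."""
    return {t: parse_ns_link(os.readlink(f"/proc/{pid}/ns/{t}")) for t in NS_TYPES}

def shared_namespaces(proc: Dict[str, int], host: Dict[str, int]) -> List[str]:
    """Namespace types in which proc has the same inode as host."""
    return [t for t in NS_TYPES if t in proc and t in host and proc[t] == host[t]]

def isolation_report(proc: Dict[str, int], host: Dict[str, int]) -> Dict[str, List[str]]:
    """Split the six types into those shared with the host and those isolated."""
    shared = shared_namespaces(proc, host)
    return {"shared_with_host": shared,
            "isolated": [t for t in NS_TYPES if t not in shared]}

# Constructed sample inodes (not captured from a real system): a container
# that shares the host's user and network namespaces, as with --network=host.
SAMPLE_HOST = {"user": 4026531837, "pid": 4026531836, "mnt": 4026531840,
               "ipc": 4026531839, "net": 4026531992, "uts": 4026531838}
SAMPLE_CONTAINER = dict(SAMPLE_HOST, pid=4026532201, mnt=4026532199,
                        ipc=4026532200, uts=4026532202)

if __name__ == "__main__":
    try:  # live comparison of this process against PID 1 where /proc exists
        print(isolation_report(read_namespaces(os.getpid()), read_namespaces(1)))
    except OSError:
        print(isolation_report(SAMPLE_CONTAINER, SAMPLE_HOST))
```

Run inside a container, a non-empty "shared_with_host" list beyond the user namespace is the quickest sign that the isolation described above has been loosened.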
Control Groups

Control Groups (Cgroups) provide resource limitation and reporting capability within the container space. They allow granular control over which host resources are allocated to containers and when they are allocated. Cgroups are a Linux kernel feature that limits the resource usage of a process or group of processes.

Common Control Groups

  • CPU
  • Memory
  • Network Bandwidth
  • Disk
  • Priority