Linux namespaces

A Linux kernel feature that partitions kernel resources so that processes see isolated instances of global resources.

Linux namespaces are a kernel feature that isolates and virtualizes system resources for a group of processes. Unlike hardware virtualization, namespaces abstract resources at the operating-system level, so multiple isolated instances share the same kernel without interfering with each other's resources. They are the primary mechanism for creating the illusion of a private operating-system environment.

The kernel currently supports eight types of namespaces: mnt (mount points), pid (process IDs), net (network stacks), ipc (inter-process communication), uts (hostname/domain), user (UID/GID mappings), cgroup, and time. Each type ensures that a process perceives a private instance of a global resource, such as its own loopback interface or process tree starting with PID 1.

How it works

Isolation is managed via three primary system calls: clone() to create a new process inside new namespaces, unshare() to move the calling process out of its current namespaces into fresh ones, and setns() to join an existing one. For example, when a container starts, the runtime calls unshare() to detach the process from the host's network and mount namespaces, giving the application a clean slate.

This technology is the core building block for container engines like Docker, LXC, and Podman. By combining namespaces with cgroups, Linux can create lightweight, isolated environments that start in milliseconds. One consequence worth remembering: namespaces allow several services to listen on the same port (e.g., port 80) on a single physical host, provided each service resides in its own net namespace.
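The following is an added example, not code from the glossary entry or from any container runtime. It exercises the unshare() path described above and checks the port-80 claim directly: two child processes each detach into private user, net and UTS namespaces, set their own hostname, and bind TCP port 80, while the parent confirms that its own hostname is unchanged and that inside each child the port is still exclusive. The hostnames "svc-a" and "svc-b", the helper names and the report struct are this example's own choices; it assumes a Linux kernel with unprivileged user namespaces enabled and reports "unavailable" rather than failing where the kernel or a seccomp policy refuses the call, which is a useful check in its own right on hardened hosts.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case the headers were pulled in before _GNU_SOURCE took effect. */
#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS  0x04000000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET  0x40000000
#endif
extern int unshare(int flags);

/* What a child reports back to the parent over a pipe (constructed layout). */
struct report {
    int unshare_err;      /* errno from unshare(), 0 on success */
    unsigned long net_id; /* inode of the child's net namespace, 0 if /proc unreadable */
    int bind_first;       /* 0 if port 80 was bound, else -errno */
    int bind_second;      /* expected -EADDRINUSE: the port is taken inside this ns */
    char hostname[64];    /* hostname seen from inside the child's UTS namespace */
};

/* Parse the inode out of a /proc/<pid>/ns/<type> link target such as
 * "net:[4026531992]"; this inode is how you tell two processes' namespaces apart. */
unsigned long parse_ns_link(const char *link) {
    const char *open = strchr(link, '[');
    if (!open) return 0;
    char *end;
    unsigned long ino = strtoul(open + 1, &end, 10);
    return (*end == ']') ? ino : 0;
}

/* Namespace inode of the calling process for one namespace type ("net", "uts", ...). */
unsigned long my_ns_id(const char *type) {
    char path[64], buf[64];
    snprintf(path, sizeof path, "/proc/self/ns/%s", type);
    ssize_t n = readlink(path, buf, sizeof buf - 1);
    if (n < 0) return 0;
    buf[n] = '\0';
    return parse_ns_link(buf);
}

/* Bind a TCP socket to port 80 in the caller's current net namespace.
 * The fd is deliberately kept open so the port stays owned until the child exits. */
static int bind_port80(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(80);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { int e = errno; close(fd); return -e; }
    return 0;
}

/* Fork one child that unshares into fresh user, net and UTS namespaces and reports back. */
static int run_child(const char *name, struct report *r) {
    int p[2];
    if (pipe(p) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct report rep;
        memset(&rep, 0, sizeof rep);
        close(p[0]);
        /* CLONE_NEWUSER grants full capabilities inside the new user namespace; that is
         * what lets an unprivileged process create the net/UTS namespaces it owns,
         * call sethostname(), and bind a privileged port there. */
        if (unshare(CLONE_NEWUSER | CLONE_NEWNET | CLONE_NEWUTS) < 0) {
            rep.unshare_err = errno;
        } else {
            sethostname(name, strlen(name));
            gethostname(rep.hostname, sizeof rep.hostname - 1);
            rep.net_id = my_ns_id("net");
            rep.bind_first = bind_port80();
            rep.bind_second = bind_port80();
        }
        (void)write(p[1], &rep, sizeof rep);
        _exit(0);
    }
    close(p[1]);
    ssize_t n = read(p[0], r, sizeof *r);
    close(p[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof *r ? 0 : -1;
}

/* 1 = isolation demonstrated, 0 = kernel/sandbox does not permit unprivileged
 * namespaces (unshare refused or the child was killed, e.g. by seccomp), -1 = inconsistency. */
int demo_namespace_isolation(void) {
    char host_before[64] = {0}, host_after[64] = {0};
    gethostname(host_before, sizeof host_before - 1);
    unsigned long parent_net = my_ns_id("net");
    struct report a, b;
    if (run_child("svc-a", &a) < 0 || run_child("svc-b", &b) < 0) return 0;
    if (a.unshare_err || b.unshare_err) {
        int e = a.unshare_err ? a.unshare_err : b.unshare_err;
        return (e == EPERM || e == EINVAL || e == ENOSYS || e == EACCES) ? 0 : -1;
    }
    gethostname(host_after, sizeof host_after - 1);
    int ok = 1;
    ok &= strcmp(a.hostname, "svc-a") == 0 && strcmp(b.hostname, "svc-b") == 0; /* private UTS view */
    ok &= strcmp(host_before, host_after) == 0;                                   /* parent untouched */
    ok &= a.bind_first == 0 && b.bind_first == 0;                                 /* port 80 twice, one per net ns */
    ok &= a.bind_second == -EADDRINUSE && b.bind_second == -EADDRINUSE;           /* still exclusive within a ns */
    if (parent_net && a.net_id && b.net_id)                                       /* distinct inodes when /proc is readable */
        ok &= a.net_id != parent_net && b.net_id != parent_net && a.net_id != b.net_id;
    return ok ? 1 : -1;
}

int main(void) {
    int rc = demo_namespace_isolation();
    puts(rc == 1 ? "isolation demonstrated" : rc == 0 ? "namespaces unavailable here" : "unexpected result");
    return rc < 0;
}
```

The same /proc/<pid>/ns inode comparison that parse_ns_link() performs is what an investigator uses to tell whether a suspicious process actually lives in a container's namespaces or has escaped into the host's: readlink /proc/1/ns/net and /proc/<pid>/ns/net and compare the numbers. A result of 0 from demo_namespace_isolation() on a production host usually means unprivileged user namespaces are disabled by sysctl, AppArmor or a seccomp profile, which is a deliberate hardening choice on many distributions.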