Linux Namespaces
External
Internal
Overview
Namespaces enable creating an abstraction of a particular global system resource, making it appear as a separated instance to processes within a specific namespace. As result, several containers can use the same resource simultaneously without collisions.
Namespace Types
Mount Namespaces
The mount namespaces isolate the set of filesystem mount points seen by a group of processes. Processes in different mount namespaces can have different views of the filesystem hierarchy. mount()/umount() do not operate on a global set of mount points anymore, and instead they perform operations that affect just the mount namespace associated with the container process.
PID Namespaces
The PID namespace provides separation of processes. It removes the view of the system processes, and allows process IDs to be reused, including pid 1. Also, each container has its own unique /proc directory. The container is only aware of its own native processes and cannot "see" the processes running in different parts of the system. The host operating system is aware of processes running inside of the container, but it assigns different global PIDs.
UTS Namespaces
The UTS namespace is for setting the hostname and the domain that is visible to running processes in that namespace. Each container can have its own hostname.
IPC Namespaces
The IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues.
Network Namespaces
The network namespaces provide isolation of the network controller, system resources associated with networking, firewall and routing tables. Each network namespace has its own routing table. Each network namespace has its own complete TCP and UDP port ranges. This allows the containers to use separate virtual network stacks, loopback devices and process space.
Alos see:
User Namespaces
The user namespace allows specification of a range of UIDs dedicated to the container. Consequently, a process can have full root privileges for operations inside the container, and at the same time be unprivileged for operations outside the container.