Linux namespaces#Process ID (pid)

{{expand section|date=September 2016}}

Linux namespaces were inspired by the wider namespace functionality used heavily throughout Plan 9 from Bell Labs.{{cite web | title=The Use of Name Spaces in Plan 9 | date=1992 | url=http://www.cs.bell-labs.com/sys/doc/names.html | access-date=2016-03-24 | archive-url=https://web.archive.org/web/20140906153815/http://www.cs.bell-labs.com/sys/doc/names.html | archive-date=2014-09-06 | url-status=dead }} The Linux Namespaces originated in 2002 in the 2.4.19 kernel with work on the mount namespace kind. Additional namespaces were added beginning in 2006{{cite web|url=https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=071df104f808b8195c40643dcb4d060681742e29 |title=Linux kernel source tree |publisher=kernel.org |date=2016-10-02}} and continuing into the future.

Adequate containers support functionality was finished in kernel version 3.8{{Cite web |title=LKML: Linus Torvalds: Linux 3.8 |url=https://lkml.org/lkml/2013/2/18/476 |access-date=2024-03-22 |website=lkml.org}}{{Cite web |title=Linux_3.8 - Linux Kernel Newbies |url=https://kernelnewbies.org/Linux_3.8 |access-date=2024-03-22 |website=kernelnewbies.org}} with the introduction of User namespaces.{{Cite web|url=https://lwn.net/Articles/532593/|title = Namespaces in operation, part 5: User namespaces [LWN.net]}}

Since kernel version 5.6, there are 8 kinds of namespaces. Namespace functionality is the same across all kinds: each process is associated with a namespace and can only see or use the resources associated with that namespace, and descendant namespaces where applicable. This way, each process (or process group thereof) can have a unique view on the resources. Which resource is isolated depends on the kind of namespace that has been created for a given process group.

Mount namespaces control mount points. Upon creation the mounts from the current mount namespace are copied to the new namespace, but mount points created afterwards do not propagate between namespaces (using shared subtrees, it is possible to propagate mount points between namespaces{{cite web|url=https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt |title=Documentation/filesystems/sharedsubtree.txt |date=2016-02-25 |accessdate=2017-03-06}}).

The clone flag used to create a new namespace of this type is CLONE_NEWNS - short for "NEW NameSpace". This term is not descriptive (it does not tell which kind of namespace is to be created) because mount namespaces were the first kind of namespace and designers did not anticipate there being any others.

The PID namespace provides processes with an independent set of process IDs (PIDs) from other namespaces. PID namespaces are nested, meaning when a new process is created it will have a PID for each namespace from its current namespace up to the initial PID namespace. Hence, the initial PID namespace is able to see all processes, albeit with different PIDs than other namespaces will see processes with.

The first process created in a PID namespace is assigned the process ID number 1 and receives most of the same special treatment as the normal init process, most notably that orphaned processes within the namespace are attached to it. This also means that the termination of this PID 1 process will immediately terminate all processes in its PID namespace and any descendants.{{cite web|url=https://lwn.net/Articles/531419/ |title=Namespaces in operation, part 3: PID namespaces |date=2013-01-16 |publisher=lwn.net}}

Network namespaces virtualize the network stack. On creation, a network namespace contains only a loopback interface. Each network interface (physical or virtual) is present in exactly 1 namespace and can be moved between namespaces.

Each namespace will have a private set of IP addresses, its own routing table, socket listing, connection tracking table, firewall, and other network-related resources.

Destroying a network namespace destroys any virtual interfaces within it and moves any physical interfaces within it back to the initial network namespace.

IPC namespaces isolate processes from SysV style inter-process communication. This prevents processes in different IPC namespaces from using, for example, the SHM family of functions to establish a range of shared memory between the two processes. Instead, each process will be able to use the same identifiers for a shared memory region and produce two such distinct regions.

UTS (UNIX Time-Sharing) namespaces allow a single system to appear to have different host and domain names to different processes. When a process creates a new UTS namespace, the hostname and domain of the new UTS namespace are copied from the corresponding values in the caller's UTS namespace.{{Cite web|title=uts_namespaces(7) - Linux manual page|url=https://www.man7.org/linux/man-pages/man7/uts_namespaces.7.html|access-date=2021-02-16|website=www.man7.org}}

User namespaces are a feature to provide both privilege isolation and user identification segregation across multiple sets of processes, available since kernel 3.8.{{Cite web|url=https://lwn.net/Articles/532593/|title = Namespaces in operation, part 5: User namespaces [LWN.net]}} With administrative assistance, it is possible to build a container with seeming administrative rights without actually giving elevated privileges to user processes. Like the PID namespace, user namespaces are nested, and each new user namespace is considered to be a child of the user namespace that created it.

A user namespace contains a mapping table converting user IDs from the container's point of view to the system's point of view. This allows, for example, the root user to have user ID 0 in the container but is actually treated as user ID 1,400,000 by the system for ownership checks. A similar table is used for group ID mappings and ownership checks.

To facilitate privilege isolation of administrative actions, each namespace type is considered owned by a user namespace based on the active user namespace at the moment of creation. A user with administrative privileges in the appropriate user namespace will be allowed to perform administrative actions within that other namespace type. For example, if a process has administrative permission to change the IP address of a network interface, it may do so as long as its own user namespace is the same as (or ancestor of) the user namespace that owns the network namespace. Hence, the initial user namespace has administrative control over all namespace types in the system.{{cite web|url=https://lwn.net/Articles/532593/ |title=Namespaces in operation, part 5: User namespaces |date=2013-02-27 |publisher=lwn.net}}

The cgroup namespace type hides the identity of the control group of which the process is a member. A process in such a namespace, checking which control group any process is part of, would see a path that is actually relative to the control group set at creation time, hiding its true control group position and identity. This namespace type has existed since March 2016 in Linux 4.6.{{cite mailing list |url=https://lkml.org/lkml/2016/3/18/564 |title=[GIT PULL] cgroup namespace support for v4.6-rc1 |mailing-list=lkml |date=2016-03-18 |last=Heo |first=Tejun}}{{cite mailing list |url=https://lkml.org/lkml/2016/3/26/132 |title=Linux 4.6-rc1 |mailing-list=lkml |date=2016-03-26 |last=Torvalds| first=Linus |authorlink=Linus Torvalds}}

The time namespace allows processes to see different system times in a way similar to the UTS namespace. It was proposed in 2018 and was released in Linux 5.6, in March 2020.{{Cite web|url=https://www.phoronix.com/scan.php?page=news_item&px=Time-Namespace-In-Linux-5.6|title=It's Finally Time: The Time Namespace Support Has Been Added To The Linux 5.6 Kernel - Phoronix|website=www.phoronix.com|access-date=2020-03-30}}

The syslog namespace was proposed by Rui Xiang, an engineer at Huawei, but wasn't merged into the Linux kernel.{{Cite web |title=Add namespace support for syslog [LWN.net] |url=https://lwn.net/Articles/562389/ |access-date=2022-07-11 |website=lwn.net}} systemd implemented a similar feature called “journal namespace” in February 2020.{{Cite web |title=journal: add concept of "journal namespaces" by poettering · Pull Request #14178 · systemd/systemd |url=https://github.com/systemd/systemd/pull/14178 |access-date=2022-07-11 |website=GitHub |language=en}}

The kernel assigns each process a symbolic link per namespace kind in /proc//ns/. The inode number pointed to by this symlink is the same for each process in this namespace. This uniquely identifies each namespace by the inode number pointed to by one of its symlinks.

Reading the symlink via readlink returns a string containing the namespace kind name and the inode number of the namespace.

Three syscalls can directly manipulate namespaces:

• Clone, flags to specify which new namespace the new process should be migrated to.
• Unshare, allows a process (or thread) to disassociate parts of its execution context that are currently being shared with other processes (or threads)
• Setns, enters the namespace specified by a file descriptor.

If a namespace is no longer referenced, it will be deleted, the handling of the contained resource depends on the namespace kind. Namespaces can be referenced in three ways:

1. By a process belonging to the namespace
2. By an open file descriptor to the namespace's file (/proc//ns/)
3. A bind mount of the namespace's file (/proc//ns/)

Various container software use Linux namespaces in combination with cgroups to isolate their processes, including Docker{{cite web|url=https://docs.docker.com/engine/security/security/|title=Docker security |publisher=docker.com |accessdate=2016-03-24}} and LXC.

Other applications, such as Google Chrome make use of namespaces to isolate its own processes which are at risk from attack on the internet.{{cite web|url=https://chromium.googlesource.com/chromium/src.git/+/master/docs/linux_sandboxing.md|title=Chromium Linux Sandboxing |accessdate=2019-12-19}}

There is also an unshare wrapper in util-linux. An example of its use is:

SHELL=/bin/sh unshare --map-root-user --fork --pid chroot "${chrootdir}" "$@"

{{Reflist}}

• [http://man7.org/linux/man-pages/man7/namespaces.7.html namespaces manpage]
• [https://www.kernel.org/doc/html/latest/admin-guide/namespaces/index.html Namespaces — The Linux Kernel documentation]
• [http://www.haifux.org/lectures/299/netLec7.pdf Linux kernel Namespaces and cgroups by Rami Rosen]
• [http://www.netdevconf.org/1.1/proceedings/slides/rosen-namespaces-cgroups-lxc.pdf Namespaces and cgroups, the basis of Linux containers (including cgroups v2) - slides of a talk by Rami Rosen, Netdev 1.1, Seville, Spain (2016)]
• [https://events.static.linuxfound.org/slides/lfcs2010_kolyshkin.pdf Containers and Namespaces in the Linux Kernel by Kir Kolyshkin]

{{Virtualization software}}

{{Linux kernel}}

Category:Interfaces of the Linux kernel

Category:Linux kernel features

Category:Operating system security

Category:Virtualization software for Linux