Linux Security Technologies
Learn how Linux namespaces create isolated environments for containers and how Docker uses them to enhance security and efficiency.
Kernel namespaces
Kernel namespaces, usually shortened to namespaces, are the main technology for building containers. Let's quickly compare namespaces and containers with hypervisors and virtual machines (VMs).
Namespaces virtualize operating system constructs such as process trees and filesystems, whereas hypervisors virtualize physical resources such as CPUs and disks. In the VM model, hypervisors create virtual machines by grouping virtual CPUs, virtual disks, and virtual network cards so that every VM looks, smells, and feels like a physical machine. In the container model, namespaces create virtual operating systems (containers) by grouping virtual process trees, virtual filesystems, and virtual network interfaces so that every container looks, smells, and feels exactly like a regular OS.
Namespace security and limitations
At a very high level, namespaces provide lightweight isolation but do not provide a strong security boundary. Compared with VMs, containers are more efficient, but virtual machines are more secure.
Don’t worry, though. Platforms like Docker implement additional security technologies, such as cgroups, capabilities, and seccomp, to improve container security.
Namespaces are a tried and tested technology that’s existed in the Linux kernel for a very long time. However, they were complex and hard to work with until Docker came along and hid all the complexity behind the simple docker run command and a developer-friendly API.
Docker on Linux
At the time of writing, every Docker container gets its own instance of the following namespaces:
- Process ID (pid)
- Network (net)
- Filesystem/mount (mnt)
- Inter-process Communication (ipc)
- User (user)
- UTS (uts)
The figure below shows a single Docker host running two containers. The host OS has its own collection of namespaces we call the root namespaces, and each container has its own collection of equivalent isolated namespaces. Applications in containers think they’re running on their own host and are unaware of the root namespaces or namespaces in other containers.
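One way to see the root namespaces and a container's namespaces side by side on a Docker host, as an added example that is not part of the course material: the script below reads the namespace ids the kernel exposes under /proc/<pid>/ns for two processes and reports which of the six types listed above are isolated between them. It assumes a Linux host with procfs; the container name in the usage comment is a placeholder for your own.

```shell
#!/bin/sh
# Added example (not course code): compare the namespace ids of two
# processes via /proc/<pid>/ns to see which of the six namespace types
# Docker gives each container are actually isolated between them.
# Typical use on a Docker host, comparing host init (PID 1, the root
# namespaces) with a container's init process:
#   ns_report 1 "$(docker inspect -f '{{.State.Pid}}' <container-name>)"

NS_TYPES="pid net mnt ipc user uts"

# ns_id PID TYPE: print the kernel namespace id, e.g. "net:[4026531992]".
# Prints "unknown" when the link is not readable (no permission, process
# gone, or no procfs), so callers never see a hard failure.
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null || echo "unknown"
}

# ns_state PID_A PID_B TYPE: print "shared" if both processes live in the
# same namespace of that type, otherwise "isolated".
ns_state() {
    if [ "$(ns_id "$1" "$3")" = "$(ns_id "$2" "$3")" ]; then
        echo "shared"
    else
        echo "isolated"
    fi
}

# ns_report PID_A PID_B: one line per namespace type.
ns_report() {
    for t in $NS_TYPES; do
        printf '%-5s %s\n' "$t" "$(ns_state "$1" "$2" "$t")"
    done
}

# ns_isolated_count PID_A PID_B: how many of the six types differ.
# Against PID 1, a default Docker container typically shows the user
# namespace as shared (root inside is root on the host) unless
# userns-remap or rootless mode is in use; the other five are isolated.
ns_isolated_count() {
    n=0
    for t in $NS_TYPES; do
        if [ "$(ns_state "$1" "$2" "$t")" = "isolated" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Stand-alone run: compare this shell with PID 1 to see whether the shell
# itself is already running inside a container.
ns_report "$$" 1
echo "isolated namespaces: $(ns_isolated_count "$$" 1)"
```

Run it as root, or from inside the container, when /proc/<pid>/ns of the other process is not readable; otherwise that side reports as unknown.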