1. Overview

In this tutorial, we’ll learn about the namespace in Linux. First, we’ll define what a namespace is. Then, we’ll look at the different types of namespaces available in Linux.

Lastly, we’ll look at the lsns and ls commands and see how we can use them to get more information about namespaces.

2. What Is a Namespace?

In Linux, a namespace is a feature that allows processes to use the system resources they need but separately from other processes. A namespace is a way to virtualize a global system resource such that a process that needs it operates in an isolated instance of that resource.

Additionally, a group of resources and processes can refer to the same namespace, but each namespace has individual resources for each. Only processes in the same namespace can identify the changes made in a global resource.

We can create a namespace using the unshare command:

$ sudo unshare --uts /bin/bash
$ hostname [hostname]
$ hostname
$ exit

Here, the unshare command creates the UTS namespace and launches a shell for it. We then proceed to change the hostname and confirm if it’s set. Finally, after verifying the hostname is set, we exit the namespace.

2.1. User Namespace

The user namespace creates an isolated view of user and group IDs. Processes within the user namespace have their own set of user and group IDs through which they get different privileges in different user namespaces.

For example, process A can have a standard unprivileged user ID outside a user namespace. At the same time, process A has a user ID within a user namespace that gives it full privileges for its operation within that user namespace.

2.2. Process ID Namespace

A PID namespace provides an isolated process ID number space. In other words, a process inside a PID namespace can have the same PID in other PID namespaces.

For example, suppose that only a single instance of Firefox can run at a time, but we want to run two of them at the same time. Then, we must isolate Firefox’s PIDs (using a PID namespace) so that each runs simultaneously without being aware of the other.

2.3. Network Namespace

A network namespace provides an isolated network stack. Processes inside a network namespace have their own set of system network resources. These resources include network interfaces, IP addresses, routing tables, and other network-related resources.

Some software does not support multiple features running concurrently. For example, let’s look at an email server that already has port 25 in use. Unlike the PID namespace, even if we isolate the email server’s PID, we won’t be able to run multiple instances on port 25 since it’s still in use.

Instead, we’ll use the network namespace, which will allow processes (in this case, the email server) within the namespace instance to get a new IP address with all the ports. This makes it possible to have multiple versions of email servers listening on port 25.

2.4. Mount Namespace

A mount namespace provides an isolated view of the file system mount points. Processes inside a mount namespace have their own set of mount points (and they cannot view the mount points of different namespaces). As a result, the file system can be mounted in separate locations for unrelated namespaces.

Subsequently, it’s possible to mount and unmount filesystems in a mount namespace without affecting the host’s filesystem. We can allow a mount namespace to see additional filesystem information by mounting portions of the underlying filesystem.

2.5. IPC Namespace

The IPC namespace provides an isolated System V Inter-Process Communication (IPC). IPC handles communication between various processes through shared memory areas, message queues, semaphores, and shared memory segments.

A message queue is a data stream that preserves message boundaries. It allows multiple processes to read and write to the message queue without the processes connecting. Also, shared memory allows multiple processes to get access to the same memory block. This creates a buffer for unconnected processes to communicate.

2.6. UTS Namespace

UTS namespaces provide isolation for the NIS domain name and hostname. Each namespace has its namespace ID (NSID) that identifies it. Processes can join an existing namespace or create a new one using system calls such as clone and unshare.

Namespaces are commonly used in containerization technologies such as Docker and Kubernetes to provide isolated environments for applications.

3. Commands to View Namespaces in Linux

Let’s look at some of the commands and files we can use to view our system namespaces. We’ll look at lsns and the /proc/<PID>/ns directory.

3.1. The lsns Command

The lsns command provides information about all the namespaces in the system. It reads directly from the /proc directory. We need superuser privileges to get the complete information. Otherwise, we’ll get a brief output.

Let’s run lsns:

$ lsns -l
        NS TYPE   NPROCS   PID USER COMMAND
4026531834 time       77  1264 ahao /lib/systemd/systemd --user
4026531835 cgroup     77  1264 ahao /lib/systemd/systemd --user
4026531836 pid        77  1264 ahao /lib/systemd/systemd --user
4026531837 user       77  1264 ahao /lib/systemd/systemd --user
4026531838 uts        77  1264 ahao /lib/systemd/systemd --user
4026531839 ipc        77  1264 ahao /lib/systemd/systemd --user
4026531840 net        77  1264 ahao /lib/systemd/systemd --user
4026531841 mnt        77  1264 ahao /lib/systemd/systemd --user

In this example, lsns displays a list of the currently available namespaces in our system:

  • The ID column shows the ID of the namespace.
  • The USER column shows the owner of the namespace.
  • PID is the ID of the process that created the namespace.
  • The CLONE column displays the clone flags used to create the namespace.
  • Lastly, NEW shows the number of processes currently using the namespace.

If we check the namespace we created, we should see:

$ sudo lsns | grep 'uts'
4026532341 uts         3  2502 root   /bin/bash

If we intend to use lsns in our scripts, we must ensure that we’ve explicitly specified the mode we expect for our output.

Now, let’s look at some of the more common variations of the lsns command. For example, we can use the -t to specify the type of namespace whose information we want to view:

$ lsns -t user
        NS TYPE  NPROCS   PID USER COMMAND
4026531837 user      77  1255 ahao /lib/systemd/systemd --user

Next, let’s use the –output-all option to view all available columns:

$ lsns --output-all | grep 'uts'
4026531838 uts    /proc/1255/ns/uts        78  1255    1 /lib/systemd/systemd --user 1000 ahao           0 4026531837

3.2. Listing the /proc/1/ns Directory

Aside from running the lsns command, we can list the contents of the /proc/1/ns directory using the ls command:

$ sudo ls -lai /proc/1/ns
16348 lrwxrwxrwx 1 root root 0 Apr 17 09:47 cgroup -> 'cgroup:[4026531835]'
75375 lrwxrwxrwx 1 root root 0 Apr 17 10:00 ipc -> 'ipc:[4026531839]'
20376 lrwxrwxrwx 1 root root 0 Apr 17 09:48 mnt -> 'mnt:[4026531841]'
75373 lrwxrwxrwx 1 root root 0 Apr 17 10:00 net -> 'net:[4026531840]'
75376 lrwxrwxrwx 1 root root 0 Apr 17 10:00 pid -> 'pid:[4026531836]'
75377 lrwxrwxrwx 1 root root 0 Apr 17 10:00 pid_for_children -> 'pid:[4026531836]'
75379 lrwxrwxrwx 1 root root 0 Apr 17 10:00 time -> 'time:[4026531834]'
75380 lrwxrwxrwx 1 root root 0 Apr 17 10:00 time_for_children -> 'time:[4026531834]'
75378 lrwxrwxrwx 1 root root 0 Apr 17 10:00 user -> 'user:[4026531837]'
75374 lrwxrwxrwx 1 root root 0 Apr 17 10:00 uts -> 'uts:[4026531838]'

In this example, we’ve used the init PID (1). The command gives us a display of the attached namespaces as a list with their inode numbers. Listing the contents of the /proc/1/ns directory gives us information about the namespaces of PID 1 (the init process). From this example, we see that the init process has ten namespaces.

Apart from lsns and listing the /proc/<PID>/ns directory, we can also use ip netns list to get network namespace information. Upon running it, if there’s no output displayed, then the network namespace isn’t defined.

4. Conclusion

In this article, we’ve discussed Linux namespaces. Simply put, a namespace is a way to isolate system resources such that a process can use the system resources in its own environment. We mentioned how to create a namespace using the unshare command. Further, we discussed the types of namespaces we have in Linux. Lastly, we looked at the commands we can use to view namespaces.

Namespaces are an essential feature of Linux that improve system security, efficiency, and scalability. In addition, they allow for better resource utilization and provide a robust foundation for building powerful and flexible virtualization solutions. For instance, technologies like containers (with tools like Kubernetes and Docker) have made it possible to run applications in isolated environments.

Comments are closed on this article!