NAMESPACES(7)              Linux Programmer's Manual             NAMESPACES(7)

NAME
       namespaces - overview of Linux namespaces

DESCRIPTION
       A namespace wraps a global system resource in an abstraction that makes
       it appear to the processes within the namespace that they have their
       own isolated instance of the global resource.  Changes to the global
       resource are visible to other processes that are members of the
       namespace, but are invisible to other processes.  One use of namespaces
       is to implement containers.

       Linux provides the following namespaces:

       Namespace   Constant          Isolates
       Cgroup      CLONE_NEWCGROUP   Cgroup root directory
       IPC         CLONE_NEWIPC      System V IPC, POSIX message queues
       Network     CLONE_NEWNET      Network devices, stacks, ports, etc.
       Mount       CLONE_NEWNS       Mount points
       PID         CLONE_NEWPID      Process IDs
       User        CLONE_NEWUSER     User and group IDs
       UTS         CLONE_NEWUTS      Hostname and NIS domain name

       This page describes the various namespaces and the associated /proc
       files, and summarizes the APIs for working with namespaces.

   The namespaces API
       As well as various /proc files described below, the namespaces API
       includes the following system calls:

       clone(2)
              The clone(2) system call creates a new process.  If the flags
              argument of the call specifies one or more of the CLONE_NEW*
              flags listed below, then new namespaces are created for each
              flag, and the child process is made a member of those
              namespaces.  (This system call also implements a number of
              features unrelated to namespaces.)

       setns(2)
              The setns(2) system call allows the calling process to join an
              existing namespace.  The namespace to join is specified via a
              file descriptor that refers to one of the /proc/[pid]/ns files
              described below.

       unshare(2)
              The unshare(2) system call moves the calling process to a new
              namespace.  If the flags argument of the call specifies one or
              more of the CLONE_NEW* flags listed below, then new namespaces
              are created for each flag, and the calling process is made a
              member of those namespaces.  (This system call also implements
              a number of features unrelated to namespaces.)

       Creation of new namespaces using clone(2) and unshare(2) in most cases
       requires the CAP_SYS_ADMIN capability.  User namespaces are the
       exception: since Linux 3.8, no privilege is required to create a user
       namespace.
60
   The /proc/[pid]/ns/ directory
       Each process has a /proc/[pid]/ns/ subdirectory containing one entry
       for each namespace that supports being manipulated by setns(2):

           $ ls -l /proc/$$/ns
           total 0
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 cgroup -> cgroup:[4026531835]
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 ipc -> ipc:[4026531839]
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 mnt -> mnt:[4026531840]
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 net -> net:[4026531969]
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid -> pid:[4026531836]
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid_for_children -> pid:[4026531834]
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 user -> user:[4026531837]
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 uts -> uts:[4026531838]

       Bind mounting (see mount(2)) one of the files in this directory to
       somewhere else in the filesystem keeps the corresponding namespace of
       the process specified by pid alive even if all processes currently in
       the namespace terminate.

       Opening one of the files in this directory (or a file that is bind
       mounted to one of these files) returns a file handle for the
       corresponding namespace of the process specified by pid.  As long as
       this file descriptor remains open, the namespace will remain alive,
       even if all processes in the namespace terminate.  The file descriptor
       can be passed to setns(2).

       In Linux 3.7 and earlier, these files were visible as hard links.
       Since Linux 3.8, they appear as symbolic links.  If two processes are
       in the same namespace, then the inode numbers of their
       /proc/[pid]/ns/xxx symbolic links will be the same; an application can
       check this using the stat.st_ino field returned by stat(2).  The
       content of this symbolic link is a string containing the namespace
       type and inode number as in the following example:

           $ readlink /proc/$$/ns/uts
           uts:[4026531838]

       The symbolic links in this subdirectory are as follows:

       /proc/[pid]/ns/cgroup (since Linux 4.6)
              This file is a handle for the cgroup namespace of the process.

       /proc/[pid]/ns/ipc (since Linux 3.0)
              This file is a handle for the IPC namespace of the process.

       /proc/[pid]/ns/mnt (since Linux 3.8)
              This file is a handle for the mount namespace of the process.

       /proc/[pid]/ns/net (since Linux 3.0)
              This file is a handle for the network namespace of the process.

       /proc/[pid]/ns/pid (since Linux 3.8)
              This file is a handle for the PID namespace of the process.
              This handle is permanent for the lifetime of the process (i.e.,
              a process's PID namespace membership never changes).

       /proc/[pid]/ns/pid_for_children (since Linux 4.12)
              This file is a handle for the PID namespace of child processes
              created by this process.  This can change as a consequence of
              calls to unshare(2) and setns(2) (see pid_namespaces(7)), so the
              file may differ from /proc/[pid]/ns/pid.

       /proc/[pid]/ns/user (since Linux 3.8)
              This file is a handle for the user namespace of the process.

       /proc/[pid]/ns/uts (since Linux 3.0)
              This file is a handle for the UTS namespace of the process.

       Permission to dereference or read (readlink(2)) these symbolic links is
       governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
       ptrace(2).
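       The following program is an added example and is not part of this
       manual page.  It puts the two checks described above into code: it
       splits the readlink(2) text of a /proc/[pid]/ns/xxx link into the
       namespace type and inode number, and it decides whether two processes
       share a namespace by comparing the stat.st_ino (and st_dev) of their
       links.  It assumes a Linux host with /proc mounted; the helper names
       and the sample link text are the example's own, not kernel or
       man-pages identifiers.

```c
/* Added example (not the namespaces(7) page's own code): inspect the
 * /proc/[pid]/ns/ links and compare namespace membership of two processes.
 * Assumes Linux with /proc mounted.  Helper names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse "type:[inode]" as produced by readlink(2) on /proc/[pid]/ns/*.
 * Returns 0 and fills type (NUL-terminated) and ino, or -1 if the text
 * does not have exactly that shape. */
int parse_ns_link(const char *link, char *type, size_t typelen,
                  unsigned long *ino)
{
    const char *colon = strchr(link, ':');
    if (colon == NULL || colon == link || colon[1] != '[')
        return -1;
    size_t n = (size_t)(colon - link);
    if (n + 1 > typelen)
        return -1;
    memcpy(type, link, n);
    type[n] = '\0';

    char *end;
    errno = 0;
    unsigned long v = strtoul(colon + 2, &end, 10);
    if (errno != 0 || end == colon + 2 || end[0] != ']' || end[1] != '\0')
        return -1;
    *ino = v;
    return 0;
}

/* Read and parse /proc/<pid>/ns/<ns>; 0 on success, -1 on error (no /proc,
 * no such pid, or the PTRACE_MODE_READ_FSCREDS check denies access). */
int read_ns_link(pid_t pid, const char *ns, char *type, size_t typelen,
                 unsigned long *ino)
{
    char path[64], buf[64];
    snprintf(path, sizeof path, "/proc/%ld/ns/%s", (long)pid, ns);
    ssize_t len = readlink(path, buf, sizeof buf - 1);
    if (len < 0)
        return -1;
    buf[len] = '\0';
    return parse_ns_link(buf, type, typelen, ino);
}

/* Return 1 if pid_a and pid_b are in the same <ns> namespace, 0 if not,
 * -1 if either link cannot be stat(2)ed.  stat() follows the link, so the
 * inode compared is that of the namespace itself, as the page describes. */
int same_namespace(pid_t pid_a, pid_t pid_b, const char *ns)
{
    char pa[64], pb[64];
    struct stat sa, sb;
    snprintf(pa, sizeof pa, "/proc/%ld/ns/%s", (long)pid_a, ns);
    snprintf(pb, sizeof pb, "/proc/%ld/ns/%s", (long)pid_b, ns);
    if (stat(pa, &sa) < 0 || stat(pb, &sb) < 0)
        return -1;
    /* st_ino is what the page names; st_dev is compared as well so that
     * equal inode numbers on different filesystems are never mistaken for
     * the same namespace. */
    return (sa.st_ino == sb.st_ino && sa.st_dev == sb.st_dev) ? 1 : 0;
}

int main(void)
{
    static const char *types[] = { "cgroup", "ipc", "mnt", "net", "pid",
                                   "pid_for_children", "user", "uts" };
    char type[32];
    unsigned long ino;

    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        if (read_ns_link(getpid(), types[i], type, sizeof type, &ino) == 0)
            printf("%-17s -> %s inode %lu\n", types[i], type, ino);
        else
            printf("%-17s unavailable (%s)\n", types[i], strerror(errno));
    }
    /* A process always shares every namespace with itself. */
    printf("same uts namespace as self: %d\n",
           same_namespace(getpid(), getpid(), "uts"));
    return 0;
}
```

       Run against two pids (for example a shell and a process started by
       nsenter(1) or unshare(1)), same_namespace() reports 0 when the second
       process was placed in its own namespace; a -1 result usually means the
       ptrace access mode check mentioned above refused access rather than a
       real difference in membership.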
133
   The /proc/sys/user directory
       The files in the /proc/sys/user directory (which is present since Linux
       4.9) expose limits on the number of namespaces of various types that
       can be created.  The files are as follows:

       max_cgroup_namespaces
              The value in this file defines a per-user limit on the number of
              cgroup namespaces that may be created in the user namespace.

       max_ipc_namespaces
              The value in this file defines a per-user limit on the number of
              ipc namespaces that may be created in the user namespace.

       max_mnt_namespaces
              The value in this file defines a per-user limit on the number of
              mount namespaces that may be created in the user namespace.

       max_net_namespaces
              The value in this file defines a per-user limit on the number of
              network namespaces that may be created in the user namespace.

       max_pid_namespaces
              The value in this file defines a per-user limit on the number of
              pid namespaces that may be created in the user namespace.

       max_user_namespaces
              The value in this file defines a per-user limit on the number of
              user namespaces that may be created in the user namespace.

       max_uts_namespaces
              The value in this file defines a per-user limit on the number of
              uts namespaces that may be created in the user namespace.

       Note the following details about these files:

       *  The values in these files are modifiable by privileged processes.

       *  The values exposed by these files are the limits for the user
          namespace in which the opening process resides.

       *  The limits are per-user.  Each user in the same user namespace can
          create namespaces up to the defined limit.

       *  The limits apply to all users, including UID 0.

       *  These limits apply in addition to any other per-namespace limits
          (such as those for PID and user namespaces) that may be enforced.

       *  Upon encountering these limits, clone(2) and unshare(2) fail with
          the error ENOSPC.

       *  For the initial user namespace, the default value in each of these
          files is half the limit on the number of threads that may be created
          (/proc/sys/kernel/threads-max).  In all descendant user namespaces,
          the default value in each file is MAXINT.

       *  When a namespace is created, the object is also accounted against
          ancestor namespaces.  More precisely:

          +  Each user namespace has a creator UID.

          +  When a namespace is created, it is accounted against the creator
             UIDs in each of the ancestor user namespaces, and the kernel
             ensures that the corresponding namespace limit for the creator
             UID in the ancestor namespace is not exceeded.

          +  The aforementioned point ensures that creating a new user
             namespace cannot be used as a means to escape the limits in force
             in the current user namespace.
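       The following program is an added example, not part of this manual
       page, that reads the /proc/sys/user limits described above and
       compares each with the documented default for the initial user
       namespace (half of /proc/sys/kernel/threads-max).  It is the kind of
       quick audit an administrator runs to see whether namespace creation
       has been tightened (a value of 0 disables creation of that type
       entirely) or loosened on a host.  It assumes Linux 4.9 or later with
       /proc mounted; the helper names are the example's own.

```c
/* Added example (not the namespaces(7) page's own code): report the
 * per-user namespace limits in /proc/sys/user relative to the initial
 * user namespace default of threads-max / 2.  Assumes Linux >= 4.9. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Namespace types that have a max_*_namespaces file. */
static const char *const ns_types[] = {
    "cgroup", "ipc", "mnt", "net", "pid", "user", "uts"
};

/* Parse the single decimal value a sysctl file holds, e.g. "63218\n".
 * Returns 0 and stores the value, or -1 if the text is not one number
 * followed only by whitespace. */
int parse_sysctl_value(const char *text, long *value)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text)
        return -1;
    while (*end == '\n' || *end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')
        return -1;
    *value = v;
    return 0;
}

/* The page's documented default for the initial user namespace. */
long default_ns_limit(long threads_max)
{
    return threads_max / 2;
}

/* Classify a configured limit against that default. */
const char *classify_limit(long limit, long threads_max)
{
    long def = default_ns_limit(threads_max);
    if (limit == def)
        return "default";
    return limit < def ? "tightened" : "loosened";
}

/* Read a single-value /proc file; 0 on success, -1 on open/parse failure
 * (errno is set to EINVAL when the content could not be parsed). */
int read_sysctl_file(const char *path, long *value)
{
    char buf[64];
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    if (line == NULL || parse_sysctl_value(buf, value) < 0) {
        errno = EINVAL;
        return -1;
    }
    return 0;
}

int main(void)
{
    long threads_max;
    if (read_sysctl_file("/proc/sys/kernel/threads-max", &threads_max) < 0) {
        perror("/proc/sys/kernel/threads-max");
        return 1;
    }
    printf("threads-max = %ld, initial-namespace default limit = %ld\n",
           threads_max, default_ns_limit(threads_max));

    for (size_t i = 0; i < sizeof ns_types / sizeof ns_types[0]; i++) {
        char name[32], path[64];
        long limit;
        snprintf(name, sizeof name, "max_%s_namespaces", ns_types[i]);
        snprintf(path, sizeof path, "/proc/sys/user/%s", name);
        if (read_sysctl_file(path, &limit) < 0)
            printf("%-22s unavailable (%s)\n", name, strerror(errno));
        else
            printf("%-22s %ld (%s)\n", name, limit,
                   classify_limit(limit, threads_max));
    }
    return 0;
}
```

       The comparison is only meaningful in the initial user namespace: run
       inside a descendant user namespace (a rootless container, for
       example) the files report that namespace's own limits, whose default
       is MAXINT as noted above, so every value will show as "loosened".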
203
   Cgroup namespaces (CLONE_NEWCGROUP)
       See cgroup_namespaces(7).

   IPC namespaces (CLONE_NEWIPC)
       IPC namespaces isolate certain IPC resources, namely, System V IPC
       objects (see svipc(7)) and (since Linux 2.6.30) POSIX message queues
       (see mq_overview(7)).  The common characteristic of these IPC
       mechanisms is that IPC objects are identified by mechanisms other than
       filesystem pathnames.

       Each IPC namespace has its own set of System V IPC identifiers and its
       own POSIX message queue filesystem.  Objects created in an IPC
       namespace are visible to all other processes that are members of that
       namespace, but are not visible to processes in other IPC namespaces.

       The following /proc interfaces are distinct in each IPC namespace:

       *  The POSIX message queue interfaces in /proc/sys/fs/mqueue.

       *  The System V IPC interfaces in /proc/sys/kernel, namely: msgmax,
          msgmnb, msgmni, sem, shmall, shmmax, shmmni, and shm_rmid_forced.

       *  The System V IPC interfaces in /proc/sysvipc.

       When an IPC namespace is destroyed (i.e., when the last process that is
       a member of the namespace terminates), all IPC objects in the namespace
       are automatically destroyed.

       Use of IPC namespaces requires a kernel that is configured with the
       CONFIG_IPC_NS option.

   Network namespaces (CLONE_NEWNET)
       See network_namespaces(7).

   Mount namespaces (CLONE_NEWNS)
       See mount_namespaces(7).

   PID namespaces (CLONE_NEWPID)
       See pid_namespaces(7).

   User namespaces (CLONE_NEWUSER)
       See user_namespaces(7).

   UTS namespaces (CLONE_NEWUTS)
       UTS namespaces provide isolation of two system identifiers: the
       hostname and the NIS domain name.  These identifiers are set using
       sethostname(2) and setdomainname(2), and can be retrieved using
       uname(2), gethostname(2), and getdomainname(2).

       Use of UTS namespaces requires a kernel that is configured with the
       CONFIG_UTS_NS option.

EXAMPLE
       See clone(2) and user_namespaces(7).
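       The following program is an added example and is not part of this
       manual page; it illustrates both the unshare(2) call described under
       "The namespaces API" and the UTS isolation described under "UTS
       namespaces".  A forked child calls unshare(2) with CLONE_NEWUSER |
       CLONE_NEWUTS, changes its hostname with sethostname(2), and the parent
       then shows that its own hostname is unaffected.  Requesting a user
       namespace in the same call is what lets an unprivileged process do
       this (no CAP_SYS_ADMIN needed since Linux 3.8, as stated above); on a
       host where unprivileged user namespaces are disabled, unshare(2) fails
       with EPERM and the child reports that instead.  The hostname value
       and the function names are the example's own.

```c
/* Added example (not the namespaces(7) page's own code): demonstrate UTS
 * namespace isolation with unshare(2).  The hostname "ns-example" is a
 * constructed value; helper names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs in the child: move into new user and UTS namespaces, then set the
 * hostname there.  Returns 0 on success, 2 if unshare(2) failed (EPERM
 * when unprivileged user namespaces are disabled, ENOSPC when a
 * /proc/sys/user limit is hit), 3 if sethostname(2) failed. */
static int child_set_hostname(const char *name)
{
    if (unshare(CLONE_NEWUSER | CLONE_NEWUTS) < 0) {
        fprintf(stderr, "child  : unshare failed: %s\n", strerror(errno));
        return 2;
    }
    /* The new UTS namespace is owned by the new user namespace, in which
     * this process holds full capabilities, so sethostname(2) is allowed
     * even though the process is unprivileged in the parent namespace. */
    if (sethostname(name, strlen(name)) < 0) {
        fprintf(stderr, "child  : sethostname failed: %s\n", strerror(errno));
        return 3;
    }
    char got[256] = "";
    gethostname(got, sizeof got - 1);
    printf("child  : hostname inside new UTS namespace = %s\n", got);
    return 0;
}

/* Fork a child that changes its hostname inside its own namespaces.
 * Returns the child's exit status (0 = success) or -1 if fork/wait failed. */
int run_isolated_hostname_change(const char *name)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int rc = child_set_hostname(name);
        fflush(stdout);          /* _exit does not flush stdio buffers */
        _exit(rc);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Returns 1 if the caller's hostname is identical before and after a child
 * attempted the change in its own UTS namespace, 0 if it changed.  The
 * isolation property holds whether or not the child succeeded: a failed
 * unshare means no sethostname call was made at all. */
int parent_hostname_unchanged_after(const char *name)
{
    char before[256] = "", after[256] = "";
    gethostname(before, sizeof before - 1);
    run_isolated_hostname_change(name);
    gethostname(after, sizeof after - 1);
    return strcmp(before, after) == 0 ? 1 : 0;
}

int main(void)
{
    char before[256] = "", after[256] = "";
    gethostname(before, sizeof before - 1);
    int rc = run_isolated_hostname_change("ns-example");   /* constructed */
    gethostname(after, sizeof after - 1);
    printf("parent : hostname before = %s, after = %s (child exit %d)\n",
           before, after, rc);
    return strcmp(before, after) == 0 ? 0 : 1;
}
```

       A child exit status of 2 with EPERM is the expected outcome on hosts
       that restrict unprivileged user namespaces; in that configuration the
       same program works when run with CAP_SYS_ADMIN and CLONE_NEWUSER
       dropped from the flags.  Comparing the parent's hostname before and
       after is the observable proof that sethostname(2) acted only on the
       child's UTS namespace.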
258
SEE ALSO
       nsenter(1), readlink(1), unshare(1), clone(2), ioctl_ns(2), setns(2),
       unshare(2), proc(5), capabilities(7), cgroup_namespaces(7), cgroups(7),
       credentials(7), network_namespaces(7), pid_namespaces(7),
       user_namespaces(7), lsns(8), switch_root(8)

COLOPHON
       This page is part of release 4.15 of the Linux man-pages project.  A
       description of the project, information about reporting bugs, and the
       latest version of this page, can be found at
       https://www.kernel.org/doc/man-pages/.



Linux                            2018-02-02                      NAMESPACES(7)