NAMESPACES(7)              Linux Programmer's Manual             NAMESPACES(7)

NAME
       namespaces - overview of Linux namespaces

DESCRIPTION
       A namespace wraps a global system resource in an abstraction that makes
       it appear to the processes within the namespace that they have their
       own isolated instance of the global resource.  Changes to the global
       resource are visible to other processes that are members of the
       namespace, but are invisible to other processes.  One use of namespaces
       is to implement containers.

       Linux provides the following namespaces:

       Namespace   Constant          Isolates
       Cgroup      CLONE_NEWCGROUP   Cgroup root directory
       IPC         CLONE_NEWIPC      System V IPC, POSIX message queues
       Network     CLONE_NEWNET      Network devices, stacks, ports, etc.
       Mount       CLONE_NEWNS       Mount points
       PID         CLONE_NEWPID      Process IDs
       User        CLONE_NEWUSER     User and group IDs
       UTS         CLONE_NEWUTS      Hostname and NIS domain name

       This page describes the various namespaces and the associated /proc
       files, and summarizes the APIs for working with namespaces.

   The namespaces API
       As well as various /proc files described below, the namespaces API
       includes the following system calls:

       clone(2)
              The clone(2) system call creates a new process.  If the flags
              argument of the call specifies one or more of the CLONE_NEW*
              flags listed below, then new namespaces are created for each
              flag, and the child process is made a member of those
              namespaces.  (This system call also implements a number of
              features unrelated to namespaces.)

       setns(2)
              The setns(2) system call allows the calling process to join an
              existing namespace.  The namespace to join is specified via a
              file descriptor that refers to one of the /proc/[pid]/ns files
              described below.

       unshare(2)
              The unshare(2) system call moves the calling process to a new
              namespace.  If the flags argument of the call specifies one or
              more of the CLONE_NEW* flags listed below, then new namespaces
              are created for each flag, and the calling process is made a
              member of those namespaces.  (This system call also implements
              a number of features unrelated to namespaces.)

       Creation of new namespaces using clone(2) and unshare(2) in most cases
       requires the CAP_SYS_ADMIN capability.  User namespaces are the
       exception: since Linux 3.8, no privilege is required to create a user
       namespace.

   The /proc/[pid]/ns/ directory
       Each process has a /proc/[pid]/ns/ subdirectory containing one entry
       for each namespace that supports being manipulated by setns(2):

           $ ls -l /proc/$$/ns
           total 0
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 cgroup -> cgroup:[4026531835]
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 ipc -> ipc:[4026531839]
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 mnt -> mnt:[4026531840]
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 net -> net:[4026531969]
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid -> pid:[4026531836]
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid_for_children -> pid:[4026531834]
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 user -> user:[4026531837]
           lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 uts -> uts:[4026531838]

       Bind mounting (see mount(2)) one of the files in this directory to
       somewhere else in the filesystem keeps the corresponding namespace of
       the process specified by pid alive even if all processes currently in
       the namespace terminate.

       Opening one of the files in this directory (or a file that is bind
       mounted to one of these files) returns a file handle for the
       corresponding namespace of the process specified by pid.  As long as
       this file descriptor remains open, the namespace will remain alive,
       even if all processes in the namespace terminate.  The file descriptor
       can be passed to setns(2).

       In Linux 3.7 and earlier, these files were visible as hard links.
       Since Linux 3.8, they appear as symbolic links.  If two processes are
       in the same namespace, then the device IDs and inode numbers of their
       /proc/[pid]/ns/xxx symbolic links will be the same; an application can
       check this using the stat.st_dev and stat.st_ino fields returned by
       stat(2).  The content of this symbolic link is a string containing the
       namespace type and inode number as in the following example:

           $ readlink /proc/$$/ns/uts
           uts:[4026531838]

       The symbolic links in this subdirectory are as follows:

       /proc/[pid]/ns/cgroup (since Linux 4.6)
              This file is a handle for the cgroup namespace of the process.

       /proc/[pid]/ns/ipc (since Linux 3.0)
              This file is a handle for the IPC namespace of the process.

       /proc/[pid]/ns/mnt (since Linux 3.8)
              This file is a handle for the mount namespace of the process.

       /proc/[pid]/ns/net (since Linux 3.0)
              This file is a handle for the network namespace of the process.

       /proc/[pid]/ns/pid (since Linux 3.8)
              This file is a handle for the PID namespace of the process.
              This handle is permanent for the lifetime of the process (i.e.,
              a process's PID namespace membership never changes).

       /proc/[pid]/ns/pid_for_children (since Linux 4.12)
              This file is a handle for the PID namespace of child processes
              created by this process.  This can change as a consequence of
              calls to unshare(2) and setns(2) (see pid_namespaces(7)), so the
              file may differ from /proc/[pid]/ns/pid.  The symbolic link
              gains a value only after the first child process is created in
              the namespace.  (Beforehand, readlink(2) of the symbolic link
              will return an empty buffer.)

       /proc/[pid]/ns/user (since Linux 3.8)
              This file is a handle for the user namespace of the process.

       /proc/[pid]/ns/uts (since Linux 3.0)
              This file is a handle for the UTS namespace of the process.

       Permission to dereference or read (readlink(2)) these symbolic links is
       governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
       ptrace(2).

   The /proc/sys/user directory
       The files in the /proc/sys/user directory (which is present since Linux
       4.9) expose limits on the number of namespaces of various types that
       can be created.  The files are as follows:

       max_cgroup_namespaces
              The value in this file defines a per-user limit on the number of
              cgroup namespaces that may be created in the user namespace.

       max_ipc_namespaces
              The value in this file defines a per-user limit on the number of
              IPC namespaces that may be created in the user namespace.

       max_mnt_namespaces
              The value in this file defines a per-user limit on the number of
              mount namespaces that may be created in the user namespace.

       max_net_namespaces
              The value in this file defines a per-user limit on the number of
              network namespaces that may be created in the user namespace.

       max_pid_namespaces
              The value in this file defines a per-user limit on the number of
              PID namespaces that may be created in the user namespace.

       max_user_namespaces
              The value in this file defines a per-user limit on the number of
              user namespaces that may be created in the user namespace.

       max_uts_namespaces
              The value in this file defines a per-user limit on the number of
              UTS namespaces that may be created in the user namespace.

       Note the following details about these files:

       *  The values in these files are modifiable by privileged processes.

       *  The values exposed by these files are the limits for the user
          namespace in which the opening process resides.

       *  The limits are per-user.  Each user in the same user namespace can
          create namespaces up to the defined limit.

       *  The limits apply to all users, including UID 0.

       *  These limits apply in addition to any other per-namespace limits
          (such as those for PID and user namespaces) that may be enforced.

       *  Upon encountering these limits, clone(2) and unshare(2) fail with
          the error ENOSPC.

       *  For the initial user namespace, the default value in each of these
          files is half the limit on the number of threads that may be created
          (/proc/sys/kernel/threads-max).  In all descendant user namespaces,
          the default value in each file is MAXINT.

       *  When a namespace is created, the object is also accounted against
          ancestor namespaces.  More precisely:

          +  Each user namespace has a creator UID.

          +  When a namespace is created, it is accounted against the creator
             UIDs in each of the ancestor user namespaces, and the kernel
             ensures that the corresponding namespace limit for the creator
             UID in the ancestor namespace is not exceeded.

          +  The aforementioned point ensures that creating a new user
             namespace cannot be used as a means to escape the limits in force
             in the current user namespace.

   Cgroup namespaces (CLONE_NEWCGROUP)
       See cgroup_namespaces(7).

   IPC namespaces (CLONE_NEWIPC)
       IPC namespaces isolate certain IPC resources, namely, System V IPC
       objects (see svipc(7)) and (since Linux 2.6.30) POSIX message queues
       (see mq_overview(7)).  The common characteristic of these IPC
       mechanisms is that IPC objects are identified by mechanisms other than
       filesystem pathnames.

       Each IPC namespace has its own set of System V IPC identifiers and its
       own POSIX message queue filesystem.  Objects created in an IPC
       namespace are visible to all other processes that are members of that
       namespace, but are not visible to processes in other IPC namespaces.

       The following /proc interfaces are distinct in each IPC namespace:

       *  The POSIX message queue interfaces in /proc/sys/fs/mqueue.

       *  The System V IPC interfaces in /proc/sys/kernel, namely: msgmax,
          msgmnb, msgmni, sem, shmall, shmmax, shmmni, and shm_rmid_forced.

       *  The System V IPC interfaces in /proc/sysvipc.

       When an IPC namespace is destroyed (i.e., when the last process that is
       a member of the namespace terminates), all IPC objects in the namespace
       are automatically destroyed.

       Use of IPC namespaces requires a kernel that is configured with the
       CONFIG_IPC_NS option.

   Network namespaces (CLONE_NEWNET)
       See network_namespaces(7).

   Mount namespaces (CLONE_NEWNS)
       See mount_namespaces(7).

   PID namespaces (CLONE_NEWPID)
       See pid_namespaces(7).

   User namespaces (CLONE_NEWUSER)
       See user_namespaces(7).

   UTS namespaces (CLONE_NEWUTS)
       UTS namespaces provide isolation of two system identifiers: the
       hostname and the NIS domain name.  These identifiers are set using
       sethostname(2) and setdomainname(2), and can be retrieved using
       uname(2), gethostname(2), and getdomainname(2).

       Use of UTS namespaces requires a kernel that is configured with the
       CONFIG_UTS_NS option.

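       The following program is an added example (not part of this man page
       or the man-pages project) that ties together the /proc/[pid]/ns
       identity check described above and the unprivileged creation of a user
       plus UTS namespace: the child unshares both, changes its hostname, and
       the parent verifies with st_dev/st_ino that the two processes no
       longer share a UTS namespace while its own hostname is untouched.  The
       hostname "inside-ns" and the pipe handshake are constructed for the
       example; unshare(2) is invoked through syscall(2) so the build does not
       depend on feature-test macro ordering.

```c
#define _GNU_SOURCE
#include <linux/sched.h>   /* CLONE_NEWUSER, CLONE_NEWUTS */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Parse the "type:[inode]" string that readlink(2) returns for a
 * /proc/[pid]/ns/* link.  Returns the inode number, 0 if malformed. */
unsigned long ns_link_inode(const char *s)
{
    const char *p = strstr(s, ":[");
    char *end;
    if (p == NULL) return 0;
    unsigned long ino = strtoul(p + 2, &end, 10);
    return (end != p + 2 && end[0] == ']' && end[1] == '\0') ? ino : 0;
}
/* The page's same-namespace test: compare st_dev/st_ino of the two links.
 * 1 = same, 0 = different, -1 = stat failed (e.g. ptrace access check). */
int ns_same(pid_t a, pid_t b, const char *type)
{
    char pa[64], pb[64]; struct stat sa, sb;
    snprintf(pa, sizeof pa, "/proc/%ld/ns/%s", (long)a, type);
    snprintf(pb, sizeof pb, "/proc/%ld/ns/%s", (long)b, type);
    if (stat(pa, &sa) == -1 || stat(pb, &sb) == -1) return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}
int main(void)
{
    int fd[2]; char hn[64], c;
    if (pipe(fd) == -1) return 1;
    pid_t child = fork();
    if (child == 0) {
        /* No privilege needed since Linux 3.8: the new user namespace grants
         * CAP_SYS_ADMIN inside it, which unsharing UTS then requires. */
        if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWUTS) == -1 ||
            sethostname("inside-ns", 9) == -1) _exit(1);
        if (write(fd[1], "x", 1) != 1) _exit(1);  /* tell parent: ready */
        pause();
    }
    if (read(fd[0], &c, 1) != 1) return 1;  /* child could not unshare */
    printf("parent shares uts ns with child: %d\n", ns_same(getpid(), child, "uts"));
    gethostname(hn, sizeof hn);
    printf("parent hostname unchanged: %s\n", hn);
    kill(child, SIGTERM); waitpid(child, NULL, 0);
    return 0;
}
```

       On a kernel where unprivileged user namespaces are disabled by
       policy, the child's unshare fails and the program exits with status 1
       instead of reporting a result.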
EXAMPLE
       See clone(2) and user_namespaces(7).

SEE ALSO
       nsenter(1), readlink(1), unshare(1), clone(2), ioctl_ns(2), setns(2),
       unshare(2), proc(5), capabilities(7), cgroup_namespaces(7), cgroups(7),
       credentials(7), network_namespaces(7), pid_namespaces(7),
       user_namespaces(7), lsns(8), switch_root(8)

COLOPHON
       This page is part of release 4.16 of the Linux man-pages project.  A
       description of the project, information about reporting bugs, and the
       latest version of this page, can be found at
       https://www.kernel.org/doc/man-pages/.

Linux                            2018-02-02                      NAMESPACES(7)