Containers & Namespaces

Module 3.11 — Process isolation, cgroups, overlay filesystems

Linux Namespaces

Each namespace gives the container its own view of a resource the host also has:

Namespace   What the container sees
PID         PID 1 (an ordinary, larger PID on the host)
Network     eth0: 172.17.0.2
Mount       /app (overlay)
UTS         hostname container-abc
IPC         isolated IPC (its own message queues, semaphores, shared memory)
User        uid=0 (root) inside the container
PID Namespace

Process ID isolation: the process that is PID 1 inside the container has a different, ordinary PID on the host, and processes inside cannot see or signal host processes outside their namespace.

Container Architecture

Containers are NOT VMs
They share the host kernel. Isolation comes from Linux namespaces + cgroups.
Namespaces: what you can see
Cgroups: what you can use
OverlayFS: filesystem layering
seccomp: syscall filtering

Key Syscalls

clone(CLONE_NEWPID)    create the child in a new PID namespace
clone(CLONE_NEWNET)    create the child in a new network namespace
clone(CLONE_NEWNS)     create the child in a new mount namespace
unshare(flags)         move the calling process itself into new namespaces (no child needed)
setns(fd, nstype)      join an existing namespace through an fd opened on /proc/<pid>/ns/*
pivot_root(new, old)   swap the root mount so the container sees only its own filesystem

Container Networking

Host: eth0 (192.168.1.5)
  |
docker0 bridge (172.17.0.1)
  |-- veth pair -> container A eth0 (172.17.0.2)
  |-- veth pair -> container B eth0 (172.17.0.3)

Each container's eth0 is one end of a veth pair that lives in the container's network namespace; the other end is attached to the docker0 bridge on the host, and the host routes between the bridge and its own eth0.

Namespace Isolation

See how each namespace type isolates the container from the host.
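The following is an added example, not part of the module's own materials, that exercises the namespace table, the clone() row of the syscall list and the network namespace from the networking slide in one program: a child is cloned into fresh PID, UTS, mount and network namespaces and reports back what it sees (PID 1, no visible parent, a hostname change that never reaches the host, and a network namespace containing only loopback). It assumes Linux with glibc; the names ns_report, child_fn, spawn_in_new_namespaces and verify_namespace_isolation are mine, and setns() and pivot_root() are described on the page but not exercised here. Creating these namespaces needs CAP_SYS_ADMIN, so the code falls back to wrapping them in a user namespace and reports 0 rather than failing if the kernel refuses both.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <net/if.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define STACK_SIZE (1024 * 1024)

/* What the child observes from inside its fresh namespaces (names are mine). */
struct ns_report {
    pid_t inside_pid;          /* getpid() inside the new PID namespace: 1 */
    pid_t inside_ppid;         /* getppid(): 0, the parent lives outside the namespace */
    int   hostname_changed;    /* sethostname() succeeded in the new UTS namespace */
    char  hostname[64];        /* hostname as seen inside */
    int   n_ifaces;            /* interfaces visible in the new network namespace */
    char  first_iface[IFNAMSIZ];
};

/* Runs as PID 1 of the new PID namespace and reports back through a pipe. */
static int child_fn(void *arg)
{
    int pipe_wr = *(int *)arg;
    struct ns_report r;
    memset(&r, 0, sizeof r);
    r.inside_pid  = getpid();
    r.inside_ppid = getppid();

    /* UTS namespace: renaming the host here leaves the real hostname untouched. */
    r.hostname_changed = (sethostname("container-abc", strlen("container-abc")) == 0);
    gethostname(r.hostname, sizeof r.hostname - 1);

    /* Network namespace: a fresh one contains only a (down) loopback device. */
    struct if_nameindex *ifs = if_nameindex();
    for (struct if_nameindex *p = ifs; ifs && p->if_index != 0; p++)
        if (r.n_ifaces++ == 0)
            strncpy(r.first_iface, p->if_name, IFNAMSIZ - 1);
    if (ifs) if_freenameindex(ifs);

    ssize_t n = write(pipe_wr, &r, sizeof r);
    close(pipe_wr);
    return n == (ssize_t)sizeof r ? 0 : 1;
}

/* Clone a child into new PID, UTS, mount and network namespaces. Returns the
 * child's PID as the host sees it (never 1), or -1 with errno set if refused. */
pid_t spawn_in_new_namespaces(struct ns_report *out)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    char *stack = malloc(STACK_SIZE);   /* clone() needs a separate stack for the child */
    if (!stack) { close(fds[0]); close(fds[1]); return -1; }
    int flags = CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWNS | CLONE_NEWNET | SIGCHLD;

    /* These namespaces need CAP_SYS_ADMIN; if that is refused, wrap them in a
     * new user namespace, which an unprivileged user may be allowed to create. */
    pid_t child = clone(child_fn, stack + STACK_SIZE, flags, &fds[1]);
    if (child == -1 && errno == EPERM)
        child = clone(child_fn, stack + STACK_SIZE, flags | CLONE_NEWUSER, &fds[1]);
    int saved = errno;
    close(fds[1]);
    ssize_t n = (child == -1) ? -1 : read(fds[0], out, sizeof *out);
    close(fds[0]);
    if (child != -1) waitpid(child, NULL, 0);
    free(stack);
    if (n != (ssize_t)sizeof *out) { errno = (child == -1) ? saved : EIO; return -1; }
    return child;
}

/* 1 = isolation behaves as the module describes, 0 = namespace creation was
 * refused in this environment, -1 = namespaces exist but behave unexpectedly. */
int verify_namespace_isolation(void)
{
    struct ns_report r;
    pid_t host_pid = spawn_in_new_namespaces(&r);
    if (host_pid == -1)
        return 0;
    int ok = r.inside_pid == 1 && host_pid != 1        /* PID 1 inside, ordinary PID outside */
          && r.inside_ppid == 0                         /* parent invisible from inside */
          && r.hostname_changed && strcmp(r.hostname, "container-abc") == 0
          && r.n_ifaces == 1 && strcmp(r.first_iface, "lo") == 0;
    return ok ? 1 : -1;
}

int main(void)
{
    int rc = verify_namespace_isolation();
    printf("%s\n", rc == 1 ? "isolation confirmed"
                 : rc == 0 ? "namespace creation refused; run as root or enable user namespaces"
                 : "unexpected namespace behaviour");
    return rc == -1;
}
```

Build with `gcc -o ns_demo ns_demo.c` and run as root (or with unprivileged user namespaces enabled). While the child is alive, `ls -l /proc/<host pid>/ns` on the host shows pid, uts, mnt and net links that differ from your shell's, which is exactly the "what you can see" boundary the module attributes to namespaces; the mount namespace is created but left untouched here, so the child still sees the host's mounts until something like pivot_root() is applied.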