Docker basics | Kernel namespaces

To understand Docker at its core, we need to understand what Kernel namespaces are. Namespaces are the most essential part of what makes up a container.

In the previous article we went over the basic building blocks of containers (namespaces, capabilities and cgroups). Namespaces are the most essential part of these, as they provide the isolation between processes.

If you want to get the most out of this article, I encourage you not just to read it but to follow along in your shell. Linux has extremely good documentation: all we have to do is open a shell and everything is right at our disposal.

So let’s dive into it. To understand namespaces we open the corresponding man page:

man 7 namespaces

The description says that namespaces isolate system resources for processes, and we get a list of all the available namespaces. That list will show either 7 or 8 different namespaces, depending on which distro/release you have installed.

As namespaces work on processes, let’s have a quick look at what processes are.

man 5 proc

The description tells us that a process is a kernel data structure. Searching for our keyword “namespace” in that man page gives a lot of matches. Among other things we find the following:

/proc/[pid]/ns/ (since Linux 3.0)
 This is a subdirectory containing one entry for each namespace that supports being manipulated by setns(2).  For more information, see namespaces(7).

So besides man 7 namespaces, this entry also refers to man 2 setns. Let’s check that out as well:

man 2 setns

Apparently setns is the system call we can use to enter an already existing namespace. This is useful to connect to a container that is already running. But if we want to create a new container we have to create a new namespace first, and that is done by the unshare system call, which is referenced by man 5 proc as well.

man 2 unshare

Obviously we cannot run that system call directly from our shell; we would have to write our own C program in order to use it. That is definitely a fun thing to do and I will write further articles on it. But for now let’s look for a quicker way.

By looking into the SEE ALSO section we’ll find unshare(1), which refers to the unshare command. Note the distinction: there is an unshare system call, unshare(2), and an unshare command, unshare(1).

Open the man page of the unshare command to check out how we can use it:

man 1 unshare

Let’s say we want to run a bash shell in its own PID namespace. In order to do that we use the -f, -p and --mount-proc options:

unshare -f -p --mount-proc

Check top, ps or pstree to see the result. Yes, you just created your own container. It is that simple. The question may now arise what Docker is, then. Docker is a framework that creates and manages containers, but Docker is not the container itself. Memorizing all the docker commands helps with using Docker, but it doesn’t tell you anything about what containers actually are.
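Both the "write our own C program" route from the unshare(2) section and what unshare -f -p does under the hood can be shown in a few lines of C. This is an added example, not code from the original article: it reads the /proc/[pid]/ns links quoted above to identify namespaces by inode, creates a new PID namespace with unshare(2), and forks so that the child becomes PID 1 inside it. It assumes Linux with either root or unprivileged user namespaces enabled (CLONE_NEWUSER is added for the latter case); --mount-proc is left out, so ps run inside would still show the parent's view of /proc.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Parse the target of a /proc/[pid]/ns/<type> symlink, e.g. "pid:[4026531836]",
 * and return the namespace inode number, or 0 if the text is not in that format. */
unsigned long parse_ns_inode(const char *link) {
    const char *open = strchr(link, '[');
    if (!open) return 0;
    char *end;
    unsigned long ino = strtoul(open + 1, &end, 10);
    return (end == open + 1 || *end != ']') ? 0 : ino;
}

/* Read the inode of namespace `type` for process `pid` ("self" or a number);
 * two processes share a namespace exactly when these inodes are equal. */
unsigned long read_ns_inode(const char *pid, const char *type) {
    char path[64], link[64];
    snprintf(path, sizeof path, "/proc/%s/ns/%s", pid, type);
    ssize_t n = readlink(path, link, sizeof link - 1);
    if (n < 0) return 0;
    link[n] = '\0';
    return parse_ns_inode(link);
}

/* What `unshare -f -p` does: unshare(2) creates the PID namespace, but only
 * *children* of the caller are born into it, so we fork and the child becomes PID 1.
 * CLONE_NEWUSER lets this run without root where unprivileged user namespaces exist. */
int run_in_new_pid_namespace(void) {
    unsigned long parent_ns = read_ns_inode("self", "pid");
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID) == -1) {
        perror("unshare");   /* typically EPERM: needs CAP_SYS_ADMIN or user namespaces */
        return -1;
    }
    pid_t child = fork();
    if (child == -1) { perror("fork"); return -1; }
    if (child == 0) {
        /* Inside the new namespace: getpid() is 1 and the pid ns inode differs. */
        printf("child: pid=%d ns=%lu (parent ns=%lu)\n",
               getpid(), read_ns_inode("self", "pid"), parent_ns);
        _exit(getpid() == 1 ? 0 : 1);
    }
    int status; if (waitpid(child, &status, 0) == -1) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) { return run_in_new_pid_namespace() == 0 ? 0 : 1; }
```

Comparing the two inode values printed is the same check you can do by hand with ls -l /proc/$$/ns against a process inside the container.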