1 .\" Copyright (c) 2013 by Michael Kerrisk <mtk.manpages@gmail.com>
2 .\" and Copyright (c) 2012 by Eric W. Biederman <ebiederm@xmission.com>
4 .\" %%%LICENSE_START(VERBATIM)
5 .\" Permission is granted to make and distribute verbatim copies of this
6 .\" manual provided the copyright notice and this permission notice are
7 .\" preserved on all copies.
9 .\" Permission is granted to copy and distribute modified versions of this
10 .\" manual under the conditions for verbatim copying, provided that the
11 .\" entire resulting derived work is distributed under the terms of a
12 .\" permission notice identical to this one.
14 .\" Since the Linux kernel and libraries are constantly changing, this
15 .\" manual page may be incorrect or out-of-date. The author(s) assume no
16 .\" responsibility for errors or omissions, or for damages resulting from
17 .\" the use of the information contained herein. The author(s) may not
18 .\" have taken the same level of care in the production of this manual,
19 .\" which is licensed free of charge, as they might when working
22 .\" Formatted or processed versions of this manual, if unaccompanied by
23 .\" the source, must acknowledge the copyright and authors of this work.
27 .TH NAMESPACES 7 2016-07-17 "Linux" "Linux Programmer's Manual"
29 namespaces \- overview of Linux namespaces
31 A namespace wraps a global system resource in an abstraction that
32 makes it appear to the processes within the namespace that they
33 have their own isolated instance of the global resource.
34 Changes to the global resource are visible to other processes
35 that are members of the namespace, but are invisible to other processes.
36 One use of namespaces is to implement containers.
38 Linux provides the following namespaces:
42 Namespace Constant Isolates
43 Cgroup CLONE_NEWCGROUP Cgroup root directory
44 IPC CLONE_NEWIPC System V IPC, POSIX message queues
45 Network CLONE_NEWNET Network devices, stacks, ports, etc.
46 Mount CLONE_NEWNS Mount points
47 PID CLONE_NEWPID Process IDs
48 User CLONE_NEWUSER User and group IDs
49 UTS CLONE_NEWUTS Hostname and NIS domain name
52 This page describes the various namespaces and the associated
54 files, and summarizes the APIs for working with namespaces.
56 .\" ==================== The namespaces API ====================
58 .SS The namespaces API
61 files described below,
62 the namespaces API includes the following system calls:
67 system call creates a new process.
70 argument of the call specifies one or more of the
72 flags listed below, then new namespaces are created for each flag,
73 and the child process is made a member of those namespaces.
74 (This system call also implements a number of features
75 unrelated to namespaces.)
80 system call allows the calling process to join an existing namespace.
81 The namespace to join is specified via a file descriptor that refers to
84 files described below.
89 system call moves the calling process to a new namespace.
92 argument of the call specifies one or more of the
94 flags listed below, then new namespaces are created for each flag,
95 and the calling process is made a member of those namespaces.
96 (This system call also implements a number of features
97 unrelated to namespaces.)
99 Creation of new namespaces using
103 in most cases requires the
106 User namespaces are the exception: since Linux 3.8,
107 no privilege is required to create a user namespace.
109 .\" ==================== The /proc/[pid]/ns/ directory ====================
111 .SS The /proc/[pid]/ns/ directory
114 .\" See commit 6b4e306aa3dc94a0545eb9279475b1ab6209a31f
115 subdirectory containing one entry for each namespace that
116 supports being manipulated by
121 $ \fBls -l /proc/$$/ns\fP
123 lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 cgroup -> cgroup:[4026531835]
124 lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 ipc -> ipc:[4026531839]
125 lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 mnt -> mnt:[4026531840]
126 lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 net -> net:[4026531969]
127 lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid -> pid:[4026531836]
128 lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 user -> user:[4026531837]
129 lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 uts -> uts:[4026531838]
135 one of the files in this directory
136 to somewhere else in the filesystem keeps
137 the corresponding namespace of the process specified by
139 alive even if all processes currently in the namespace terminate.
141 Opening one of the files in this directory
142 (or a file that is bind mounted to one of these files)
143 returns a file handle for
144 the corresponding namespace of the process specified by
146 As long as this file descriptor remains open,
147 the namespace will remain alive,
148 even if all processes in the namespace terminate.
149 The file descriptor can be passed to
152 In Linux 3.7 and earlier, these files were visible as hard links.
153 Since Linux 3.8, they appear as symbolic links.
154 If two processes are in the same namespace, then the inode numbers of their
155 .IR /proc/[pid]/ns/xxx
156 symbolic links will be the same; an application can check this using the
160 The content of this symbolic link is a string containing
161 the namespace type and inode number as in the following example:
165 $ \fBreadlink /proc/$$/ns/uts\fP
170 The symbolic links in this subdirectory are as follows:
172 .IR /proc/[pid]/ns/cgroup " (since Linux 4.6)"
173 This file is a handle for the cgroup namespace of the process.
175 .IR /proc/[pid]/ns/ipc " (since Linux 3.0)"
176 This file is a handle for the IPC namespace of the process.
178 .IR /proc/[pid]/ns/mnt " (since Linux 3.8)"
179 .\" commit 8823c079ba7136dc1948d6f6dcb5f8022bde438e
180 This file is a handle for the mount namespace of the process.
182 .IR /proc/[pid]/ns/net " (since Linux 3.0)"
183 This file is a handle for the network namespace of the process.
185 .IR /proc/[pid]/ns/pid " (since Linux 3.8)"
186 .\" commit 57e8391d327609cbf12d843259c968b9e5c1838f
187 This file is a handle for the PID namespace of the process.
189 .IR /proc/[pid]/ns/user " (since Linux 3.8)"
190 .\" commit cde1975bc242f3e1072bde623ef378e547b73f91
191 This file is a handle for the user namespace of the process.
193 .IR /proc/[pid]/ns/uts " (since Linux 3.0)"
194 This file is a handle for the UTS namespace of the process.
196 Permission to dereference or read
198 these symbolic links is governed by a ptrace access mode
199 .B PTRACE_MODE_READ_FSCREDS
203 .\" ==================== Cgroup namespaces ====================
205 .SS Cgroup namespaces (CLONE_NEWCGROUP)
207 .BR cgroup_namespaces (7).
209 .\" ==================== IPC namespaces ====================
211 .SS IPC namespaces (CLONE_NEWIPC)
212 IPC namespaces isolate certain IPC resources,
213 namely, System V IPC objects (see
215 and (since Linux 2.6.30)
216 .\" commit 7eafd7c74c3f2e67c27621b987b28397110d643f
217 .\" https://lwn.net/Articles/312232/
218 POSIX message queues (see
219 .BR mq_overview (7)).
220 The common characteristic of these IPC mechanisms is that IPC
221 objects are identified by mechanisms other than filesystem
224 Each IPC namespace has its own set of System V IPC identifiers and
225 its own POSIX message queue filesystem.
226 Objects created in an IPC namespace are visible to all other processes
227 that are members of that namespace,
228 but are not visible to processes in other IPC namespaces.
232 interfaces are distinct in each IPC namespace:
234 The POSIX message queue interfaces in
235 .IR /proc/sys/fs/mqueue .
237 The System V IPC interfaces in
238 .IR /proc/sys/kernel ,
248 .IR shm_rmid_forced .
250 The System V IPC interfaces in
253 When an IPC namespace is destroyed
254 (i.e., when the last process that is a member of the namespace terminates),
255 all IPC objects in the namespace are automatically destroyed.
257 Use of IPC namespaces requires a kernel that is configured with the
261 .\" ==================== Network namespaces ====================
263 .SS Network namespaces (CLONE_NEWNET)
264 Network namespaces provide isolation of the system resources associated
265 with networking: network devices, IPv4 and IPv6 protocol stacks,
266 IP routing tables, firewalls, the
270 directory, port numbers (sockets), and so on.
271 A physical network device can live in exactly one
273 A virtual network device ("veth") pair provides a pipe-like abstraction
274 .\" FIXME . Add pointer to veth(4) page when it is eventually completed
275 that can be used to create tunnels between network namespaces,
276 and can be used to create a bridge to a physical network device
277 in another namespace.
279 When a network namespace is freed
280 (i.e., when the last process in the namespace terminates),
281 its physical network devices are moved back to the
282 initial network namespace (not to the parent of the process).
284 Use of network namespaces requires a kernel that is configured with the
288 .\" ==================== Mount namespaces ====================
290 .SS Mount namespaces (CLONE_NEWNS)
292 .BR mount_namespaces (7).
294 .\" ==================== PID namespaces ====================
296 .SS PID namespaces (CLONE_NEWPID)
298 .BR pid_namespaces (7).
300 .\" ==================== User namespaces ====================
302 .SS User namespaces (CLONE_NEWUSER)
304 .BR user_namespaces (7).
306 .\" ==================== UTS namespaces ====================
308 .SS UTS namespaces (CLONE_NEWUTS)
309 UTS namespaces provide isolation of two system identifiers:
310 the hostname and the NIS domain name.
311 These identifiers are set using
314 .BR setdomainname (2),
315 and can be retrieved using
319 .BR getdomainname (2).
321 Use of UTS namespaces requires a kernel that is configured with the
325 Namespaces are a Linux-specific feature.
328 .BR user_namespaces (7).
337 .BR capabilities (7),
338 .BR cgroup_namespaces (7),
341 .BR pid_namespaces (7),
342 .BR user_namespaces (7),