1 .\" Copyright (c) 2013 by Michael Kerrisk <mtk.manpages@gmail.com>
2 .\" and Copyright (c) 2012 by Eric W. Biederman <ebiederm@xmission.com>
4 .\" %%%LICENSE_START(VERBATIM)
5 .\" Permission is granted to make and distribute verbatim copies of this
6 .\" manual provided the copyright notice and this permission notice are
7 .\" preserved on all copies.
9 .\" Permission is granted to copy and distribute modified versions of this
10 .\" manual under the conditions for verbatim copying, provided that the
11 .\" entire resulting derived work is distributed under the terms of a
12 .\" permission notice identical to this one.
14 .\" Since the Linux kernel and libraries are constantly changing, this
15 .\" manual page may be incorrect or out-of-date. The author(s) assume no
16 .\" responsibility for errors or omissions, or for damages resulting from
17 .\" the use of the information contained herein. The author(s) may not
18 .\" have taken the same level of care in the production of this manual,
19 .\" which is licensed free of charge, as they might when working
22 .\" Formatted or processed versions of this manual, if unaccompanied by
23 .\" the source, must acknowledge the copyright and authors of this work.
27 .TH NAMESPACES 7 2014-09-21 "Linux" "Linux Programmer's Manual"
29 namespaces \- overview of Linux namespaces
31 A namespace wraps a global system resource in an abstraction that
32 makes it appear to the processes within the namespace that they
33 have their own isolated instance of the global resource.
34 Changes to the global resource are visible to other processes
35 that are members of the namespace, but are invisible to other processes.
36 One use of namespaces is to implement containers.
38 Linux provides the following namespaces:
43 Namespace Constant Isolates
44 IPC CLONE_NEWIPC System V IPC, POSIX message queues
45 Network CLONE_NEWNET Network devices, stacks, ports, etc.
46 Mount CLONE_NEWNS Mount points
47 PID CLONE_NEWPID Process IDs
48 User CLONE_NEWUSER User and group IDs
49 UTS CLONE_NEWUTS Hostname and NIS domain name
52 This page describes the various namespaces and the associated
54 files, and summarizes the APIs for working with namespaces.
56 .\" ==================== The namespaces API ====================
58 .SS The namespaces API
61 files described below,
62 the namespaces API includes the following system calls:
67 system call creates a new process.
70 argument of the call specifies one or more of the
72 flags listed below, then new namespaces are created for each flag,
73 and the child process is made a member of those namespaces.
74 (This system call also implements a number of features
75 unrelated to namespaces.)
80 system call allows the calling process to join an existing namespace.
81 The namespace to join is specified via a file descriptor that refers to
84 files described below.
89 system call moves the calling process to a new namespace.
92 argument of the call specifies one or more of the
94 flags listed below, then new namespaces are created for each flag,
95 and the calling process is made a member of those namespaces.
96 (This system call also implements a number of features
97 unrelated to namespaces.)
99 Creation of new namespaces using
103 in most cases requires the
106 User namespaces are the exception: since Linux 3.8,
107 no privilege is required to create a user namespace.
109 .\" ==================== The /proc/[pid]/ns/ directory ====================
111 .SS The /proc/[pid]/ns/ directory
114 .\" See commit 6b4e306aa3dc94a0545eb9279475b1ab6209a31f
115 subdirectory containing one entry for each namespace that
116 supports being manipulated by
121 $ \fBls -l /proc/$$/ns\fP
123 lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 ipc -> ipc:[4026531839]
124 lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 mnt -> mnt:[4026531840]
125 lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 net -> net:[4026531956]
126 lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 pid -> pid:[4026531836]
127 lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 user -> user:[4026531837]
128 lrwxrwxrwx. 1 mtk mtk 0 Jan 14 01:20 uts -> uts:[4026531838]
134 one of the files in this directory
135 to somewhere else in the filesystem keeps
136 the corresponding namespace of the process specified by
138 alive even if all processes currently in the namespace terminate.
140 Opening one of the files in this directory
141 (or a file that is bind mounted to one of these files)
142 returns a file handle for
143 the corresponding namespace of the process specified by
145 As long as this file descriptor remains open,
146 the namespace will remain alive,
147 even if all processes in the namespace terminate.
148 The file descriptor can be passed to
151 In Linux 3.7 and earlier, these files were visible as hard links.
152 Since Linux 3.8, they appear as symbolic links.
153 If two processes are in the same namespace, then the inode numbers of their
154 .IR /proc/[pid]/ns/xxx
155 symbolic links will be the same; an application can check this using the
159 The content of this symbolic link is a string containing
160 the namespace type and inode number as in the following example:
164 $ \fBreadlink /proc/$$/ns/uts\fP
169 The files in this subdirectory are as follows:
171 .IR /proc/[pid]/ns/ipc " (since Linux 3.0)"
172 This file is a handle for the IPC namespace of the process.
174 .IR /proc/[pid]/ns/mnt " (since Linux 3.8)"
175 This file is a handle for the mount namespace of the process.
177 .IR /proc/[pid]/ns/net " (since Linux 3.0)"
178 This file is a handle for the network namespace of the process.
180 .IR /proc/[pid]/ns/pid " (since Linux 3.8)"
181 This file is a handle for the PID namespace of the process.
183 .IR /proc/[pid]/ns/user " (since Linux 3.8)"
184 This file is a handle for the user namespace of the process.
186 .IR /proc/[pid]/ns/uts " (since Linux 3.0)"
187 This file is a handle for the UTS namespace of the process.
189 .\" ==================== IPC namespaces ====================
191 .SS IPC namespaces (CLONE_NEWIPC)
192 IPC namespaces isolate certain IPC resources,
193 namely, System V IPC objects (see
195 and (since Linux 2.6.30)
196 .\" commit 7eafd7c74c3f2e67c27621b987b28397110d643f
197 .\" https://lwn.net/Articles/312232/
198 POSIX message queues (see
200 The common characteristic of these IPC mechanisms is that IPC
201 objects are identified by mechanisms other than filesystem
204 Each IPC namespace has its own set of System V IPC identifiers and
205 its own POSIX message queue filesystem.
206 Objects created in an IPC namespace are visible to all other processes
207 that are members of that namespace,
208 but are not visible to processes in other IPC namespaces.
212 interfaces are distinct in each IPC namespace:
214 The POSIX message queue interfaces in
215 .IR /proc/sys/fs/mqueue .
217 The System V IPC interfaces in
218 .IR /proc/sys/kernel ,
228 .IR shm_rmid_forced .
230 The System V IPC interfaces in
233 When an IPC namespace is destroyed
234 (i.e., when the last process that is a member of the namespace terminates),
235 all IPC objects in the namespace are automatically destroyed.
237 Use of IPC namespaces requires a kernel that is configured with the
241 .\" ==================== Network namespaces ====================
243 .SS Network namespaces (CLONE_NEWNET)
244 Network namespaces provide isolation of the system resources associated
245 with networking: network devices, IPv4 and IPv6 protocol stacks,
246 IP routing tables, firewalls, the
250 directory, port numbers (sockets), and so on.
251 A physical network device can live in exactly one
253 A virtual network device ("veth") pair provides a pipe-like abstraction
254 .\" FIXME Add pointer to veth(4) page when it is eventually completed
255 that can be used to create tunnels between network namespaces,
256 and can be used to create a bridge to a physical network device
257 in another namespace.
259 When a network namespace is freed
260 (i.e., when the last process in the namespace terminates),
261 its physical network devices are moved back to the
262 initial network namespace (not to the parent of the process).
264 Use of network namespaces requires a kernel that is configured with the
268 .\" ==================== Mount namespaces ====================
270 .SS Mount namespaces (CLONE_NEWNS)
271 Mount namespaces isolate the set of filesystem mount points,
272 meaning that processes in different mount namespaces can
273 have different views of the filesystem hierarchy.
274 The set of mounts in a mount namespace is modified using
280 .IR /proc/[pid]/mounts
281 file (present since Linux 2.4.19)
282 lists all the filesystems currently mounted in the
283 process's mount namespace.
284 The format of this file is documented in
286 Since kernel version 2.6.15, this file is pollable:
287 after opening the file for reading, a change in this file
288 (i.e., a filesystem mount or unmount) causes
290 to mark the file descriptor as readable, and
294 mark the file as having an error condition.
297 .IR /proc/[pid]/mountstats
298 file (present since Linux 2.6.17)
299 exports information (statistics, configuration information)
300 about the mount points in the process's mount namespace.
301 This file is only readable by the owner of the process.
302 Lines in this file have the form:
307 device /dev/sda7 mounted on /home with fstype ext3 [statistics]
312 The fields in each line are:
315 The name of the mounted device
316 (or "nodevice" if there is no corresponding device).
319 The mount point within the filesystem tree.
325 Optional statistics and configuration information.
326 Currently (as at Linux 2.6.26), only NFS filesystems export
327 information via this field.
330 .\" ==================== PID namespaces ====================
332 .SS PID namespaces (CLONE_NEWPID)
334 .BR pid_namespaces (7).
336 .\" ==================== User namespaces ====================
338 .SS User namespaces (CLONE_NEWUSER)
340 .BR user_namespaces (7).
342 .\" ==================== UTS namespaces ====================
344 .SS UTS namespaces (CLONE_NEWUTS)
345 UTS namespaces provide isolation of two system identifiers:
346 the hostname and the NIS domain name.
347 These identifiers are set using
350 .BR setdomainname (2),
351 and can be retrieved using
355 .BR getdomainname (2).
357 Use of UTS namespaces requires a kernel that is configured with the
361 Namespaces are a Linux-specific feature.
364 .BR user_namespaces (7).
374 .BR capabilities (7),
375 .BR pid_namespaces (7),
376 .BR user_namespaces (7),
379 This page is part of release 3.75 of the Linux
382 A description of the project,
383 information about reporting bugs,
384 and the latest version of this page,
386 \%http://www.kernel.org/doc/man\-pages/.