Namespaces
Docker uses namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container.
- The `pid` namespace: Process isolation (PID: Process ID)
- The `net` namespace: Managing network interfaces (NET: Networking)
- The `ipc` namespace: Managing access to IPC resources (IPC: InterProcess Communication)
- The `mnt` namespace: Managing filesystem mount points (MNT: Mount)
- The `uts` namespace: Different host and domain names (UTS: Unix Timesharing System)
- The `user` namespace: Isolate security-related identifiers (USER: userid, groupid)
Namespaces Demonstration
```sh
docker run --rm -d alpine sleep 1111
ps aux | grep 'sleep 1111'        # note the host PID of the sleep process
sudo ls -l /proc/[pid]/ns/        # replace [pid] with that PID; each link names one namespace
```
PID namespace
- PID namespaces isolate the process ID number space, meaning that processes in different PID namespaces can have the same PID.
- PID namespaces allow containers to provide functionality such as suspending/resuming the set of processes in the container and migrating the container to a new host while the processes inside the container maintain the same PIDs.
For example, when running an nginx Docker container, nginx always has PID 1 inside the container, but on the host it has a different PID, such as 9989.
```sh
docker run --rm --name=samplewebapp1 -d nginx:alpine
ps aux | grep nginx                  # on the host: nginx has a normal host PID
docker exec -it samplewebapp1 sh
ps aux | grep nginx                  # inside the container: nginx is PID 1
docker run --rm --name=samplewebapp2 -d nginx:alpine
ps aux | grep nginx                  # on the host: a second, different PID
docker exec -it samplewebapp2 sh
ps aux | grep nginx                  # inside the second container: also PID 1
```
- Here we can see that both processes have different PIDs on the host system, but inside their containers they both use PID 1.
Attaching host processes to container
- We can also attach a container to the host's process namespace, or to another container's process namespace, using the `--pid` flag:

```sh
docker run --rm -it --pid=host jess/htop
```
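Both observations above, nginx being PID 1 inside the container but 9989 on the host, and a container sharing the host's PID namespace through `--pid=host`, can be checked from `/proc` instead of by eye. The following Python script is an added example and is not part of the original notes or of Docker: it reads the `/proc/<pid>/ns/*` links that `ls /proc/[pid]/ns/` shows and the `NSpid` line of `/proc/<pid>/status`, which lists a process's PID at every PID-namespace level. It assumes a Linux host with kernel 4.1 or newer (for `NSpid`) and root privileges when inspecting processes owned by other users; the namespace inode values in the comments are constructed.

```python
"""Inspect a process's namespaces through /proc (added example, not from the notes).

read_namespaces()  -> which namespace inode the process is in, per type
shared_namespaces() -> which of those are NOT isolated from a reference process
parse_nspid()      -> the PID as seen from each PID namespace, outermost first
"""
import os
import sys

# Namespace types from the notes, in the same order.
NS_TYPES = ("pid", "net", "ipc", "mnt", "uts", "user")


def read_namespaces(pid, ns_types=NS_TYPES):
    """Map namespace type -> link target, e.g. {'pid': 'pid:[4026531836]'}.

    Types that cannot be read (permission denied, process exited, namespace
    unsupported by this kernel) are left out rather than guessed.
    """
    found = {}
    for ns in ns_types:
        try:
            found[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            continue
    return found


def shared_namespaces(proc_ns, ref_ns):
    """Namespace types whose inode is identical in both maps, i.e. not isolated.

    Comparing a container process against PID 1 (the host init) reveals a
    --pid=host container as sharing 'pid'; with Docker's defaults 'user' is
    shared too, because user namespaces are only used with userns-remap.
    """
    return sorted(ns for ns, link in proc_ns.items() if ref_ns.get(ns) == link)


def parse_nspid(status_text):
    """Extract the NSpid values from the text of /proc/<pid>/status.

    A process in a nested PID namespace gets one value per level, outermost
    first: a tab-separated 'NSpid: 9989 1' means PID 9989 on the host and PID 1
    inside the container. A plain host process has a single value.
    """
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(tok) for tok in line.split()[1:]]
    return []  # kernels older than 4.1 do not emit NSpid


def read_nspid(pid):
    """NSpid values for a live process."""
    with open(f"/proc/{pid}/status") as fh:
        return parse_nspid(fh.read())


def isolation_report(pid, ref_pid=1):
    """Per-namespace verdict for pid relative to ref_pid (host init by default)."""
    proc_ns = read_namespaces(pid)
    shared = set(shared_namespaces(proc_ns, read_namespaces(ref_pid)))
    return {ns: (f"shared with PID {ref_pid}" if ns in shared else "isolated")
            for ns in proc_ns}


if __name__ == "__main__":
    # Usage: sudo python3 nsinspect.py <host pid of the container process>
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(f"PID {target} at each PID-namespace level (host first): {read_nspid(target)}")
    for ns, verdict in isolation_report(target).items():
        print(f"  {ns:5s} {verdict}")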