2.3.1.3 Kernel Mount Namespace
A focused guide to Kernel Mount Namespace, connecting core concepts with practical Docker and container operations.
The kernel mount namespace gives a container its own isolated view of mounted filesystems, which is what allows a container to see an entirely different filesystem layout — its image's layered root filesystem — without that view being visible to, or affecting, the host or other containers.
A Private Filesystem View
Within a mount namespace, mounting or unmounting a filesystem only affects that namespace's view; the same operation performed inside a container's mount namespace does not change what the host, or any other container, sees mounted.
docker run --rm alpine mount
This lists mounts visible only within the container's own mount namespace, typically the layered image filesystem along with any explicitly provided bind mounts or volumes.
Constructing the Container's Root Filesystem
Before a container's process starts, its mount namespace is populated with the assembled, layered filesystem from its image — read-only layers combined with a writable layer on top — using the kernel's overlay filesystem support, all of this happening within the isolation the mount namespace provides.
docker run --rm alpine ls /
This lists the contents of what appears to be the container's entire root filesystem, which is, in reality, the assembled overlay of image layers visible only within this mount namespace.
Bind Mounts Crossing the Namespace Boundary Deliberately
Volumes and bind mounts deliberately cross the mount namespace boundary, exposing specific host paths or named volumes inside the container's otherwise isolated filesystem view, exactly at the locations specified.
docker run -v "$(pwd)":/app alpine ls /app
This deliberately exposes the current host directory inside the container's namespace at /app, while everything else about the container's filesystem view remains isolated from the host as usual.
Read-Only Root Filesystems
The mount namespace isolation also supports marking a container's entire root filesystem as read-only, preventing the container's process from writing anywhere except explicitly provided writable mounts.
docker run --rm -it --read-only --tmpfs /tmp alpine sh
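The sections above (the private mount view, the overlay root, the deliberately crossed bind mount, and the read-only root with its one writable tmpfs) can all be verified from /proc/self/mountinfo, which is the kernel's per-namespace record of what is mounted. The script below is an added example, not code from the guide: it parses two constructed mountinfo snapshots, one as a host process would see it and one as a process inside a container started with the read-only, tmpfs and bind-mount options shown above would see it. The overlay layer paths, the device numbers and the bind-mounted host directory /home/alice/project are made-up sample values.

```sh
#!/bin/sh
# Added example (not from the guide): inspect /proc/self/mountinfo snapshots to
# confirm what the mount namespace does. Both snapshots below are CONSTRUCTED
# samples, not captured from a real host. Field layout follows proc(5):
#   id parent maj:min root mountpoint mnt_opts [optional ...] - fstype source super_opts
# The "root" field is the subtree of the source filesystem that is mounted, which
# is how a bind mount of a host directory shows up inside the container.

# Snapshot as seen by a process on the host (constructed).
HOST_MOUNTINFO='24 30 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
25 24 0:5 / /dev rw,nosuid shared:2 - devtmpfs udev rw,size=4096k
26 24 0:23 / /proc rw,nosuid,nodev,noexec,relatime shared:3 - proc proc rw
27 24 0:24 / /sys rw,nosuid,nodev,noexec,relatime shared:4 - sysfs sysfs rw'

# Snapshot as seen inside a container started (hypothetically) with
#   docker run --read-only --tmpfs /tmp -v /home/alice/project:/app alpine
# (constructed; overlay layer paths LOWER1/LOWER2/ID are placeholders).
CONTAINER_MOUNTINFO='1234 1200 0:98 / / ro,relatime - overlay overlay ro,lowerdir=/var/lib/docker/overlay2/l/LOWER1:/var/lib/docker/overlay2/l/LOWER2,upperdir=/var/lib/docker/overlay2/ID/diff,workdir=/var/lib/docker/overlay2/ID/work
1235 1234 0:99 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
1236 1234 0:100 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
1237 1234 0:101 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
1238 1234 0:102 / /tmp rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw
1239 1234 8:1 /home/alice/project /app rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro'

# Normalise a snapshot to "mountpoint fstype mnt_opts root" per line. awk finds
# the "-" separator so a variable number of optional fields never shifts columns.
mount_table() {
  printf '%s\n' "$1" | awk '{
    for (i = 7; i <= NF; i++) if ($i == "-") { sep = i; break }
    print $5, $(sep + 1), $6, $4
  }'
}

# Filesystem type mounted at mount point $2 (empty if nothing is mounted there).
fs_type_at() {
  mount_table "$1" | awk -v mp="$2" '$1 == mp { print $2; exit }'
}

# Per-mount options at $2; the ro/rw flag lives here, not in the super options.
mount_opts_at() {
  mount_table "$1" | awk -v mp="$2" '$1 == mp { print $3; exit }'
}

# True (exit 0) when the mount at $2 carries the "ro" flag.
is_readonly_at() {
  mount_opts_at "$1" "$2" | tr ',' '\n' | grep -qx ro
}

# Source subtree bound at $2, e.g. the host directory behind a bind mount.
bind_source_at() {
  mount_table "$1" | awk -v mp="$2" '$1 == mp { print $4; exit }'
}

# Mount points present in snapshot $1 but absent from snapshot $2: the mounts
# that exist only inside one namespace's view.
mounts_only_in() {
  { mount_table "$2" | awk '{ print "B", $1 }'
    mount_table "$1" | awk '{ print "A", $1 }'; } |
    awk '$1 == "B" { seen[$2] = 1; next } !($2 in seen) { print $2 }'
}

# Defender's check for a container snapshot: overlay root, read-only root, and a
# tmpfs at /tmp as the only scratch space. Exit 0 when all three hold.
check_hardened_root() {
  [ "$(fs_type_at "$1" /)" = overlay ] &&
  is_readonly_at "$1" / &&
  [ "$(fs_type_at "$1" /tmp)" = tmpfs ]
}

# To check a live container instead of the constructed sample, capture its own
# view of mountinfo, for example:
#   LIVE=$(docker run --rm --read-only --tmpfs /tmp alpine cat /proc/self/mountinfo)
#   check_hardened_root "$LIVE" && echo "hardened"

# Demonstration on the constructed samples.
echo "host root:      $(fs_type_at "$HOST_MOUNTINFO" /)"        # ext4
echo "container root: $(fs_type_at "$CONTAINER_MOUNTINFO" /)"   # overlay
echo "bind source of /app: $(bind_source_at "$CONTAINER_MOUNTINFO" /app)"
echo "container-only mounts: $(mounts_only_in "$CONTAINER_MOUNTINFO" "$HOST_MOUNTINFO" | tr '\n' ' ')"
check_hardened_root "$CONTAINER_MOUNTINFO" && echo "container root is hardened"
```

Two details are worth noticing in the output. The /app entry has the same device (8:1) and source (/dev/sda1) as the host's root filesystem but a non-root "root" field, which is exactly what a bind mount of a host subtree looks like from inside the namespace; and the read-only flag is a property of the mount at / in this namespace, so the same overlay can be read-only here while the daemon's own view of its layers is not.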
Why Mount Namespace Isolation Matters
Mount namespace isolation is what allows a container's filesystem to be both completely self-contained (built entirely from its image) and selectively connected to the host (through deliberate volume and bind mounts), giving precise control over exactly what filesystem state is shared and what remains isolated.