2.3.1.1 Kernel PID Namespace
A focused guide to Kernel PID Namespace, connecting core concepts with practical Docker and container operations.
The kernel PID namespace gives a container its own isolated process ID numbering, starting at 1, so that processes inside the container cannot see, and cannot be seen by, processes outside its namespace — directly enabling the sense that a container is its own independent system.
Process Numbering Starts Fresh
Inside a new PID namespace, the first process started is assigned PID 1, regardless of what its actual process ID is on the host — the namespace maintains an entirely separate numbering scheme.
docker run --rm alpine ps aux
This typically shows the container's main process as PID 1, even though, viewed from the host, that same process has a different, much higher PID.
docker inspect myapp --format '{{.State.Pid}}'
ps -p <host-pid>
Querying the same process from the host reveals its actual host-level PID, demonstrating that the container's PID 1 and the host's view of that process are simply two different numbering perspectives on the same underlying process.
Isolation From Other Processes
A process inside a container's PID namespace cannot see processes in a different PID namespace at all — they simply do not appear in its process list, regardless of what is actually running on the host.
docker exec myapp ps aux
This only ever shows processes belonging to the same container, never processes from other containers or from the host itself, because the PID namespace fundamentally limits what is visible.
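The two numbering perspectives described above (the host's PID versus the container's PID 1) and the isolation between namespaces can both be checked from the host without entering the container. The following is an added example, not part of the original guide: it parses the `NSpid` line that the Linux kernel (4.1 and later) writes into `/proc/<pid>/status`, which lists the process's PID in every PID namespace it belongs to, outermost first, and compares the `/proc/<pid>/ns/pid` inodes of two processes to decide whether they share a namespace. The sample status texts are constructed; the function and variable names are this example's own.

```python
"""Read a process's PID as seen from each nested PID namespace (added example)."""
import os
import re

# NSpid is reported by Linux 4.1+; leftmost value is the outermost namespace
# the reader can see, rightmost is the process's own (innermost) namespace.
NSPID_RE = re.compile(r"^NSpid:[ \t]*(.*)$", re.MULTILINE)


def parse_nspid(status_text: str) -> list[int]:
    """Return the PID list from a /proc/<pid>/status text, outermost first.

    An empty list means NSpid was absent (old kernel or truncated input).
    """
    match = NSPID_RE.search(status_text)
    if not match:
        return []
    return [int(tok) for tok in match.group(1).split()]


def namespace_depth(status_text: str) -> int:
    """How many PID namespaces the process is visible from (1 = host only)."""
    return len(parse_nspid(status_text))


def is_in_child_pid_namespace(status_text: str) -> bool:
    """True when the process lives in a PID namespace nested below the viewer's."""
    return namespace_depth(status_text) > 1


def read_status(pid: int) -> str:
    """Read /proc/<pid>/status on a live Linux host (needs procfs)."""
    with open(f"/proc/{pid}/status", encoding="ascii") as fh:
        return fh.read()


def same_pid_namespace(pid_a: int, pid_b: int) -> bool:
    """Compare the pid-namespace inodes of two live processes (needs ptrace access)."""
    return os.stat(f"/proc/{pid_a}/ns/pid").st_ino == os.stat(f"/proc/{pid_b}/ns/pid").st_ino


def live_self_check():
    """On a Linux host, confirm our own innermost NSpid equals os.getpid().

    Returns None when procfs or NSpid is unavailable, so callers can skip.
    """
    if not os.path.isfile("/proc/self/status"):
        return None
    pids = parse_nspid(read_status(os.getpid()))
    if not pids:
        return None
    return pids[-1] == os.getpid()


# Constructed sample: the host's view of a container's main process.
SAMPLE_CONTAINER_STATUS = (
    "Name:\tmyapp\n"
    "State:\tS (sleeping)\n"
    "Pid:\t12345\n"
    "PPid:\t12300\n"
    "NSpid:\t12345\t1\n"
    "NSpgid:\t12345\t1\n"
)

# Constructed sample: an ordinary host process, present in one namespace only.
SAMPLE_HOST_STATUS = "Name:\tsshd\nState:\tS (sleeping)\nPid:\t800\nNSpid:\t800\n"

if __name__ == "__main__":
    print("container process as seen by host:", parse_nspid(SAMPLE_CONTAINER_STATUS))
    print("host process:", parse_nspid(SAMPLE_HOST_STATUS))
    if os.path.isdir("/proc"):
        me = os.getpid()
        print("this process:", parse_nspid(read_status(me)),
              "same ns as parent:", same_pid_namespace(me, os.getppid()))
```

A process whose `NSpid` has more than one entry is running inside a child PID namespace; `docker inspect --format '{{.State.Pid}}'` gives the host-side value, which is the leftmost entry, and the container-side PID 1 appears as the rightmost.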
PID 1 and Signal Handling
Because the container's main process is PID 1 within its namespace, it inherits some of the special responsibilities Unix traditionally assigns to PID 1, including reaping zombie child processes — a responsibility that leaves defunct processes accumulating in the container if the main process was not written to wait on children it did not start itself.
ENTRYPOINT ["tini", "--"]
CMD ["myapp"]
Using a minimal init process as the actual PID 1, with the application launched as its child, is a common pattern to correctly handle this responsibility without modifying the application itself.
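What such a minimal init actually has to do is small enough to show in full. The following is an added example, not tini's own code: it reaps every exited child with `waitpid(-1, WNOHANG)` (as PID 1 this also collects orphaned grandchildren the kernel re-parents to it), and it installs handlers for SIGTERM and SIGINT that forward the signal to the application, because the kernel discards a signal whose action would be the default for PID 1, so an unhandled `docker stop` would otherwise sit out its grace period and end in SIGKILL. The `grace_seconds` default and the `demo_*` helper names are this example's own choices.

```python
"""Minimal container init: reap zombies and forward stop signals (added example)."""
import os
import signal
import sys
import time


def reap_zombies() -> list[tuple[int, int]]:
    """Reap every child that has already exited, without blocking.

    waitpid(-1, WNOHANG) accepts any child, so orphans re-parented to PID 1
    are collected as well as direct children. Returns (pid, status) pairs.
    """
    reaped = []
    while True:
        try:
            pid, status = os.waitpid(-1, os.WNOHANG)
        except ChildProcessError:  # no children left at all
            break
        if pid == 0:  # children exist but none has exited yet
            break
        reaped.append((pid, status))
    return reaped


def exit_code_from_status(status: int) -> int:
    """Translate a wait status into a shell-style exit code (128+N for signals)."""
    if os.WIFSIGNALED(status):
        return 128 + os.WTERMSIG(status)
    return os.WEXITSTATUS(status)


def spawn(argv: list[str]) -> int:
    """fork+exec argv as a direct child and return its PID."""
    pid = os.fork()
    if pid == 0:
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)  # only reached if exec failed
    return pid


def run_as_init(argv: list[str], grace_seconds: float = 10.0) -> int:
    """Supervise argv the way a container init would; return its exit code."""
    child = spawn(argv)
    state = {"signal": None, "deadline": None}

    def forward(signum, _frame):
        # Without a handler, PID 1 would silently drop SIGTERM/SIGINT.
        state["signal"] = signum
        try:
            os.kill(child, signum)
        except ProcessLookupError:
            pass

    previous = {sig: signal.signal(sig, forward) for sig in (signal.SIGTERM, signal.SIGINT)}
    child_status = None
    try:
        while child_status is None:
            for pid, status in reap_zombies():
                if pid == child:
                    child_status = status
            if child_status is None:
                if state["signal"] is not None and state["deadline"] is None:
                    state["deadline"] = time.monotonic() + grace_seconds
                if state["deadline"] is not None and time.monotonic() > state["deadline"]:
                    os.kill(child, signal.SIGKILL)  # grace period over
                time.sleep(0.05)  # simple polling; a SIGCHLD handler would also do
        reap_zombies()  # collect anything the main process left behind
    finally:
        for sig, handler in previous.items():
            signal.signal(sig, handler)
    return exit_code_from_status(child_status)


def demo_reap(n: int, timeout: float = 5.0) -> int:
    """Spawn n short-lived children and return how many were reaped."""
    spawned = {spawn([sys.executable, "-c", "pass"]) for _ in range(n)}
    reaped = set()
    deadline = time.monotonic() + timeout
    while spawned - reaped and time.monotonic() < deadline:
        reaped.update(pid for pid, _ in reap_zombies())
        time.sleep(0.02)
    return len(spawned & reaped)


def demo_init_exit(code: int) -> int:
    """Run a child exiting with `code` under run_as_init; return what init reports."""
    return run_as_init([sys.executable, "-c", f"import sys; sys.exit({code})"])


if __name__ == "__main__":
    sys.exit(run_as_init(sys.argv[1:] or ["sleep", "1"]))
```

Invoked as the container's ENTRYPOINT with the application as its arguments, this gives the same shape as the tini pattern above; `docker run --init` achieves the same by inserting Docker's bundled tini as PID 1 without changing the image.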
Why PID Namespace Isolation Matters
PID namespace isolation directly prevents a container from observing or signaling processes belonging to other containers or the host, which is foundational to treating each container as an independently manageable, isolated workload.