2.3.1 Namespace Isolation
A focused guide to Namespace Isolation, connecting core concepts with practical Docker and container operations.
Namespace isolation is the kernel mechanism that gives each container its own private view of a particular kind of system resource, by creating a separate instance of that resource's bookkeeping per namespace, so that processes in different namespaces cannot see or interfere with each other's view of it.
The General Pattern Across Namespace Types
Each namespace type isolates a different resource — processes, network interfaces, mount points, hostname, user and group IDs, and inter-process communication objects — but they all follow the same underlying pattern: the kernel maintains separate instances of its bookkeeping structures per namespace, and a process only ever sees the instance belonging to its own namespace.
docker run --rm alpine ls -la /proc/self/ns/
This lists every namespace a container's process currently belongs to, each one a distinct kernel object the process is bound to.
Multiple Namespaces, One Container
A single container typically uses several namespace types at once, each isolating a different aspect of its environment; together they produce the impression of running on a private system.
docker run --rm alpine sh -c "hostname; ip addr; ps aux"
The hostname, network interfaces, and process list reported here all come from namespaces specific to this one container, entirely separate from what the host or any other container would report for the same commands.
Joining an Existing Namespace
A new process can be placed into an already-existing namespace rather than creating a new one, which is how docker exec runs an additional command inside an already-running container's existing namespaces rather than creating a separate isolated environment for it.
docker exec myapp ps aux
The process list this returns matches what the container's main process sees, because the executed command joins the container's existing PID namespace rather than starting in a new one.
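As an added example (not part of this guide), the following Python check applies the /proc/&lt;pid&gt;/ns view from "The General Pattern" and the namespace-joining point from this section: it reads a process's namespace links and compares two processes' namespace inodes, so an operator can confirm that a docker exec'd command really landed in the container's namespaces, or spot a container process that still shares one of the host's namespaces. The inode values used in the test are constructed; `namespaces_of` only reads what the current /proc exposes.

```python
import os
import re

# Each link in /proc/<pid>/ns/ reads like "net:[4026531840]": the namespace
# type, then the inode of the kernel object that backs it.
NS_LINK_RE = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")

# Types whose sharing with the host removes a layer of isolation.
CORE_TYPES = ("pid", "net", "mnt", "uts", "ipc")


def parse_ns_link(link: str) -> tuple:
    """Turn one readlink() result such as 'pid:[4026531836]' into (type, inode)."""
    m = NS_LINK_RE.match(link)
    if not m:
        raise ValueError(f"not a namespace link: {link!r}")
    return m.group("type"), int(m.group("inode"))


def namespaces_of(pid) -> dict:
    """Return {namespace_type: inode} for a PID ('self' works too), or {} if /proc
    is unavailable. Reading another process's links needs ptrace-level access."""
    ns_dir = f"/proc/{pid}/ns"
    found = {}
    try:
        names = os.listdir(ns_dir)
    except OSError:
        return found
    for name in names:
        try:
            ns_type, inode = parse_ns_link(os.readlink(os.path.join(ns_dir, name)))
        except (OSError, ValueError):
            continue
        found[ns_type] = inode
    return found


def shared_namespaces(a: dict, b: dict) -> dict:
    """For each type in both maps: True when both processes are bound to the same
    kernel object, i.e. the inodes match (what docker exec relies on)."""
    return {t: a[t] == b[t] for t in sorted(a.keys() & b.keys())}


def host_shared_types(proc_ns: dict, host_ns: dict, types=CORE_TYPES) -> list:
    """Types from `types` that proc_ns shares with host_ns; empty means fully
    isolated in those namespaces."""
    shared = shared_namespaces(proc_ns, host_ns)
    return [t for t in types if shared.get(t)]
```

Comparing `namespaces_of(1)` with `namespaces_of(<container pid>)` from the host, as root, gives the same answer as the constructed maps below; an empty result from `host_shared_types` is what a fully namespaced container should produce.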
Why Namespace Isolation Is the Foundation of Containers
Namespace isolation, more than any other single mechanism, is what makes a container feel like an independent system from the inside while remaining, from the host's perspective, an ordinary process — every other property commonly associated with containers builds on this foundational kernel capability.