Diving into Linux Namespaces: An Overview of PID Namespaces (Part-1)

Linux Dec 28, 2022

Have you ever wondered how containerization technologies like Docker or Kubernetes are able to create isolated environments for running applications? One key technology that enables this isolation is Linux namespaces.

Linux namespaces allow processes to have their own isolated view of the system, including their own process IDs, network interfaces, mount points, and more. A namespace wraps one kind of global kernel resource so that a group of processes sees its own private instance of it; processes in different namespaces cannot see or name each other's instance. Containers are built from several namespaces used together, combined with cgroups for resource limits and with capabilities, seccomp and LSM policy for hardening: a namespace on its own is an isolation mechanism, not a complete security boundary.

Types of Linux namespaces:

There are several different types of Linux namespaces, each of which serves a different purpose:

  1. PID namespace: This namespace isolates the process ID space, so that processes within a particular namespace have their own process IDs that are distinct from those in other namespaces. Each namespace has its own PID 1, so, for example, every container can run its own init and its own process tree starting from it.
  2. Network namespace: This namespace isolates the network stack, including network interfaces, IP addresses, and routing tables. This allows processes within a particular namespace to have their own separate network stack, which can be useful for creating virtual networks or implementing network isolation.
  3. Mount namespace: This namespace isolates the filesystem, allowing processes within a particular namespace to have their own separate view of the filesystem hierarchy. This can be used to create sandboxes or to mount and unmount filesystems without affecting the rest of the system.
  4. UTS namespace: This namespace isolates the hostname and domain name of the system, allowing processes within a particular namespace to have their own hostname and domain name that are distinct from those of the rest of the system.
  5. User namespace: This namespace isolates the user and group ID space, allowing processes within a particular namespace to have their own user and group ID mapping. A process can be UID 0 with a full set of capabilities inside the namespace while being an ordinary unprivileged user outside it, and those capabilities only apply to resources owned by that namespace. This is what lets an unprivileged user create the other namespace types ("rootless" containers).
  6. Cgroup namespace: This namespace virtualizes the view of the cgroup hierarchy, so that a process's own cgroup appears as the root of the hierarchy in /proc/self/cgroup and the cgroup filesystem. It hides the host's cgroup layout from the container; the resource limits themselves come from cgroups, not from the namespace.
  7. IPC namespace: This namespace isolates the System V IPC objects and POSIX message queues of the system, i.e. message queues, semaphores, and shared memory segments.
  8. Time namespace (Linux 5.6 and later): This namespace isolates the CLOCK_MONOTONIC and CLOCK_BOOTTIME clocks, so that a checkpointed and restored container keeps a consistent view of elapsed time.

PID namespace

A PID namespace is a type of Linux namespace that isolates the process ID space of a system. Process IDs (PIDs) are unique identifiers that are assigned to each process when it is created. On a system with no extra PID namespaces, every process lives in the initial PID namespace and has a PID that is distinct from every other process on the system.

init (PID 1)
  |
  |-- bash (PID 2)
  |     |
  |     |-- ls (PID 3)
  |
  |-- sleep (PID 4)

When a PID namespace is used, the process ID space is isolated from the rest of the system. Processes within a particular PID namespace have their own PIDs that are distinct from those in other PID namespaces or in the initial namespace, and PID numbering starts again at 1 in each namespace. The first process created in a new PID namespace gets PID 1 and plays the role of init for it: orphaned processes in the namespace are reparented to it, and if it exits the kernel sends SIGKILL to every other process in the namespace. PID namespaces nest, so a namespace can contain further namespaces.

init (PID 1)
  |
  |-- bash (PID 2)
  |     |
  |     |-- ls (PID 3)
  |
  |-- sleep (PID 4)
  |
  |-- new_namespace (PID namespace)
        |
        |-- new_process (PID 1)
        |-- new_process_2 (PID 2)

In this example, the processes within the "new_namespace" namespace have PIDs 1 and 2 within the namespace, but those numbers are only meaningful there. Each of them also has a PID in the parent (here, the initial) namespace, where it shows up as an ordinary process: "new_process" is PID 1 inside "new_namespace", but from the initial namespace it is seen under some other, system-wide unique PID. Visibility is one-way: a process in the parent namespace can see and signal the processes of the child namespace, while processes inside the child namespace cannot see any process outside it.
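The mapping above can be read straight out of /proc without any privileges: /proc/<pid>/ns/pid is a symlink whose target (for example "pid:[4026531836]") identifies the namespace, and since Linux 4.1 the "NSpid:" line of /proc/<pid>/status lists the process's PID in every namespace from the reader's own down to the process's own. The script below is an added example, not code from the original post; the NSpid value "1789 1" used in the comments is a constructed sample, and on a host running containers the final loop will list those containers' processes with both their host PID and the PID they see themselves.

```shell
#!/bin/sh
# Added example (not from the original post): see which PID a process has in
# each PID namespace it belongs to, using only /proc. Runs unprivileged.
#
# /proc/<pid>/ns/pid  -> symlink "pid:[<inode>]"; same target = same namespace
# /proc/<pid>/status  -> "NSpid:" line (kernel >= 4.1) listing the PID in every
#                        namespace from the reader's down to the process's own

# Namespace identity of a process, e.g. "pid:[4026531836]".
pid_ns_of() {
    readlink "/proc/$1/ns/pid"
}

# Succeeds when both PIDs live in the same PID namespace.
same_pid_ns() {
    [ "$(pid_ns_of "$1")" = "$(pid_ns_of "$2")" ]
}

# "NSpid:<tab>1789<tab>1" -> "1789 1" (outermost namespace first).
parse_nspid() {
    printf '%s\n' "$1" | sed -e 's/^NSpid:[[:space:]]*//' -e 's/[[:space:]]\{1,\}/ /g'
}

# How many PID namespaces deep the process is, relative to the reader:
# 1 = our own namespace, 2 = one child namespace down (a container's tree), ...
nspid_depth() {
    set -- $(parse_nspid "$1")
    echo "$#"
}

# The PID the process itself sees from getpid(): the last entry.
nspid_inner() {
    last=
    for p in $(parse_nspid "$1"); do last=$p; done
    echo "$last"
}

# One line per process: PID as seen here, namespace, depth, and its own PID.
report() {
    line=$(grep '^NSpid:' "/proc/$1/status" 2>/dev/null) || {
        echo "$1: gone, unreadable, or kernel without NSpid"; return 1; }
    printf '%-7s %-18s depth=%s  sees itself as PID %s  (NSpid: %s)\n' \
        "$1" "$(pid_ns_of "$1")" "$(nspid_depth "$line")" \
        "$(nspid_inner "$line")" "$(parse_nspid "$line")"
}

echo "this shell:"
report $$ || true

# A process in a child namespace shows up here with a PID that differs from
# the one it sees itself. The reverse never happens: from inside that child
# namespace, none of our processes exist.
echo "processes living in nested PID namespaces, as seen from here:"
for d in /proc/[0-9]*; do
    line=$(grep '^NSpid:' "$d/status" 2>/dev/null) || continue
    if [ "$(nspid_depth "$line")" -gt 1 ]; then report "${d#/proc/}" || true; fi
done
```

Run it on a host with a running container and the container's processes appear with depth=2: their host PID in the first column, their in-container PID in "sees itself as". Run the same script inside the container and only depth=1 processes appear, because the container's /proc cannot show anything from the parent namespace.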

PID namespaces in action:

Let's get started with PID namespaces. First, let's list the processes that are running on the system:

ps -eo pid,comm

Now let's create a new PID namespace with the unshare command (creating one requires CAP_SYS_ADMIN, hence sudo):

sudo unshare --pid --fork --mount-proc bash

This creates a new PID namespace and, because of --fork, starts bash as a child process inside it. The fork is needed because unshare(2) with CLONE_NEWPID does not move the calling process into the new namespace; only children created afterwards are born there. Without --fork, bash itself would stay in the original namespace, its first child would become PID 1 of the new one, and once that child exited every later fork from that bash would fail. With --fork, the bash shell has PID 1 within the namespace: it is the namespace's init, other processes it starts get PIDs 2, 3, and so on, and if it exits the kernel kills everything else in the namespace. The --mount-proc option implies --mount, so bash also gets its own mount namespace, and a fresh proc filesystem is mounted over /proc in it. This matters because ps and similar tools do not ask the kernel for a process list; they read /proc. Without --mount-proc, ps inside the new PID namespace would still read the host's /proc and list every process on the machine, with host PIDs.

Let's use the ps command within the new bash shell to view the processes within the namespace:

ps -eo pid,comm

This shows the PID and command name for all processes within the namespace, and nothing from outside it. We should see the bash shell with a PID of 1, the ps process itself, and any other processes we have started within the namespace.

Now let's interact with an existing namespace. To list the PID namespaces on a Linux system, we can use the lsns command with --type pid; from another terminal, while the bash started by unshare is still running, it shows the namespace created above. Each line gives the namespace's inode number (NS), the number of processes in it (NPROCS), the lowest PID in it as seen from our namespace (PID), and that process's command.

sudo lsns --type pid

To enter a specific PID namespace, we can use the nsenter command. Its -t option takes the PID of a process that is already inside the target namespace, as seen from our namespace (the PID column of lsns is a good choice); it does not take an identifier of the namespace itself. Assuming that process has PID 1789, we use the following command:

sudo nsenter -t 1789 -p -m -r bash

The -p flag joins the target's PID namespace; since a process cannot change its own PID namespace, nsenter forks first and bash runs in the child, where it gets a fresh PID in the namespace. The -m flag joins the target's mount namespace, which is where the private /proc created by --mount-proc lives; without it, bash would be in the new PID namespace but ps would read the host's /proc and list the host's processes. The -r flag with no argument sets the root directory to that of the target process (a chroot), so commands run in the context of the namespace; here it is the same root as ours, because unshare did not change it. Joining another process's namespaces requires CAP_SYS_ADMIN, hence sudo.

Let's use the ps command within this bash shell to view the processes within the namespace:

ps -eo pid,comm

With the namespace's own /proc in place, this lists only the namespace's process tree: the bash started by unshare as PID 1, and the bash started by nsenter (and its ps) under higher PIDs, since every process entering the namespace gets the next free PID there.
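The whole procedure, scripted end to end, as an added example that is not part of the original post: create the namespace with unshare, find it with lsns, enter it with nsenter, and compare what ps reports when only the PID namespace is joined versus when the mount namespace (with its private /proc) is joined as well. The live part needs root with CAP_SYS_ADMIN, util-linux 2.32 or later (for --kill-child), and procps; the script skips it otherwise. The lsns lines used in the comments and in the check are constructed samples, and the helper names (pid_for_ns, ns_inode, demo) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): create a PID namespace, find it
# with lsns, enter it with nsenter, and compare what ps reports on each side.
# The live part needs root with CAP_SYS_ADMIN plus util-linux (unshare, lsns,
# nsenter) and procps (ps, pgrep); it is skipped otherwise.

# Map a PID-namespace inode (as printed by lsns, or by readlink /proc/PID/ns/pid)
# to the PID lsns lists for it. Reads `lsns -t pid -n -o NS,PID,COMMAND` output
# on stdin, e.g. the constructed line "4026532201 1789 sleep 300".
# nsenter -t wants a *process* inside the namespace, not a namespace id, and
# this is how to pick one.
pid_for_ns() {
    awk -v ns="$1" '$1 == ns { print $2; exit }'
}

# "pid:[4026532201]" -> "4026532201" for the namespace of a process.
ns_inode() {
    readlink "/proc/$1/ns/pid" | sed 's/^pid:\[\([0-9]*\)\]$/\1/'
}

demo() {
    # 1. Create the namespace. --fork makes unshare spawn a child, because the
    #    process that calls unshare(CLONE_NEWPID) stays in its old namespace;
    #    only its children land in the new one. --mount-proc also gives the
    #    child a private mount namespace with a fresh /proc. --kill-child ties
    #    the child's life to unshare's, so cleanup below cannot leak it.
    unshare --pid --fork --mount-proc --kill-child sleep 300 &
    unshare_pid=$!
    sleep 1

    # 2. From the host, the namespace's PID 1 is an ordinary process with a
    #    host PID; NSpid shows both numbers, e.g. "NSpid: 1789  1".
    init_host_pid=$(pgrep -P "$unshare_pid")
    echo "host view: $(grep '^NSpid:' "/proc/$init_host_pid/status")"

    # 3. Locate the namespace with lsns and pick a PID to hand to nsenter.
    inode=$(ns_inode "$init_host_pid")
    target=$(lsns -t pid -n -o NS,PID,COMMAND | pid_for_ns "$inode")
    echo "lsns: namespace $inode is entered via host PID $target"

    # 4. Enter with -p *and* -m. ps reads /proc, so joining only the PID
    #    namespace while keeping the host's mount namespace still lists every
    #    host process: the PID namespace alone hides nothing from ps.
    echo "--- nsenter -p -m (private /proc): only the namespace's processes"
    nsenter -t "$target" -p -m -- ps -eo pid,comm
    echo "--- nsenter -p only (host /proc): $(nsenter -t "$target" -p -- ps -eo pid= | wc -l) processes listed"

    # 5. Tear down: when unshare dies, --kill-child signals PID 1 of the
    #    namespace, and the kernel then kills everything else in it.
    kill "$unshare_pid"
    wait "$unshare_pid" 2>/dev/null
}

if [ "$(id -u)" -eq 0 ] && unshare --pid --fork true 2>/dev/null; then
    demo
else
    echo "live demo skipped: needs root with CAP_SYS_ADMIN"
fi
```

The second ps in step 4 is the check worth remembering: a shell that is "inside" the PID namespace but still sees the host's /proc can read /proc/<host pid>/ of any host process, which is exactly what a container runtime's combination of PID and mount namespaces is there to prevent.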

Conclusion

In conclusion, PID namespaces are a powerful tool in Linux that allow you to isolate processes and create multiple, independent process trees on a single system. This can be useful in a variety of scenarios, such as building containers, lightweight virtualization, or testing software. Stay tuned for part 2 of this series, where we will dive into network namespaces and learn how to isolate and manage network resources in Linux.

I hope this blog post has provided a helpful introduction to PID namespaces in Linux and how they can be used. If you have any further questions or would like to discuss this topic in more detail, you can reach me via direct message and I would be happy to have a conversation. If you want to learn more, I recommend consulting the documentation for the unshare, nsenter, and lsns commands, as well as the namespaces(7) and pid_namespaces(7) man pages.
