
Namespaces

Last Updated: 2023-08-20

A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.

There are 7 namespaces in Linux:

  • Cgroup: cgroup = control group. Resource limiting, prioritization, accounting and control.
  • IPC: Inter-process Communication.
  • Network: Network devices, ports, etc.
  • Mount: Mount points (of file systems).
  • PID: Process IDs.
  • User: User and group IDs.
  • UTS: UNIX Timesharing System, named after the data structure used to store the info returned by the uname system call. Isolates the hostname and NIS domain name.

cgroup

  • cgroup = control group.
  • System for resource management on Linux.
  • Directory hierarchy at /sys/fs/cgroup.
  • Limit, throttle, and account for resource usage per control group.
  • Each resource interface is provided by a controller.
  • Used to constrain resources that are allocated to processes.

When systemd is chosen as the init system for a Linux distribution, the init process generates and consumes a root control group (cgroup) and acts as a cgroup manager. systemd has a tight integration with cgroups and allocates a cgroup per systemd unit.

cgroup v1 vs cgroup v2

cgroup v1 has one hierarchy per resource (resource = cpu, devices, memory, pids, etc.):

  • Separate hierarchy/cgroups for each resource.
  • cgroups can be nested inside each other.
  • Limits and accounting are performed per-cgroup.
  • One PID is in exactly one cgroup per resource.
/sys/fs/cgroup => resource => cgroup => pid

cgroup v2 has a unified hierarchy. Each cgroup can support multiple resource domains.

  • cgroups are "global": not limited to one resource.
  • Resources are now opt-in for cgroups.
  • Granularity at TGID (PID), not TID level.
  • Focus on simplicity/clarity over ultimate flexibility.
/sys/fs/cgroup => cgroup => (cgroup) => pid => (resource)

Identify the cgroup version on Linux Nodes

To check which cgroup version your distribution uses:

$ stat -fc %T /sys/fs/cgroup/
  • For cgroup v2, the output is cgroup2fs.
  • For cgroup v1, the output is tmpfs.

To check the layout:

$ ls /sys/fs/cgroup
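
The filesystem check above describes the node. The same v1/v2 difference is visible per process in /proc/<pid>/cgroup, which is useful when auditing what limits a container process is actually under. The script below is an added example, not part of the original page. The function names, the "mixed" label for a file holding both kinds of entry, and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a /proc/<pid>/cgroup file as cgroup v1, v2 or mixed.
# Each line is "hierarchy-ID:controller-list:cgroup-path".
#   v2 entry: ID 0 and an empty controller list, e.g. 0::/user.slice
#   v1 entry: one line per mounted hierarchy,     e.g. 5:memory:/docker/abc

# classify_cgroup_layout FILE -> prints v1, v2, mixed or unknown
classify_cgroup_layout() {
    awk -F: '
        NF >= 3 && $1 == "0" && $2 == "" { v2 = 1; next }
        NF >= 3 && $2 != ""              { v1 = 1 }
        END {
            if (v1 && v2) print "mixed"
            else if (v2)  print "v2"
            else if (v1)  print "v1"
            else          print "unknown"
        }' "$1"
}

# cgroup_memberships FILE -> prints "controller path", one pair per line.
# v1 yields one path per resource; v2 yields a single "unified" path.
cgroup_memberships() {
    awk -F: 'NF >= 3 {
        path = $0; sub(/^[^:]*:[^:]*:/, "", path)   # keep ":" inside the path
        if ($2 == "") { print "unified", path; next }
        n = split($2, ctrl, ",")                    # e.g. "cpu,cpuacct"
        for (i = 1; i <= n; i++) print ctrl[i], path
    }' "$1"
}

# Constructed sample (not captured from a real host): a v1 container process.
sample_v1() {
    printf '%s\n' '5:memory:/docker/c1' '3:cpu,cpuacct:/docker/c1' '2:pids:/docker/c1/init'
}

# Run against the live process when the file exists, else against the sample.
f=/proc/self/cgroup
[ -r "$f" ] || { f=$(mktemp); sample_v1 > "$f"; }
echo "layout: $(classify_cgroup_layout "$f")"
cgroup_memberships "$f"
```

In the v1 sample the pids controller places the process in a different cgroup than memory and cpu, which the unified v2 hierarchy does not allow.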

Networking

Each network namespace has its own localhost and loopback (lo) device. If the loopback device is not up, localhost will not work.