Ever wondered how containers have their own processes, networks, and even file systems — completely separate from the host?
That magical isolation isn’t just some Docker black box, it’s built on a powerful Linux kernel feature called namespaces.
But first, don’t confuse Docker namespaces with Kubernetes namespaces: they are completely different things.
- Docker namespaces are about OS-level isolation (processes, network, users).
- Kubernetes namespaces are about logical separation within a cluster (dev, staging, prod, etc.).
So what are Docker namespaces?
Namespaces are like putting a container in its own bubble for each system resource:
| Namespace | Isolates | Example |
|---|---|---|
| pid | Processes | Container has its own PID tree |
| net | Network stack | Its own IP, interfaces, routes |
| mnt | File system mounts | Container’s file system |
| uts | Hostname & domain | Different container hostname |
| ipc | Shared memory | Separate communication channels |
| user | User/group IDs | Map users differently |
The Result?
Each container thinks it’s a mini-computer, but every container is really just a segmented view of the same host kernel, which uses namespaces to limit what each one can see and touch.
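Namespace membership is visible from user space: each process has one symlink per namespace under `/proc/<pid>/ns/`, and two processes share a namespace exactly when the link targets (the inodes) match. The following script is an added example, not part of the original post; it reads those links for the six namespace kinds in the table and reports which ones a container process shares with the host, which is how you would spot a container started with flags like `--pid=host` or `--net=host` that deliberately drop one of the bubbles. The function and variable names are my own.

```python
"""Check which Linux namespaces a process shares with another via /proc/<pid>/ns."""
import os
from typing import Dict, List, Optional

# The six namespace kinds from the table above (newer kernels also have cgroup and time).
NS_TYPES = ("pid", "net", "mnt", "uts", "ipc", "user")
UNKNOWN = "unknown"


def read_ns(pid: int) -> Dict[str, str]:
    """Return {namespace: 'type:[inode]'} for a PID from its /proc/<pid>/ns/* symlinks."""
    result = {}
    for ns in NS_TYPES:
        try:
            result[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            # No such link (old kernel) or no permission to inspect that PID.
            result[ns] = UNKNOWN
    return result


def shared_namespaces(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Namespace kinds in which processes a and b share the same kernel object."""
    return [
        ns for ns in NS_TYPES
        if a.get(ns, UNKNOWN) != UNKNOWN and a.get(ns) == b.get(ns)
    ]


def isolation_report(container: Dict[str, str], host: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Per namespace kind: True = isolated from host, False = shared, None = undetermined.

    A False entry means the container sees the host's view of that resource, e.g.
    host PIDs with --pid=host or host interfaces with --net=host.
    """
    report: Dict[str, Optional[bool]] = {}
    for ns in NS_TYPES:
        c, h = container.get(ns, UNKNOWN), host.get(ns, UNKNOWN)
        report[ns] = None if UNKNOWN in (c, h) else c != h
    return report


if __name__ == "__main__":
    # Compare this process with PID 1; reading /proc/1/ns usually needs root.
    for ns, isolated in isolation_report(read_ns(os.getpid()), read_ns(1)).items():
        print(f"{ns:5s} isolated from PID 1: {isolated}")
```

Inside a container, run it against a container PID and the host's PID 1 (from the host side) to confirm every row of the table really is separate.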
So next time you run:
`docker run -it ubuntu bash`
Namespaces = the reason Docker containers are lightweight and fast.