Ivan on the Server Side

How Containers Work: Building a Docker-like Container From Scratch


Which Linux namespace is the most important for a container? 🤔

After spending more than a month researching the topic of how containers are created at the lowest level, I came to the conclusion that the mount namespace is the bedrock of container isolation.

There is a good reason for it - Linux has long treated the filesystem as the central interface for managing processes, devices, and resources. Once you start assembling a container, it quickly becomes clear that other key namespaces - PID, UTS, network, and cgroup - cannot be fully utilized without an underlying "isolated filesystem view".

This is why I think that if you want to understand how containers work, you should try creating a container filesystem from scratch. And by that, I don't mean merely extracting the container rootfs from its image and passing it to a lower-level container runtime like runc. There is value in this exercise, but it still hides too many important details. This time, we shall go much deeper! ⛏️

After all, images don't contain complete and ready-to-use container filesystems. Just think of it for a second - each container has a unique hostname and networking configuration, which are typically stored in files like /etc/hosts or /etc/resolv.conf, while the image can only have some generic values written in these files. And the same goes for virtual filesystems like /dev, /proc, or /sys - they can only be populated by the kernel at runtime, while images are fully static creatures.

Thus, the container runtime needs to perform extra preparations after extracting the initial rootfs from the image and before executing the target application in the completed environment, and these preparations are the essence of containerization and the key topic of the deep dive that I just published:

How Container Filesystem Works: Building a Docker-like Container From Scratch

As usual, the post is well-illustrated and highly practical - by the end of it, you should be able to create a container using only stock Linux commands: unshare, mount, and pivot_root. No container runtime magic involved and (almost) no corners cut.
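To make the two ideas above concrete (the per-container preparation that an image cannot carry, and the unshare / mount / pivot_root sequence), here is an added shell sketch. It is not code from the deep dive or from iximiuz Labs; it assumes a root filesystem has already been extracted from an image into a directory, the hostname and nameserver values are constructed sample data, and the second stage needs root and a host with util-linux's unshare and pivot_root. It covers only the mount, PID and UTS namespaces, so it is a skeleton of the full procedure, not a replacement for it.

```shell
#!/bin/sh
# Added example, not from the original post. Two stages of turning an
# extracted image rootfs into a running container with stock Linux tools.
set -eu

# Stage 1 (no privileges needed): write the instance-specific files that a
# static image cannot contain, and create the mount points that the kernel
# will populate at run time. Values passed in are constructed sample data.
prepare_rootfs() {
    rootfs="$1"; ctr_hostname="$2"; nameserver="$3"
    mkdir -p "$rootfs/etc" "$rootfs/proc" "$rootfs/sys" "$rootfs/dev" "$rootfs/oldroot"
    printf '%s\n' "$ctr_hostname" > "$rootfs/etc/hostname"
    printf '127.0.0.1\tlocalhost\n127.0.1.1\t%s\n' "$ctr_hostname" > "$rootfs/etc/hosts"
    printf 'nameserver %s\n' "$nameserver" > "$rootfs/etc/resolv.conf"
}

# Stage 2 (root required): new mount, PID and UTS namespaces; mount the
# virtual filesystems inside the new root; then swap roots with pivot_root.
run_container() {
    rootfs="$1"; ctr_hostname="$2"; shift 2
    unshare --mount --pid --fork --uts sh -c '
        set -eu
        rootfs="$1"; ctr_hostname="$2"; shift 2
        hostname "$ctr_hostname"              # only this UTS namespace is renamed
        mount --make-rprivate /               # keep mounts from leaking to the host
        mount --bind "$rootfs" "$rootfs"      # pivot_root requires a mount point
        mount -t proc  proc  "$rootfs/proc"   # PIDs as seen from the new PID ns
        mount -t sysfs sysfs "$rootfs/sys"
        mount -t tmpfs -o mode=755 tmpfs "$rootfs/dev"
        mknod -m 666 "$rootfs/dev/null" c 1 3 # minimal /dev; a real runtime adds more
        mknod -m 666 "$rootfs/dev/zero" c 1 5
        cd "$rootfs"
        pivot_root . oldroot                  # new root becomes /, old root at /oldroot
        cd /
        umount -l /oldroot                    # detach the host filesystem view
        exec "$@"
    ' sh "$rootfs" "$ctr_hostname" "$@"
}

# Stand-alone usage (as root):
#   sh container.sh /tmp/rootfs demo-ctr 10.0.0.53 /bin/sh
if [ "$#" -ge 4 ]; then
    rootfs="$1"; name="$2"; dns="$3"; shift 3
    prepare_rootfs "$rootfs" "$name" "$dns"
    run_container "$rootfs" "$name" "$@"
fi
```

Stage 1 is the part the newsletter calls "extra preparations": it is ordinary file writing and needs no namespaces at all, which is why it can run unprivileged. Stage 2 is where isolation actually happens, and the ordering matters: /proc is mounted after the PID namespace exists so the container sees only its own processes, and /oldroot is unmounted lazily after pivot_root so the host root is no longer reachable from inside.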

Building something from scratch is a great way to learn and/or take your understanding to a totally different level. I hope you'll find this tutorial useful, and if so, please consider supporting my work (and get full access to all iximiuz Labs content and features in return).

Happy learning!

Ivan

A satellite project of labs.iximiuz.com - an indie learning platform to master Linux, Containers, and Kubernetes the hands-on way 🚀