There are 7 namespace types (8 since Linux 5.6, which added the time namespace; it is not covered here). At any point in time, there can be multiple instances of each type.
A process belongs to exactly one instance of every namespace type, and it can move from one instance to another of a given type (setns(2)); new instances are created with clone(2) or unshare(2).
This means that 2 processes can share an instance of one namespace type while sitting in different instances of another.
Virtual machines, running on a hypervisor, run an independent kernel. They therefore provide all-or-nothing isolation. Namespaces, on the other hand, provide lightweight, fine-grained isolation. For example, you can isolate 2 processes in just one namespace type (say, the network) while they share everything else.
List of namespaces:
Mount:
Each instance has its own mount table, so a process can mount a device (filesystem) at some directory without that mount being visible to processes in other instances.
However, the namespace isolates the mount points, not the data: there is a single copy of the underlying device. So, even if the device is mounted in different directories for 2 processes in different mount namespaces, any change made by one will be visible to the other. If you want to prevent that, the only real option is not to mount the device in that namespace at all (or to mount it read-only).
PID: Allows 2 processes in different instances to have the same PID.
It's also hierarchical: a process can see (and signal) the processes in child namespace instances, which show up there under different PIDs, but a process inside a child instance cannot see processes in its parent instance.
PID 1 is special: it is the init of its namespace. If the init of the initial PID namespace dies, the kernel panics. If the init of a child PID namespace dies, the kernel instead sends SIGKILL to every other process in that namespace and tears the namespace down. PID 1 also ignores any signal for which it has not installed a handler, so a plain kill -TERM against a container's init does nothing unless that init handles SIGTERM.
Network:
Each instance has its own network stack: interfaces, IP addresses, routing tables, iptables/nftables rules, sockets and port space. This is something that I have encountered before but not fully understood.
It is what lets each container have its own iptables and routing rules, but I need to dig deeper into those.
One, rather mundane, use of network namespaces is that you can run multiple web servers bound to port 80 on the same kernel, provided each runs in its own network namespace instance (each instance then needs its own interface, e.g. a veth pair, to be reachable from outside).
UTS: hostname and NIS domain name, so a container can carry its own hostname.
IPC: processes in the same instance can communicate through System V IPC objects (shared memory, semaphores, message queues) and POSIX message queues; processes in different instances cannot reach each other's objects. They can still talk over pipes, sockets and files that both can access.
Cgroup: virtualizes the view of the cgroup hierarchy, so a process in a container sees its own cgroup as the root (/) in /proc/self/cgroup instead of the host's full path.
User:
Maps user and group IDs in one instance to different IDs in another; the mapping is written to /proc/<pid>/uid_map and /proc/<pid>/gid_map.
For example, you may be root (UID 0) inside an unprivileged container, but that UID is mapped to an ordinary non-root UID on the host, so anything the container touches outside its namespaces is checked against that unprivileged UID.
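The following program is an added example to tie the list above together; it is not code from the original notes. It creates a new user, PID, UTS, mount and network namespace with one clone(2) call, maps UID/GID 0 inside to the caller's own unprivileged IDs, and then shows from both sides what the text describes: the child is PID 1 and root inside, binds port 80 without host privileges, changes a hostname the parent never sees, and is visible to the parent under a different PID. It assumes Linux with glibc, /proc mounted, and unprivileged user namespaces enabled; the helper names (ns_id, same_namespace, format_id_map, write_proc_file) are mine, not a kernel or libc API.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Inode of /proc/<pid>/ns/<name>. Two processes are in the same instance of a
 * namespace iff these inodes match. Returns 0 if the entry cannot be read. */
static unsigned long ns_id(pid_t pid, const char *name)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, name);
    return stat(path, &st) == 0 ? (unsigned long)st.st_ino : 0;
}

static int same_namespace(pid_t a, pid_t b, const char *name)
{
    unsigned long ia = ns_id(a, name);
    return ia != 0 && ia == ns_id(b, name);
}

/* One "inside outside count" line as expected by uid_map / gid_map. Returns its length. */
static int format_id_map(char *buf, size_t size, unsigned inside, unsigned outside, unsigned count)
{
    return snprintf(buf, size, "%u %u %u\n", inside, outside, count);
}

/* Write text to /proc/<pid>/<file> in a single write(), as the map files require. */
static int write_proc_file(pid_t pid, const char *file, const char *text)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, file);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Body of the process created inside the new namespaces: it is PID 1 there. */
static int child_fn(void *arg)
{
    int sync_fd = *(int *)arg;
    char c, host[64] = {0};
    if (read(sync_fd, &c, 1) != 1) return 1;   /* wait until the parent has written the ID maps */

    /* UTS: this hostname change is invisible outside the new instance. */
    if (sethostname("sandbox", 7) != 0) perror("sethostname");
    gethostname(host, sizeof host - 1);

    /* Network: port 80 belongs to this instance; the child holds CAP_NET_BIND_SERVICE
     * in the user namespace that owns it, so no host privilege is needed. */
    int s = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(80),
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    int bound = s >= 0 && bind(s, (struct sockaddr *)&sa, sizeof sa) == 0;
    printf("child : pid=%d euid=%d hostname=%s bind(:80)=%s\n",
           (int)getpid(), (int)geteuid(), host, bound ? "ok" : strerror(errno));
    fflush(stdout);   /* clone()'s trampoline calls _exit, which does not flush stdio */
    if (s >= 0) close(s);
    return 0;
}

int main(void)
{
    static char stack[256 * 1024];
    int sync[2], status;
    char line[64], host[64] = {0};
    if (pipe(sync) != 0) { perror("pipe"); return 1; }
    fflush(stdout);
    /* CLONE_NEWUSER makes the new user namespace the owner of the other new namespaces,
     * which is what lets an unprivileged caller create them at all. */
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWNS | CLONE_NEWNET | SIGCHLD;
    pid_t child = clone(child_fn, stack + sizeof stack, flags, &sync[0]);
    if (child < 0) { perror("clone (unprivileged user namespaces disabled?)"); return 1; }

    /* Map UID/GID 0 inside to our own IDs. An unprivileged writer may map only its own ID,
     * and must write "deny" to setgroups before gid_map is accepted. */
    format_id_map(line, sizeof line, 0, (unsigned)getuid(), 1);
    if (write_proc_file(child, "uid_map", line) != 0) perror("uid_map");
    write_proc_file(child, "setgroups", "deny");
    format_id_map(line, sizeof line, 0, (unsigned)getgid(), 1);
    if (write_proc_file(child, "gid_map", line) != 0) perror("gid_map");

    /* The parent sees the child under an ordinary PID and in different namespace instances. */
    printf("parent: child is pid=%d here; shares pid ns? %d, user ns? %d, uts ns? %d\n", (int)child,
           same_namespace(getpid(), child, "pid"), same_namespace(getpid(), child, "user"),
           same_namespace(getpid(), child, "uts"));
    if (write(sync[1], "x", 1) != 1) { perror("write"); return 1; }   /* release the child */
    waitpid(child, &status, 0);
    gethostname(host, sizeof host - 1);
    printf("parent: hostname still %s\n", host);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Build with cc -o nsdemo nsdemo.c and run it as a normal user. If clone() fails with EPERM, unprivileged user namespaces are disabled on that host (check the kernel.unprivileged_userns_clone or user.max_user_namespaces sysctl) and the program has to run as root instead; everything else stays the same, since the capability checks are made against the new user namespace, not the host's.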