Here's a preview from my zine, How Containers Work!! If you want to see more comics like this, sign up for my Saturday comics newsletter or browse more comics!


processes use their parent’s namespaces by default

parent, represented by a box with a smiley face: I’m in the host network namespace!

child, represented by a smaller box with a smiley face (created with ‘clone’ syscall): me too!

but you can switch namespaces at any time

box with a smiley face: I’m starting a container so it needs its own namespaces

command line tools

  • $ unshare --net COMMAND: run COMMAND in a new network namespace
  • $ sudo lsns: list all namespaces
  • $ nsenter -t PID --all COMMAND: run COMMAND in the same namespaces as PID

namespace system calls

  • clone: make a new process
  • unshare: make + use a namespace
  • setns: use an existing namespace

clone lets you create new namespaces for a child process

parent: clone (... CLONE_NEWNET)

child: I have my own network namespace!

each namespace type has a man page

$ man network_namespaces
...
A physical network device
can live in exactly one
network namespace.
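
The inheritance and unshare behaviour described above can be checked from C. This is an added example, not part of the zine: it compares the inode of /proc/self/ns/net in a parent, in a child created with no namespace flags, and in a child that calls unshare. The helper names and the use of CLONE_NEWUSER (so it can run without root where unprivileged user namespaces are enabled) are assumptions of this example.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Processes in the same network namespace see the same inode on
   /proc/self/ns/net. Returns 0 if /proc is unavailable. */
static ino_t net_ns_id(void) {
    struct stat st;
    return stat("/proc/self/ns/net", &st) == 0 ? st.st_ino : 0;
}

/* Hypothetical helper: fork a child, have it call unshare(flags) when flags
   is non-zero, and return the child's network namespace inode.
   Returns 0 if the child could not create the namespace (e.g. EPERM). */
static ino_t child_net_ns(int flags) {
    int fds[2];
    ino_t id = 0;
    if (pipe(fds) != 0) return 0;
    pid_t pid = fork();   /* no CLONE_NEW* flags: namespaces are inherited */
    if (pid < 0) { close(fds[0]); close(fds[1]); return 0; }
    if (pid == 0) {
        if (flags == 0 || unshare(flags) == 0)
            id = net_ns_id();
        _exit(write(fds[1], &id, sizeof id) == (ssize_t)sizeof id ? 0 : 1);
    }
    close(fds[1]);
    if (read(fds[0], &id, sizeof id) != (ssize_t)sizeof id) id = 0;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return id;
}

int main(void) {
    ino_t parent = net_ns_id();
    ino_t same = child_net_ns(0);
    /* CLONE_NEWUSER: lets a non-root process create the network namespace
       on systems where unprivileged user namespaces are enabled */
    ino_t fresh = child_net_ns(CLONE_NEWUSER | CLONE_NEWNET);
    printf("parent:              net:[%lu]\n", (unsigned long)parent);
    printf("child, default:      net:[%lu]\n", (unsigned long)same);
    if (fresh)
        printf("child after unshare: net:[%lu]\n", (unsigned long)fresh);
    else
        printf("child after unshare: not permitted on this system\n");
    return 0;
}
```

The same inode values appear in the NS column of `sudo lsns`, so the output can be cross-checked against it.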