Linux Namespaces Isolation

Discussions center on using Linux kernel namespaces (user, PID, mount) as alternatives to chroot for process isolation in containers, systemd, and tools like Docker/Podman, including security issues with user namespaces.

➡️ Stable 0.6x DevOps & Infrastructure

Comments: 2,386
Years Active: 18
Top Authors: 5
Topic ID: #5099

Activity Over Time (comments per year)

Year  Comments
2009  3
2010  4
2011  10
2012  14
2013  95
2014  109
2015  117
2016  156
2017  223
2018  150
2019  175
2020  185
2021  243
2022  216
2023  235
2024  196
2025  240
2026  15

Keywords

CS GNU BSD github.io ubuntu.com AppArmor ID PID systemd.exec GID namespaces namespace pid containers user linux container jail kernel root

Sample Comments

superb_dev, Sep 4, 2024

Systemd can put it in its own namespaces, like a container

the8472, Feb 23, 2016

Why doesn't it just use user namespaces?

feanaro, Dec 6, 2019

Don't user namespaces have significant security issues themselves?

aussieguy1234, Jan 13, 2026

It uses Linux kernel namespaces instead of chroot (containers are just fancy Linux chroot)

the8472, Aug 28, 2017

From the documentation it sounds like it uses namespaces where available, just like containers; chroot otherwise.

cyphar, Dec 16, 2019

Not if you use user namespaces (which you really should).

lima, Aug 28, 2017

Yes, it is. Either a magic user-space chroot, a normal chroot or user namespaces.

kenniskrag, Feb 9, 2021

Why not? I would argue that they use Linux namespacing, cgroups, etc.

gumby, Jan 8, 2017

What happened to just using chroot(), namespaces, and copy-on-write?

fock, Sep 30, 2019

Why don't you use Podman, Bubblewrap, or just straight namespaces?