Namespaces

With isolation as the goal, Linux needed a way to separate the resource views of different operating system processes from each other. The answer was namespaces. There are currently six namespaces implemented:

  • mnt: controls access to the filesystems
  • pid: controls access to different processes
  • net: controls access to networking resources
  • ipc: controls inter-process communication
  • uts: returns a different hostname per namespace
  • user: enables separate user management per process

In order to use namespaces, a single system call has been implemented: setns().

The following figure shows the namespace mapping of an arbitrary process with ID 2000:

It can be seen that the root namespaces are mapped to encapsulated and controlled namespaces with a specific ID. Since every process (or group of processes) is assigned to a sub-namespace in each of the six groups listed above, access to filesystems, other processes, network resources, and user IDs can be restricted. This is an important feature for security.
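The mapping in the figure can be inspected from user space: on Linux, each entry `/proc/<pid>/ns/<type>` is a symlink whose target names the namespace instance by its inode number, so comparing a process with PID 1 shows which of its six resource views have been moved out of the root namespaces. The following inspection script is an added example, not code from the book; the `/proc` layout it reads is the kernel's, while the function names and the sample inode values in the comments are constructed for illustration.

```python
import os
import re
from typing import Dict, Optional

# The six namespace types named in the text; each appears as /proc/<pid>/ns/<type>.
NS_TYPES = ("mnt", "pid", "net", "ipc", "uts", "user")

# The kernel formats the symlink target as "<type>:[<inode>]", e.g. "mnt:[4026531840]".
_NS_LINK = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(target: str) -> Optional[tuple]:
    """Parse 'net:[4026531992]' into ('net', 4026531992); None if malformed."""
    m = _NS_LINK.match(target.strip())
    if not m:
        return None
    return m.group("type"), int(m.group("inode"))


def read_namespaces(pid, proc_root="/proc") -> Dict[str, int]:
    """Return {ns_type: inode} for a PID ('self' for the calling process).

    Entries that cannot be read (PID gone, no permission, namespace type not
    supported by this kernel) are omitted, so the result may be partial.
    """
    result = {}
    for ns in NS_TYPES:
        try:
            target = os.readlink(os.path.join(proc_root, str(pid), "ns", ns))
        except OSError:
            continue
        parsed = parse_ns_link(target)
        if parsed is not None:
            result[ns] = parsed[1]
    return result


def namespace_diff(proc: Dict[str, int], root: Dict[str, int]) -> Dict[str, tuple]:
    """Namespaces present in both maps whose inodes differ.

    Comparing a process with PID 1 shows which of its resource views have been
    moved out of the host's root namespaces, i.e. which ones are isolated.
    """
    return {ns: (proc[ns], root[ns]) for ns in NS_TYPES
            if ns in proc and ns in root and proc[ns] != root[ns]}


if __name__ == "__main__":
    import sys
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    isolated = namespace_diff(read_namespaces(pid), read_namespaces(1))
    for ns, (mine, host) in sorted(isolated.items()):
        print(f"{ns}: {mine} differs from root namespace {host}")
```

Run it as `python3 ns_inspect.py 2000` to list the namespaces in which process 2000 differs from PID 1; an empty result means the process shares every namespace with the host.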

So the only thing missing is a mechanism to prevent a single process from consuming all the CPU power of the host machine. This is done using control groups.
