Network Namespaces
A network namespace gives a process its own private network stack — its own interfaces, routing table, iptables rules, and sockets. This is the core technology behind Docker networking: each container thinks it has its own dedicated network card, even though many containers share the same host.
What Does a Network Namespace Contain?
What exactly gets isolated in a network namespace?
Everything networking-related: network interfaces (including lo), IP addresses, routing table, ARP table, iptables/nftables rules, connection tracking table, sockets, and /proc/net entries. A new namespace starts completely empty — no interfaces except loopback, no routes, no rules. It's a blank slate that you build up.
# Create a network namespace
ip netns add mynet
# List namespaces
ip netns list
# mynet
# Run a command inside the namespace
ip netns exec mynet ip addr
# 1: lo: LOOPBACK,DOWN mtu 65536
# link/loopback 00:00:00:00:00:00
# (only loopback, no eth0, nothing)
ip netns exec mynet ip route
# (empty — no routes)
# Enter the namespace interactively
ip netns exec mynet bash
# Now you're inside — ping 8.8.8.8 won't work (no connectivity yet)
veth Pairs — Connecting Namespaces
How does a container namespace connect to the host network?
Via a veth pair: a virtual Ethernet cable with two ends. One end lives in the host namespace; the other end is moved into the container namespace. Packets sent on one end appear on the other. The host end attaches to a bridge (like docker0), which switches traffic between the attached veth ends; the host then routes and NATs that traffic to the outside world.
# Create veth pair (veth0 and veth1 are the two ends)
ip link add veth0 type veth peer name veth1
# Move veth1 into the namespace
ip link set veth1 netns mynet
# Configure host end (veth0)
ip addr add 10.0.0.1/24 dev veth0
ip link set veth0 up
# Configure namespace end (veth1)
ip netns exec mynet ip addr add 10.0.0.2/24 dev veth1
ip netns exec mynet ip link set veth1 up
ip netns exec mynet ip link set lo up
# Add default route in namespace (via host)
ip netns exec mynet ip route add default via 10.0.0.1
# Now the namespace can ping the host:
ip netns exec mynet ping 10.0.0.1 # works!
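# Enable NAT on host for namespace to reach internet
# (eth0 is assumed to be the host's uplink interface; substitute your own):
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
# ip_forward is host-wide: it enables routing between all interfaces, so the
# FORWARD chain decides which traffic is actually allowed through
echo 1 > /proc/sys/net/ipv4/ip_forward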
How Docker Uses Network Namespaces
# Docker creates a namespace per container automatically
# See container namespaces:
docker run -d --name myapp nginx
# Find container PID
docker inspect myapp --format '{{.State.Pid}}'
# 12345
# Enter its network namespace directly
nsenter -t 12345 -n ip addr
# 1: lo: LOOPBACK,UP
# 28: eth0@if29: flags=UP inet 172.17.0.2/16
# List Docker's bridge
ip link show docker0
# 4: docker0: ... inet 172.17.0.1/16
# All container veth pairs connect to docker0 bridge:
brctl show docker0
# bridge name   bridge id   STP   interfaces
# docker0       8000.0242   no    veth3a1b2c
#                                 veth7d8e9f
# Container networking is just:
# container_ns (eth0/veth_container) ←→ veth_host ←→ docker0_bridge ←→ NAT ←→ eth0
Inspecting Namespaces
# All network namespaces on the system
ls /var/run/netns/ # named namespaces (ip netns add)
ls /proc/*/ns/net # all process namespaces (including containers)
# Check which namespace a process is in
ls -la /proc/1/ns/net # PID 1 (init) — host namespace
ls -la /proc/12345/ns/net # container process
# If same inode number: same namespace
# net:[4026531992] ← inode number
# See all unique network namespaces in use:
find /proc -maxdepth 3 -name net -path "*/ns/*" 2>/dev/null \
| xargs -I{} readlink {} | sort | uniq -c
# 1 net:[4026531992] ← host namespace
# 3 net:[4026532156] ← container (3 processes in same container)
# 1 net:[4026532234] ← another container
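The inode comparison above can be scripted to audit which processes share the host's network namespace and therefore have no network isolation, as a container started with Docker's `--network host` option does. This is an added example, not code from the original page; the function names are hypothetical, and the fake /proc tree is a constructed fixture that reuses the sample PIDs and inode numbers shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Function names are hypothetical.

# Print the namespace id ("net:[inode]") of PID under PROC_ROOT; fails if unreadable.
netns_of() { readlink "$1/$2/ns/net" 2>/dev/null; }

# One line per namespace: "<ns-id> <process-count> <pid,pid,...>"
netns_groups() {
    local root d pid ns
    root=$1
    for d in "$root"/[0-9]*; do
        pid=${d##*/}
        ns=$(netns_of "$root" "$pid") || continue   # process exited or no permission
        printf '%s %s\n' "$ns" "$pid"
    done | sort -k1,1 -k2,2n | awk '
        $1 != cur { if (cur != "") print cur, n, pids; cur = $1; n = 0; pids = "" }
        { n++; pids = (pids == "" ? $2 : pids "," $2) }
        END { if (cur != "") print cur, n, pids }'
}

# Succeeds when PID shares PID 1's network namespace (no network isolation).
shares_host_netns() {
    local host
    host=$(netns_of "$1" 1) || return 2             # cannot read PID 1: run as root
    [ "$(netns_of "$1" "$2")" = "$host" ]
}

# Constructed fixture: a fake /proc whose ns/net symlinks mimic the real ones.
make_fixture() {
    local root spec pid
    root=$(mktemp -d)
    for spec in 1:4026531992 200:4026531992 12345:4026532156 12346:4026532156; do
        pid=${spec%%:*}
        mkdir -p "$root/$pid/ns"
        ln -s "net:[${spec##*:}]" "$root/$pid/ns/net"
    done
    printf '%s\n' "$root"
}

fx=$(make_fixture)
netns_groups "$fx"                     # on a live host (as root): netns_groups /proc
shares_host_netns "$fx" 200   && echo "PID 200 is in the host network namespace"
shares_host_netns "$fx" 12345 || echo "PID 12345 is isolated from the host"
rm -rf "$fx"
```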