Docker Series — Part 15: Containers Are Just Processes (The Power of Namespaces, Isolation & runc)

Nitin DhimanNitin Dhiman
3 min read

Table of contents

When we say "a container is lightweight", we mean it’s just a process — but with superpowers. From the outside, it feels like a mini operating system. But deep down, it’s a clever illusion created by namespaces, cgroups, and the Linux kernel.

In this article, we unpack what really happens under the hood when we run a Docker container and how it isolates resources, mimics full systems, and even controls hardware access.

1. Containers Are Just Processes (With Personal Namespaces)

When you launch a container with docker run, you're not launching a full OS. You’re launching a process — given a personal namespace to feel like its own isolated world.

docker run -it --name os1 centos:7

Inside the container:

ps -aux
hostname

You’ll notice:

  • A single process (PID 1) runs /bin/bash

  • Hostname is the container ID

  • Feels like a fresh OS, but it’s just isolation magic

2. Namespace: The Illusion of Isolation

Namespaces isolate:

  • PID (Process IDs)

  • UTS (Hostname)

  • IPC (Interprocess Communication)

  • NET (Networking)

  • MNT (Mount points)

  • USER (User IDs)

List all namespaces using:

lsns

When you remove the container:

docker rm -f os1

All associated namespaces disappear too — like the container never existed.

3. Peeking Inside Namespaces: nsenter

Want to enter a running container's namespace manually?

nsenter -t <PID> -a

Or isolate network namespace only:

nsenter -t <PID> -n
ifconfig

This is exactly what docker attach does behind the scenes — using nsenter.

4. Network Namespace = Separate IP

Every container has:

  • Its own virtual network interface

  • Its own IP address from Docker bridge

This is why two containers can run ifconfig and show different IPs.

5. Shared Yet Isolated Hardware (CPU, RAM, Disk)

While namespaces isolate identity and interfaces, hardware resources are still shared.

But we can restrict them using cgroups:

docker run -it --name os5 --memory 40M centos:7

To check:

free -m
lscpu

You’ll see only limited memory available inside the container — controlled by cgroups.

6. Everything Runs via runc

Behind every Docker container is a container runtime. For Docker, that’s runc.

Check the runtime:

docker info

It will show:

Runtimes: runc ...
Default Runtime: runc

So, docker run → calls runc → creates a process with namespaces & cgroups → container starts.

Recap

ConceptDescription
ContainerJust a Linux process with isolation
NamespaceIsolates hostname, users, network, etc.
CgroupsRestricts RAM, CPU usage per container
nsenterManually enter another process’s namespace
runcThe actual low-level runtime engine

Why This Matters

Understanding that containers = processes gives you an edge in debugging, optimizing, and designing secure and efficient infrastructure.

This is the bridge between DevOps and Linux internals — where the magic of containers truly unfolds.

1
Subscribe to my newsletter

Read articles from Nitin Dhiman directly inside your inbox. Subscribe to the newsletter, and don't miss out.

DockercontainersLinuxDevops#namespacesruntimecgroupscontainersecuritysimplified-docker-series#learninginpubliccloud nativeOpen SourceDevops articlesDevOps Journey#Devopscommunity

Written by

Nitin Dhiman
Nitin Dhiman

Self-taught DevOps enthusiast on a journey from beginner to pro. Passionate about demystifying complex tools like Docker, AWS, CI/CD & Kubernetes into clear, actionable insights. Fueled by curiosity, driven by hands-on learning, and committed to sharing the journey. Always building, always growing 🚀