Docker Series — Part 15: Containers Are Just Processes (The Power of Namespaces, Isolation & runc)


When we say "a container is lightweight", we mean it’s just a process — but with superpowers. From the outside, it feels like a mini operating system. But deep down, it’s a clever illusion created by namespaces, cgroups, and the Linux kernel.
In this article, we unpack what really happens under the hood when we run a Docker container and how it isolates resources, mimics full systems, and even controls hardware access.
1. Containers Are Just Processes (With Personal Namespaces)
When you launch a container with docker run
, you're not launching a full OS. You’re launching a process — given a personal namespace to feel like its own isolated world.
docker run -it --name os1 centos:7
Inside the container:
ps -aux
hostname
You’ll notice:
A single process (PID 1) runs
/bin/bash
Hostname is the container ID
Feels like a fresh OS, but it’s just isolation magic
2. Namespace: The Illusion of Isolation
Namespaces isolate:
PID (Process IDs)
UTS (Hostname)
IPC (Interprocess Communication)
NET (Networking)
MNT (Mount points)
USER (User IDs)
List all namespaces using:
lsns
When you remove the container:
docker rm -f os1
All associated namespaces disappear too — like the container never existed.
3. Peeking Inside Namespaces: nsenter
Want to enter a running container's namespace manually?
nsenter -t <PID> -a
Or isolate network namespace only:
nsenter -t <PID> -n
ifconfig
This is exactly what docker attach
does behind the scenes — using nsenter
.
4. Network Namespace = Separate IP
Every container has:
Its own virtual network interface
Its own IP address from Docker bridge
This is why two containers can run ifconfig
and show different IPs.
5. Shared Yet Isolated Hardware (CPU, RAM, Disk)
While namespaces isolate identity and interfaces, hardware resources are still shared.
But we can restrict them using cgroups:
docker run -it --name os5 --memory 40M centos:7
To check:
free -m
lscpu
You’ll see only limited memory available inside the container — controlled by cgroups.
6. Everything Runs via runc
Behind every Docker container is a container runtime. For Docker, that’s runc
.
Check the runtime:
docker info
It will show:
Runtimes: runc ...
Default Runtime: runc
So, docker run
→ calls runc
→ creates a process with namespaces & cgroups → container starts.
Recap
Concept | Description |
Container | Just a Linux process with isolation |
Namespace | Isolates hostname, users, network, etc. |
Cgroups | Restricts RAM, CPU usage per container |
nsenter | Manually enter another process’s namespace |
runc | The actual low-level runtime engine |
Why This Matters
Understanding that containers = processes gives you an edge in debugging, optimizing, and designing secure and efficient infrastructure.
This is the bridge between DevOps and Linux internals — where the magic of containers truly unfolds.
Subscribe to my newsletter
Read articles from Nitin Dhiman directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by

Nitin Dhiman
Nitin Dhiman
Self-taught DevOps enthusiast on a journey from beginner to pro. Passionate about demystifying complex tools like Docker, AWS, CI/CD & Kubernetes into clear, actionable insights. Fueled by curiosity, driven by hands-on learning, and committed to sharing the journey. Always building, always growing 🚀