Unlocking the Container

Let The Genie Out!!

Presenter: Sakhil Ahamed

ChennaiFoss Jan 2026 Meetup

Why This Talk?

  • Containers are everywhere
  • "Lightweight VMs" is misleading
  • Understanding fundamentals removes fear
  • Ground Rule: No Docker/K8s knowledge required

What Does Linux Actually Do?

  • Linux runs programs → Programs become Processes
  • Kernel manages processes
  • Everything starts with a process

What Is a Process?

  • A running program
  • Memory & PID (Process ID)
  • Kernel-managed execution context
  • The catch: By default, everyone shares everything (Network, Filesystem, Hostname)

Linux's Big Idea

"Don't virtualize machines. Virtualize resources."

This led to the creation of Namespaces.

What Is a Namespace?

  • Wraps a global resource to provide isolation
  • Same namespace: Shared view
  • Different namespace: Isolated view
  • Each process lives in exactly ONE instance of each namespace type

The Seven Namespace Types

  1. Mount
  2. UTS
  3. IPC
  4. PID
  5. Network
  6. User
  7. Cgroup

Visible at /proc/<PID>/ns/

UTS & Mount

UTS: Isolates Hostname and Domain name.

Mount: Isolates mount points and filesystem views.

Why Mount Matters

  • More powerful than chroot
  • Rearrange filesystem views
  • Foundation of container filesystems

Network & IPC

IPC: Isolates shared memory and message queues.

Network: Isolates interfaces, routing tables, and ports.

  • Allows multiple containers to use port 80
  • Uses Virtual Ethernet (veth) and bridges

PID Namespace

  • Isolates Process IDs
  • Hierarchical: Parent sees child; child cannot see parent
  • PID 1 is special: If it exits, the namespace dies

User Namespace

The Game Changer

  • Isolates User and Group IDs
  • Fake Root: UID 0 inside, Non-root UID outside
  • Enables Rootless Containers
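The slides on /proc/<PID>/ns/, UTS, PID and user namespaces describe views that one short program can make concrete. The following C program is an added example, not code from the talk or the presenter: a child process calls unshare() to enter new user, UTS and PID namespaces, maps UID 0 inside to the caller's real UID outside ("fake root"), changes the hostname, forks a grandchild to see which PID it receives, and sends a report back so the parent can compare namespace inodes. It assumes Linux with /proc mounted and unprivileged user namespaces enabled; where the kernel or a seccomp policy refuses unshare(), the report simply says so. The hostname "genie" is a constructed value for the demo.

```c
/* Added example (not from the talk): one process enters new user, UTS and PID
 * namespaces and reports what it sees, so the parent can compare views.
 * Assumes Linux with /proc mounted; if unprivileged user namespaces are
 * disabled (sysctl or seccomp), report.supported stays 0 and nothing else runs. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct ns_report {
    int supported;        /* 0 if unshare() was refused */
    uid_t inside_uid;     /* getuid() as seen inside the new user namespace */
    ino_t uts_inode;      /* inode of /proc/self/ns/uts inside the new UTS namespace */
    pid_t grandchild_pid; /* getpid() of the first process forked into the new PID namespace */
    char hostname[64];    /* hostname as seen inside the new UTS namespace */
};

/* Inode behind /proc/<pid>/ns/<type>: two processes share that namespace
 * exactly when these inodes match. Returns 0 if the entry cannot be read. */
ino_t ns_inode(const char *pid, const char *type) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%s/ns/%s", pid, type);
    return stat(path, &st) == 0 ? st.st_ino : 0;
}

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Child side: create the namespaces, become "fake root", change the hostname,
 * fork a grandchild to learn its PID, then send the report up the pipe. */
static void child_run(int pipefd, uid_t outer_uid, gid_t outer_gid) {
    struct ns_report r;
    memset(&r, 0, sizeof r);
    if (unshare(CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWPID) == 0) {
        char map[64];
        /* Map UID 0 inside to our real UID outside: root here, ordinary user there. */
        snprintf(map, sizeof map, "0 %u 1", (unsigned)outer_uid);
        write_file("/proc/self/setgroups", "deny"); /* required before gid_map when unprivileged */
        write_file("/proc/self/uid_map", map);
        snprintf(map, sizeof map, "0 %u 1", (unsigned)outer_gid);
        write_file("/proc/self/gid_map", map);
        r.supported = 1;
        r.inside_uid = getuid();
        /* "genie" is a constructed hostname; permitted because we hold CAP_SYS_ADMIN
         * in our own user namespace, and only our UTS namespace sees the change. */
        sethostname("genie", 5);
        gethostname(r.hostname, sizeof r.hostname);
        r.uts_inode = ns_inode("self", "uts");
        /* unshare(CLONE_NEWPID) does not move us; the next child becomes PID 1 there. */
        pid_t gc = fork();
        if (gc == 0) _exit((int)getpid());   /* exit status carries its PID (expected: 1) */
        int status = 0;
        waitpid(gc, &status, 0);
        r.grandchild_pid = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    }
    ssize_t n = write(pipefd, &r, sizeof r);
    (void)n;
    _exit(0);
}

/* Parent side: fork, collect the child's report and return it. */
struct ns_report run_demo(void) {
    struct ns_report r;
    int fds[2];
    memset(&r, 0, sizeof r);
    if (pipe(fds) != 0) return r;
    pid_t pid = fork();
    if (pid == 0) { close(fds[0]); child_run(fds[1], getuid(), getgid()); }
    close(fds[1]);
    if (pid > 0) {
        ssize_t n = read(fds[0], &r, sizeof r); /* sizeof r < PIPE_BUF: one write, one read */
        (void)n;
        waitpid(pid, NULL, 0);
    }
    close(fds[0]);
    return r;
}

int main(void) {
    struct ns_report r = run_demo();
    char outer[64] = "?";
    gethostname(outer, sizeof outer);
    if (!r.supported) { puts("unprivileged user namespaces unavailable here"); return 0; }
    printf("outside: uid=%u hostname=%s uts=%lu\n",
           (unsigned)getuid(), outer, (unsigned long)ns_inode("self", "uts"));
    printf("inside : uid=%u hostname=%s uts=%lu first forked pid=%d\n",
           (unsigned)r.inside_uid, r.hostname, (unsigned long)r.uts_inode, (int)r.grandchild_pid);
    return 0;
}
```

Compile with `cc -o nsdemo nsdemo.c` and run as an ordinary user. The two uts inode values differ, the inside UID is 0 while the outside UID is unchanged, the outside hostname is untouched, and the first process forked after unshare(CLONE_NEWPID) reports PID 1. Because that grandchild is PID 1 of its namespace, its exit also ends the namespace, which is the "PID 1 is special" point from the PID slide.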

Containers vs VMs

Virtual Machines         | Containers
-------------------------|------------------------------
Separate kernels         | One shared kernel
Heavy / Slow to start    | Fast / Lightweight
Hardware Virtualization  | Selective Resource Isolation

Final Takeaways

  • Namespaces isolate global resources
  • Containers are composed, not invented
  • Linux is the real container engine

"Containers are not machines. They are processes living in carefully curated realities."