Namespaces for z/OS UNIX

In support of z/OS® Container Platform technology, z/OS UNIX provides functionality similar to that of Linux® namespaces. Namespaces provide the appearance of isolation for various system resources. To a process within one of these namespaces, only resources local to that specific namespace are visible and can be manipulated. Similarly, changes within a namespace do not affect resources and processes outside of that namespace.

The root (or initial) namespaces represent the global view. By default, all processes belong to these namespaces. Namespace affiliation is inherited from the parent process when new processes are created. Processes running exclusively in the root namespaces should function exactly as they did before namespaces were supported. Root namespaces consist of the user namespace, the mount namespace, the PID namespace, the network namespace, the IPC namespace, and the UTS namespace.
Restriction: z/OS UNIX only supports the creation of mount, PID, IPC, and UTS namespaces by users.

You can use the clone, setns, and unshare callable services to create namespaces and change a process's namespace affiliation. For more information about these services, see clone, setns, and unshare in z/OS UNIX System Services Programming: Assembler Callable Services Reference. To invoke these services, users must either be granted READ access to the CONTAINERS resource profile in the UNIXPRIV class or be a superuser. For more information about providing data and system security, see Establishing UNIX security.
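One way to grant and review the access described above with RACF commands, shown as an added example that is not part of the original documentation. The group name CNTRADM is a hypothetical placeholder. The example assumes that RACF is the installed security product and that the UNIXPRIV class is already active and RACLISTed.

```tso
/* Define the profile with no default access, and audit every     */
/* successful and failed READ check so that use is logged to SMF. */
RDEFINE UNIXPRIV CONTAINERS UACC(NONE) AUDIT(ALL(READ))

/* Grant READ to one dedicated group instead of individual users. */
/* CNTRADM is a placeholder group name (assumption).              */
PERMIT CONTAINERS CLASS(UNIXPRIV) ID(CNTRADM) ACCESS(READ)

/* Refresh the in-storage UNIXPRIV profiles so the change applies. */
SETROPTS RACLIST(UNIXPRIV) REFRESH

/* Review the access list to confirm who can invoke the services. */
RLIST UNIXPRIV CONTAINERS AUTHUSER
```

Because superusers can invoke these services without the profile, a review of who can create namespaces also has to cover who holds superuser authority.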

Namespaces persist for the life of all processes within the namespace. They are freed only after the final process is terminated or leaves. For hierarchical namespaces such as the PID namespace, the namespace will continue to persist until all descendant namespaces have ended. Namespaces will also persist even without affiliated processes or descendant namespaces if the corresponding namespace file in the PROC file system is in use.