
Docker Containers Aren't Magic Boxes: Seeing Linux Namespaces in Action
You restart a container with one extra flag, --pid=host, and suddenly top inside it shows every process on the host. Nothing else changed. That's the moment the "container as isolated VM" mental model breaks down, and the real one has to replace it.

Containers aren't virtual machines. They don't have a separate kernel. They're Linux processes whose view of the system — process table, filesystem, users, network interfaces — is scoped by kernel namespaces. Change the namespace configuration, and what the process can see changes. That's the whole story.

The Runtime Chain (and Where Namespaces Attach)

When you run docker run, you're triggering a chain of processes:

dockerd → containerd → containerd-shim → runc → your application

The critical piece is runc. It's short-lived: it configures the namespaces, forks the container process (say, nginx), then exits. The containerd-shim process sticks around to supervise that process and hold onto its file descriptors. After runc finishes, the conta
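To make the namespace-scoping point concrete, here is an added shell example (not code from the original article) that reads the /proc/<pid>/ns/* links the kernel exposes and reports which namespace types a process shares with PID 1. Two processes are in the same namespace of a given type exactly when those links resolve to the same inode. On the host every type is shared; inside a container started with default flags none should be; in a container started with --pid=host the report gains "pid", which is precisely the change that lets top see the host's process table. The script assumes a Linux /proc and that the caller is allowed to read the target processes' ns links (reading another user's process needs ptrace permission, which the helper reports as "unreadable" rather than failing).

```shell
#!/bin/sh
# Inspect Linux namespace membership through /proc/<pid>/ns/*.
# Each link resolves to "<type>:[<inode>]"; equal inodes mean the same namespace.

# ns_id PID TYPE -> prints the namespace id (e.g. "pid:[4026531836]"), or
# "unreadable" when the process does not exist, the kernel lacks that
# namespace type, or /proc denies access (no ptrace permission on the target).
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null || echo "unreadable"
}

# same_ns PID_A PID_B TYPE -> exit status 0 when both processes are in the
# same namespace of that type. Unreadable ids never count as a match.
same_ns() {
    a=$(ns_id "$1" "$3")
    b=$(ns_id "$2" "$3")
    [ "$a" != "unreadable" ] && [ "$a" = "$b" ]
}

# shared_with_init PID -> prints, one per line, the namespace types that PID
# shares with PID 1. This is the check a defender runs from inside a container
# to confirm what it was actually started with: an empty result is the default
# isolation, "pid" alone is the --pid=host case described in the article.
shared_with_init() {
    for t in pid net mnt uts ipc user cgroup; do
        same_ns "$1" 1 "$t" && echo "$t"
    done
    return 0
}

# Demo on the current shell: show its pid namespace id and what it shares
# with PID 1 (constructed usage; output depends on where you run it).
echo "this shell's pid namespace: $(ns_id $$ pid)"
echo "namespace types shared with PID 1: $(shared_with_init $$ | tr '\n' ' ')"
```

Run it unmodified on the host, then again inside a container (copy it in, or mount it), and diff the two "shared with PID 1" lines; each extra entry corresponds to one --pid=host, --net=host, --ipc=host or similar flag on the docker run command line, which is useful when auditing a running container whose launch flags you did not set yourself.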
Continue reading on Dev.to Tutorial


