Linux - kamialie/knowledge_corner GitHub Wiki

Linux

Linux Namespaces

Each system initially has a single namespace, in which all system resources are shared. Additional namespaces can be created on demand.

There are multiple kinds of namespaces, each isolating a certain group of resources; a given process belongs to one namespace of each kind:

  • Mount (mnt)
  • Process ID (pid)
  • Network (net) - each network interface belongs to exactly one namespace (but can be moved from one to another)
  • Inter-process communication (ipc)
  • UTS - hostname and domain name
  • User ID (user)

Linux Control Groups

Cgroups limit the resource usage of a process (or group of processes).

Kernel

sysctl is a kernel interface tool. Among other things, it lets you view and modify kernel settings at runtime.

# Query kernel parameters
$ sysctl -a | grep <pattern>

# Query specific parameter; sysctl assumes that user is looking for /proc/sys
# directory, thus, "kernel" is a subdirectory within /proc/sys.
$ sysctl kernel/unprivileged_userns_apparmor_policy

# Change the setting
$ sysctl -w kernel/unprivileged_userns_apparmor_policy=0

Values written to files within /proc/sys are ephemeral and are not retained after a reboot. /etc/sysctl.conf is the configuration file for sysctl, where persistent values for kernel settings can be set. The /etc/sysctl.d directory contains additional files with settings.
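
Because a runtime change and the persistent configuration can disagree, it is useful to check one against the other. The script below is an added example, not part of the original wiki page: it reads the key = value lines from sysctl configuration files and compares them with the current values under /proc/sys. The function names sysctl_drift and normalize and the DRIFT/MISSING output format are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): report kernel settings whose runtime
# value under /proc/sys differs from the persistent sysctl configuration.
# Simplifications (assumed): every "key = value" line is checked on its own,
# without override precedence between files; keys containing dots inside an
# interface name are not handled.

# Print the settings of one config file as "key=value": drops comments (# or ;),
# blank lines, the optional leading "-" and the padding around "=".
normalize() {
    sed -n -E 's/^[[:space:]]*-?([^#;=[:space:]][^=[:space:]]*)[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*$/\1=\2/p' "$1"
}

# sysctl_drift [PROC_SYS_ROOT [CONF_FILE...]]
# Prints one line per finding; returns 0 when clean, 1 otherwise.
sysctl_drift() {
    root=${1:-/proc/sys}
    if [ $# -gt 0 ]; then shift; fi
    if [ $# -eq 0 ]; then set -- /etc/sysctl.conf /etc/sysctl.d/*.conf; fi
    rc=0
    for conf in "$@"; do
        if [ ! -r "$conf" ]; then continue; fi
        while IFS='=' read -r key want; do
            if [ -z "$key" ]; then continue; fi
            # sysctl accepts "." or "/" as separator; /proc/sys uses "/".
            path=$root/$(printf '%s' "$key" | tr . /)
            if [ ! -r "$path" ]; then
                # Absent or unreadable for the current user.
                echo "MISSING $key ($conf)"; rc=1; continue
            fi
            # Multi-value settings are tab-separated in /proc/sys.
            have=$(tr -s '\t' ' ' < "$path" | sed 's/ *$//')
            want=$(printf '%s' "$want" | tr -s '\t' ' ')
            if [ "$have" != "$want" ]; then
                echo "DRIFT $key runtime=$have configured=$want ($conf)"; rc=1
            fi
        done <<EOF
$(normalize "$conf")
EOF
    done
    return $rc
}

# Check the live system with the default paths:
#   sysctl_drift
```

A DRIFT line means either that someone changed the value at runtime with sysctl -w, or that the configuration file was edited and has not been applied yet.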
