Build a Container from Scratch

How one Linux command shows what Docker really is

Want to see the essence of a container without using Docker? Try unshare.

sudo unshare --pid --fork --mount-proc bash   # new PID namespace, forked child, fresh /proc
ps aux                                         # lists only what this namespace can see

Inside that shell, you’ll only see two processes: bash and ps. From the kernel’s perspective, you’ve created a new PID namespace. That’s the foundation of a container — just Linux isolation applied to a process.

A full Docker container adds more on top (cgroups, OverlayFS, security restrictions). But the idea remains simple: containers are not virtual machines. They’re just processes with boundaries.
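The same thing the unshare command does, written against the system calls it wraps. This is an added example, not code from the post: it issues the unshare(2) call with CLONE_NEWPID and CLONE_NEWNS (the --pid and --mount-proc flags), forks so the first child becomes PID 1 of the new namespace (--fork), remounts /proc inside it (--mount-proc), and reports what that child sees. One assumption departs from the post's command: it also requests CLONE_NEWUSER and maps the caller's uid to root in the new user namespace, so it runs without sudo on a kernel that allows unprivileged user namespaces. The struct and function names are this example's own.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the child observes from inside the fresh PID namespace. */
struct ns_probe {
    pid_t self_pid;   /* getpid() as seen inside the namespace (1 if it is the init there) */
    int visible;      /* number of PIDs listed in /proc there, -1 if /proc could not be remounted */
};

/* Write a short string to a file; used for the uid/gid maps of the user namespace. */
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int err = (write(fd, text, strlen(text)) < 0) ? -errno : 0;
    close(fd);
    return err;
}

/* Count numeric entries in /proc: one per process this PID namespace can see. */
static int count_pids(void) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (e->d_name[0] >= '0' && e->d_name[0] <= '9') n++;
    closedir(d);
    return n;
}

/* Equivalent of `unshare --user --pid --mount --fork --mount-proc`.
 * Returns 0 and fills *out on success, or -errno if the namespaces could not be created. */
int probe_new_pid_namespace(struct ns_probe *out) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    int pfd[2];
    if (pipe(pfd) < 0) return -errno;

    /* The user namespace (assumption: allowed for unprivileged users on this kernel)
     * is what grants the capabilities needed to create the PID and mount namespaces. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS) < 0) {
        int err = -errno;
        close(pfd[0]);
        close(pfd[1]);
        return err;
    }
    /* Map our own uid/gid to root inside the new user namespace (what unshare -r does). */
    char map[64];
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    write_file("/proc/self/uid_map", map);
    write_file("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    write_file("/proc/self/gid_map", map);

    /* --fork: the caller stays in its old PID namespace; the first child is PID 1 of the new one. */
    pid_t child = fork();
    if (child < 0) {
        int err = -errno;
        close(pfd[0]);
        close(pfd[1]);
        return err;
    }
    if (child == 0) {
        struct ns_probe p;
        p.self_pid = getpid();
        /* --mount-proc: stop propagation to the host, then remount /proc so it reflects this namespace. */
        mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL);
        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) == 0)
            p.visible = count_pids();
        else
            p.visible = -1;
        if (write(pfd[1], &p, sizeof p) != (ssize_t)sizeof p) _exit(1);
        _exit(0);
    }
    close(pfd[1]);
    ssize_t n = read(pfd[0], out, sizeof *out);
    close(pfd[0]);
    waitpid(child, NULL, 0);
    return n == (ssize_t)sizeof *out ? 0 : -EIO;
}

int main(void) {
    struct ns_probe p;
    int r = probe_new_pid_namespace(&p);
    if (r < 0) {
        fprintf(stderr, "could not create namespaces: %s\n", strerror(-r));
        return 1;
    }
    printf("inside the new PID namespace: getpid() = %d, processes visible in /proc = %d\n",
           (int)p.self_pid, p.visible);
    return 0;
}
```

On a kernel that permits unprivileged user namespaces the child reports getpid() = 1 and exactly one entry in /proc (itself), which is the same picture `ps aux` gives in the post's shell, minus the ps process. Where user namespaces are disabled by sysctl or a seccomp profile, unshare fails with EPERM or EINVAL and the function returns that, which is itself a useful check: it tells you whether the host allows an unprivileged process to carve out its own isolation.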

Key Terms

unshare
A Linux utility that calls the unshare system call to create new namespaces, detaching a process from its parent’s shared environment.

PID Namespace
An isolated process ID space where processes only see themselves and their descendants, not processes on the host.

Container
A process wrapped in kernel isolation features (namespaces, cgroups, and more) that make it appear self-contained.