Cloudflare heavily uses containerization for managing our global network and products. Sometimes, Docker can be too “heavy” to be useful in cases where all we really want is network isolation for some processes. Containers are simply an operating system concept to isolate process features from each other and the host.

We’ll explore creating containers from scratch on Linux using namespaces. I’ll map Docker image/runtime configuration to the unshare command arguments to solve a real problem for network performance testing and debugging systemd without the need for a virtual machine.