Discover how containers are using Linux kernel namespaces...
...or the mounts inside your containers, and how over-mounts make other mounts invisible.
First, ensure that you have the Docker compose v2 plugin version 2.34.0 or later installed. Version 2.34.0 was released March 2025. Make also sure you have a Linux kernel of at least version 4.11 installed, however we highly recommend at least kernel version 5.6 or later.
docker compose -f oci://ghcr.io/thediveo/lxkns/app:latest upFinally, visit http://localhost:5010 and start looking around Linux kernel
namespaces, as well as mount points with their hierarchies.
- download latest lxkns.zip
- Import the included
lxkns.appinto your IEM. - Deploy the "Linux kernel namespace namespace discovery" app to your IE (virtual) devices.
- On your IE (virtual) device, navigate to
https://ied-address/lxkns.
lxkns discovers...
- Linux namespaces in almost every nook and cranny of your hosts (from open file descriptors, bind-mounts, processes, and now even tasks and from open sockets) – please see the table below,
- the mount points inside mount namespaces (correctly representing "overmounts").
- container workloads: these are automatically related to the underlying
Linux namespaces.
lxknsnow leverages (Siemens OSS) Turtlefinder technology to autodetect container engines even in hierarchical configurations, such as Kubernetes-in-Docker and Docker Desktop on WSL2. Also, (socket-activated) podman detection has finally landed in turtlefinder, and in turn also inlxkns.
| Where? | lsns |
lxkns |
Kernel | |
|---|---|---|---|---|
| ➀ | /proc/*/ns/* |
✓ | ✓ | 4.11 |
| ➁ | /proc/*/task/*/ns/* |
✗ | ✓ | 4.11 |
| ➂ | bind mounts | ✓A | ✓ | 4.11 |
| ➃a | /proc/*/fd/* namespace fds |
✗ | ✓ | 4.11 |
| ➃b | /proc/*/fd/* socket fds |
✗ | ✓ | 5.6 |
| ➄ | namespace hierarchy | ✗ | ✓ | 4.11 |
| ➅ | owning user namespaces | ✗ | ✓ | 4.11 |
- A very recent versions of
lsnshave improved and are now reporting bind-mounted namespaces as of "util-linux 2.39.1". Maybelxknsmanaged to put some pressure to innovate onlsns, maybe not; we would like to hear from people who are acquainted with the rationale.
lxkns finds mount points even in process-less mount
namespaces (for instance, as utilized in "snap"
technology). Our discovery engine even determines
the visibility of mount points, taking different forms of "overmounting" into
consideration.
Take a look at the comprehensive user (and developer) manual.
Note
Please check Important Changes, especially if you have been used the API in the past, and not only the service.
Or, watch the short overview video how to find your way around discovery web frontend:
The following container engine types are supported:
- Docker,
- plain containerd,
- via the CRI Evented PLEG API: containerd and CRI-O,
- socket-activatable podman – via the Docker-compatible API only. Please note that there is no support for podman-proprietary pods (not to be confused with Kubernetes pods).
The lxkns discovery engine can be operated as a stand-alone REST service with
additional web UI. Alternatively, it can be embedded/integrated into other
system diagnosis tools. A prominent example of embedding lxkns is
@siemens/ghostwire.
Caution
Do not use VSCode's "Dev Containers: Clone Repository in Container
Volume" command, as it is utterly broken by design, ignoring
.devcontainer/devcontainer.json.
git clone https://github.com/thediveo/lxkns- in VSCode: Ctrl+Shift+P, "Dev Containers: Open Workspace in Container..."
- select
lxkns.code-workspaceand off you go...
lxkns supports versions of Go that are noted by the Go release
policy, that is, major
versions N and N-1 (where N is the current major version).
Please see CONTRIBUTING.md.
lxkns is Copyright 2020‒26 Harald Albrecht, and licensed under the Apache
License, Version 2.0.