I am wondering what exactly the “Namespaces support” feature in the Linux kernel means. I am using kernel 3.11.1 (the newest stable kernel at this time).
If I decide to disable it, will I notice any change on my system?
And in case somebody decides to make use of namespaces, is it enough to just compile NAMESPACES=Y in the kernel, or does he need userspace tools as well?
In a nutshell, namespaces provide a way to build a virtual Linux system inside a larger Linux system. This is different from running a virtual machine that runs as an unprivileged process: the virtual machine appears as a single process in the host, whereas processes running inside a namespace are still running on the host system.
A virtual system running inside a larger system is called a container. The idea of a container is that processes running inside the container believe that they are the only processes in the system. In particular, the root user inside the container does not have root privileges outside the container (note that this is only true in recent enough versions of the kernel).
Namespaces virtualize one feature at a time. Some examples of types of namespaces are:
Namespaces rely on the kernel to provide isolation between namespaces. This is quite complicated to get right, so there may still be security bugs lying around. The risk of security bugs would be the primary reason not to enable the feature. Another reason not to enable it would be when you're making a small kernel for an embedded device. In a general-purpose kernel that you'd install on a typical server or workstation, namespaces should be enabled, like any other mature kernel feature.
There are still few applications that make use of namespaces. Here are a few:
See the LWN article series by Michael Kerrisk for more information.
Linux kernel namespace is a concept used for isolating a group of processes from others with respect to access to a system resource. For example two different PID namespaces may contain processes with identical PIDs but completely different process image. They are often used in OS-level virtualisation, in which a single kernel is simultaneously running various operating systems - all have to be Linux based (because they share the kernel, obviously), but may be different distributions and versions. See for example LXC.
You may notice disabling it for example on systemd-based systems, since systemd is able to use namespaces for its container feature. Hence a lot depends on what distribution you are using and what you intend to do with the system.
As with almost every kernel feature, you definitely need some sort of user space programs - even if you talked to the kernel through special files (I'm not sure you can), it's usually much better idea to rely on specialized tools, since they offer fore friendly API.
To give an example of namespace usage, in SELinux (MLS or Strict) enabled systems. Namespace is typically used to create individual /tmp and or /home directories for each user. Those directories are visible only to: the user, users with the same label, the kernel and users with privileged access. The namespace-ed /tmp directory gets labeled by SELinux-MLS to match the user's SELinux-MLS label.
In this scenario the /tmp directory that the user sees may really be mounted somewhere other than /tmp (/var/user-tmp). The user however only sees /tmp with the files that are created due to the user's activity. the user will never see any files in /tmp that are the product of other users.
