When working with network namespaces in Linux, you'll often find two common commands recommended:
ip netns list
lsns --type=net
However, these methods have significant limitations:
ip netns listonly shows namespaces registered in /var/run/netnslsns --type=netonly displays namespaces with at least one running process
Network namespaces are actually represented as files in the /proc filesystem. Each namespace has an inode number that uniquely identifies it. The most reliable way to find all network namespaces is to examine these files directly.
Here's a robust method to list all network namespaces, including those used by Docker and other container runtimes:
sudo find /proc/[0-9]*/ns/net -type l -exec readlink {} \; | sort -u
This command:
- Finds all net namespace files in /proc/[pid]/ns/net
- Reads the symbolic links to get the inode numbers
- Sorts and removes duplicates
For a more human-readable output, you can combine the find command with nsenter:
for namespace in $(sudo find /proc/[0-9]*/ns/net -type l -exec readlink {} \; | sort -u); do
sudo nsenter --net=/proc/1/ns/net ip netns list | grep "$namespace" || echo "Unnamed namespace: $namespace"
done
Docker stores its network namespaces in a different location (/var/run/docker/netns). To include these, run:
sudo ls -1 /var/run/docker/netns/
Combine this with our previous approach for a complete view:
{
sudo find /proc/[0-9]*/ns/net -type l -exec readlink {} \; | sort -u
sudo ls -1 /var/run/docker/netns/ | xargs -I {} readlink /var/run/docker/netns/{}
} | sort -u
Once you have the namespace identifiers, you can inspect them:
# Get the PID for a namespace
NAMESPACE_ID="net:[4026531992]"
PID=$(sudo find /proc/[0-9]*/ns/net -ls | grep "$NAMESPACE_ID" | awk '{print $11}' | cut -d/ -f3)
# Enter the namespace
sudo nsenter -t $PID -n ip addr
For regular use, consider creating a shell script:
#!/bin/bash
echo "=== All Network Namespaces ==="
echo "1. System namespaces:"
sudo find /proc/[0-9]*/ns/net -type l -exec readlink {} \; | sort -u
echo -e "\n2. Docker namespaces:"
sudo ls -1 /var/run/docker/netns/ 2>/dev/null || echo "No Docker namespaces found"
echo -e "\n3. ip netns registered namespaces:"
ip netns list 2>/dev/null || echo "No ip netns registered namespaces"
When working with Linux network namespaces, you'll quickly discover that standard tools don't show the complete picture. Let's examine why this happens and how to get a comprehensive list.
# Traditional method (only shows /var/run/netns)
ip netns list
# Process-based listing (only shows active namespaces)
lsns --type=net
The first approach only shows namespaces created using ip netns add, while the second only displays namespaces with running processes - missing both Docker's namespaces and empty namespaces.
Here's a comprehensive method to find all network namespace references:
# Method 1: Search through all possible mount points
sudo find /proc/[0-9]*/ns/net -type l 2>/dev/null | xargs -I {} readlink {} | sort -u
# Method 2: Check all possible namespace locations
sudo find /run -name "netns" -o -name "net" | xargs -I {} find {} -type f 2>/dev/null
For Docker specifically, you need to check its private namespace storage:
# List Docker network namespaces
sudo ls -l /var/run/docker/netns/
# Alternative for newer Docker versions
sudo docker network ls -q | xargs -I {} docker network inspect {} | grep -i "sandboxid"
Once you have the namespace identifiers, you can inspect them:
# Show namespace metadata
sudo nsenter --net=/var/run/docker/netns/<namespace_id> ip a
# Alternative using nsenter
sudo nsenter --net=/proc/<pid>/ns/net ip link list
This script helps identify namespaces without active processes:
#!/bin/bash
active_ns=$(lsns -t net | awk 'NR>1 {print $2}')
all_ns=$(find /proc/[0-9]*/ns/net -type l 2>/dev/null | xargs readlink | sort -u)
echo "Orphaned namespaces:"
comm -23 <(echo "$all_ns") <(echo "$active_ns")
To properly clean up unused namespaces:
# For ip netns created namespaces
sudo ip netns delete <namespace>
# For Docker-created namespaces (requires container cleanup first)
sudo docker network prune