Can docker isolate resources?
Docker can isolate resources.
In essence, a Docker container is a process on the host.
Docker implements resource isolation through namespaces, resource limits through cgroups, and efficient file operations through a *copy-on-write mechanism*.
The namespace mechanism provides a resource isolation solution.
PID, IPC, network and other system resources are no longer global; each belongs to a specific namespace.
The resources in one namespace are transparent to, and invisible from, the other namespaces.
One of the main purposes of namespaces in the Linux kernel is to support lightweight virtualization (container) services. Processes in the same namespace can perceive each other's changes and know nothing about processes outside it, which gives them independence and isolation.
What can be isolated by namespace:
The file system needs to be isolated
The network also needs to be isolated
Inter-process communication also needs to be isolated
For permissions, users and user groups also need to be isolated
The PIDs of processes in the container also need to be isolated from the PIDs on the host
The container must also have its own host name
With all of the above isolated, we can consider a container to be isolated from the host and from other containers.
Linux namespaces happen to provide exactly this.
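As an added example (not from the original article), the Python code below checks which of the namespaces listed above a container process actually has to itself, by comparing the namespace identifiers the kernel exposes under /proc/<pid>/ns/. The sample link values are constructed, and the function names are this example's own.

```python
import os
import re

# The six isolation items listed above, keyed by the kernel's name under /proc/<pid>/ns/.
NAMESPACES = {
    "mnt": "file system (mount points)",
    "net": "network",
    "ipc": "inter-process communication",
    "user": "users and groups",
    "pid": "process IDs",
    "uts": "host name",
}
LINK_RE = re.compile(r"^(\w+):\[(\d+)\]$")  # link target format, e.g. "net:[4026531992]"

def parse_links(links):
    """Turn {'net': 'net:[4026531992]', ...} into {'net': 4026531992, ...}."""
    ids = {}
    for name, target in links.items():
        m = LINK_RE.match(target)
        if not m or m.group(1) != name:
            raise ValueError(f"unexpected namespace link: {name} -> {target!r}")
        ids[name] = int(m.group(2))
    return ids

def read_links(pid):
    """Read the live links for a process (Linux only)."""
    return {n: os.readlink(f"/proc/{pid}/ns/{n}") for n in NAMESPACES}

def shared_with_host(host_links, container_links):
    """Return the namespaces the container process does NOT have to itself."""
    host, cont = parse_links(host_links), parse_links(container_links)
    return sorted(n for n in NAMESPACES if n in host and host[n] == cont.get(n))

# Constructed sample: PID 1 on the host versus a container process that was
# started with host networking and without user-namespace remapping.
HOST = {"mnt": "mnt:[4026531840]", "net": "net:[4026531992]", "ipc": "ipc:[4026531839]",
        "user": "user:[4026531837]", "pid": "pid:[4026531836]", "uts": "uts:[4026531838]"}
CONTAINER = {"mnt": "mnt:[4026532561]", "net": "net:[4026531992]", "ipc": "ipc:[4026532563]",
             "user": "user:[4026531837]", "pid": "pid:[4026532564]", "uts": "uts:[4026532562]"}

if __name__ == "__main__":
    for name in shared_with_host(HOST, CONTAINER):
        print(f"not isolated from host: {name} ({NAMESPACES[name]})")
```

On a Linux host, pass `read_links(1)` and `read_links(pid)` for a container's process instead of the sample data; reading another process's links usually requires root.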