What is the isolation of docker containers by?

Docker containers achieve isolation through the Linux kernel technology Namespace; the "Linux Namespaces" mechanism provides a resource isolation solution. The resources under each namespace are transparent and invisible to the resources under other namespaces. Therefore, at the operating system level, there will be multiple processes with the same pid.

The operating environment of this tutorial: linux7.3 system, docker version 19.03, Dell G3 computer.

What is the isolation of docker containers?

Docker mainly relies on the Linux kernel technology Namespace to achieve isolation. The Linux Namespaces mechanism provides a resource isolation solution.

PID, IPC, Network and other system resources are no longer global, but belong to a specific Namespace. Resources under each namespace are transparent and invisible to resources under other namespaces. Therefore, at the operating system level, there will be multiple processes with the same pid. There can be two processes with process numbers 0, 1, and 2 in the system at the same time. Since they belong to different namespaces, there is no conflict between them. At the user level, only resources belonging to the user's own namespace can be seen. For example, using the ps command can only list processes under the user's own namespace. This way each namespace looks like a separate Linux system.

The example is as follows: Process isolation

Start a container

docker run -it -p 8080:8080 --name pai-sn pai-sn:snapshot /bin/bash

-it Interactive startup, -p port mapping, –name The container name is followed by the image name, open the shell, and enter the container after startup

View process

ps -ef

Use the top command to view process resources

View the process currently executing the container on the host machine ps -ef|grep pai-sn

From this, we can know that the docker run command starts only one process, and its pid is 4677. As for the container program itself, it is isolated, and only its own internal processes can be seen inside the container. Docker is implemented with the help of the Namespace technology of the Linux kernel.

File isolation

Execute the ls command in the root directory inside the container

Inside the container These folders have been included

The host executes docker info to see what file system our Docker uses

The Docker version is 20.10 .6. The storage driver is overlay2. Different storage drivers behave differently in Docker, but the principles are similar.

The Docker file system is mounted through mount. Execute docker ps command instance id

Execute docker inspect container_id | grep Mounts -A 20 to find Mount the directory on the host machine, check the directory list

and find that this is consistent with the directory of our container, we create a new directory in this directory, and then look See if a new directory will appear inside the container. In fact, file isolation and resource isolation are all done by mounting in the new namespace.

Recommended learning: "docker video tutorial"

The above is the detailed content of What is the isolation of docker containers by?. For more information, please follow other related articles on the PHP Chinese website!