Docker’s isolation is built mainly on Linux namespaces.
What a namespace can isolate:
1. The file system (mount namespace)
2. The network, i.e. interfaces, routes and ports (network namespace)
3. Inter-process communication such as System V IPC and POSIX message queues (IPC namespace)
4. Users and user groups, and therefore the permissions tied to them (user namespace)
5. Process IDs, so a PID inside the container is distinct from the PIDs on the host (PID namespace)
What are the disadvantages of isolating containers with namespaces?
The biggest disadvantage is that the isolation is not complete.
1) A container is just a specially configured process running on the host, so all containers share the host operating system kernel. A kernel vulnerability reachable from one container therefore affects every other container and the host itself.
2) Many resources and objects in the Linux kernel cannot be namespaced. The classic example is system time: the wall clock is shared, so if a container is allowed to set the time, the time of the entire host changes with it. The time namespace added in Linux 5.6 only offsets CLOCK_MONOTONIC and CLOCK_BOOTTIME, not CLOCK_REALTIME; what actually stops a default Docker container from changing the clock is that it runs without CAP_SYS_TIME, and a container started with --privileged gets that capability back.
3) Containers expose a comparatively large attack surface to the applications inside them, because every system call goes straight to the shared kernel. For this reason, Linux containers running directly on physical machines are generally not exposed to the public network in production without an additional isolation layer.
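The following script, added here as an example and not part of the original article, checks both points from inside a process: which namespace types actually differ from a reference process (the host's PID 1) and which are still shared, and whether CAP_SYS_TIME is in the effective capability set, since a shared resource like the wall clock is protected only by the absence of that capability. The namespace inode numbers are constructed samples; the CapEff values are Docker's documented default set (a80425fb) and a full root set on a kernel with 41 capabilities (1ffffffffff). The function and sample names are this example's own.

```python
"""Inspect how much of a process's view of the system is actually namespaced.

Added example: which namespace types differ from a reference process (isolated)
versus share its inode (not isolated), and which capabilities are effective.
"""
import os
import re

# Namespace types a modern Linux kernel exposes under /proc/<pid>/ns/.
NAMESPACE_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "time", "user", "uts")

# Capability names indexed by bit number (linux/capability.h).
CAPABILITIES = (
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
)

_NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")


def parse_ns_links(links):
    """Turn {'pid': 'pid:[4026531836]', ...} into {'pid': 4026531836, ...}.

    Entries such as pid_for_children / time_for_children are skipped: they
    describe the namespace new children will get, not the caller's own.
    """
    ids = {}
    for name, target in links.items():
        if name not in NAMESPACE_TYPES:
            continue
        m = _NS_LINK.match(target)
        if not m or m.group(1) != name:
            raise ValueError(f"unexpected link target for {name}: {target!r}")
        ids[name] = int(m.group(2))
    return ids


def read_ns_links(pid="self"):
    """Live helper: readlink() every entry under /proc/<pid>/ns (Linux only)."""
    ns_dir = f"/proc/{pid}/ns"
    return {n: os.readlink(os.path.join(ns_dir, n)) for n in os.listdir(ns_dir)}


def isolation_report(own, reference):
    """Split namespace types into those whose inode differs from the reference
    process (isolated) and those with the same inode (shared with it)."""
    own_ids, ref_ids = parse_ns_links(own), parse_ns_links(reference)
    common = sorted(set(own_ids) & set(ref_ids))
    return {
        "isolated": [t for t in common if own_ids[t] != ref_ids[t]],
        "shared": [t for t in common if own_ids[t] == ref_ids[t]],
    }


def effective_capabilities(status_text):
    """Decode the CapEff bitmask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    mask = int(m.group(1), 16)
    return {name for bit, name in enumerate(CAPABILITIES) if mask >> bit & 1}


# Constructed samples. Inodes are illustrative. The container keeps the host's
# user and time namespaces, which is what a plain `docker run` does by default
# (cgroup is private on cgroup-v2 hosts with recent Docker).
HOST_PID1_NS = {t: f"{t}:[4026531{830 + i}]" for i, t in enumerate(NAMESPACE_TYPES)}
CONTAINER_NS = dict(HOST_PID1_NS)
for _t in ("cgroup", "ipc", "mnt", "net", "pid", "uts"):
    CONTAINER_NS[_t] = f"{_t}:[4026532{200 + NAMESPACE_TYPES.index(_t)}]"
CONTAINER_NS["pid_for_children"] = CONTAINER_NS["pid"]

# Constructed /proc/<pid>/status excerpts: Docker's default capability set,
# and an unconfined root process on a kernel with 41 capabilities.
CONTAINER_STATUS = "Name:\tsh\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
HOST_ROOT_STATUS = "Name:\tsystemd\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    report = isolation_report(CONTAINER_NS, HOST_PID1_NS)
    print("isolated from host:", report["isolated"])
    print("still shared with host:", report["shared"])
    caps = effective_capabilities(CONTAINER_STATUS)
    print("container has CAP_SYS_TIME:", "CAP_SYS_TIME" in caps)
    if os.path.isdir("/proc/self/ns"):
        print("this process's namespaces:", sorted(parse_ns_links(read_ns_links())))
```

On a real host, run it inside the container with `read_ns_links()` for the container process and `read_ns_links(1)` for the host's PID 1 (reading another process's `/proc/<pid>/ns` needs ptrace access to it); the shared list is exactly the set of things the namespace model does not isolate, and the capability set tells you whether the shared wall clock is actually writable.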