
What docker cannot isolate

青灯夜游 (Original), 2022-02-21 16:17:37

Docker cannot isolate hard disk I/O (disk reads and writes), but it can isolate the file system, the network, inter-process communication, users and user groups (for permissions), process IDs (the PIDs inside the container are separate from those on the host), and the host name and domain name.


The operating environment of this tutorial: linux5.9.8 system, docker-1.13.1 version, Dell G3 computer.

Docker can control many resources, but it currently cannot isolate the "hard disk I/O" resource, that is, disk reads and writes.

Hard disk I/O (short for Input and Output) refers to the input and output traffic of the hard disk. An I/O request is an instruction to read or write the contents of certain sectors on the disk: it generally tells the disk the starting sector, the number of consecutive sectors to transfer from that starting sector, and whether the operation is a read or a write.

For disk I/O resources, the two parameters to consider are capacity and read/write speed, so any disk restriction placed on a container should be expressed in these two dimensions. Currently, Docker supports limiting the disk read and write speed of a container, but it has no way to limit the disk capacity the container can use: once a disk is mounted into the container, the container can use all of the disk's capacity.
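The read/write speed limit mentioned above is applied by `docker run` through the kernel's blkio cgroup. The following is an added example, not code from the original article, showing how the rate accepted by Docker's `--device-read-bps` / `--device-write-bps` flags translates to bytes per second, how the flags are composed, and how a defender can read the resulting limit back from the cgroup v1 throttle files (`blkio.throttle.read_bps_device` and `blkio.throttle.write_bps_device`, one `MAJOR:MINOR BYTES` line per throttled device). The sample throttle content used here is constructed; on cgroup v2 hosts the same limit lives in `io.max` with a different line format, which this script does not parse.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes a cgroup v1 host
# where the blkio controller exposes throttle files with lines of the form
# "MAJOR:MINOR BYTES_PER_SECOND".

# rate_to_bytes RATE -> bytes per second.
# RATE uses docker's syntax (e.g. 10mb, 1gb, 4096); units are
# case-insensitive and based on 1024, as docker interprets them.
rate_to_bytes() {
    _num=$(printf '%s' "$1" | sed 's/[^0-9]//g')
    _unit=$(printf '%s' "$1" | sed 's/[0-9]//g' | tr 'A-Z' 'a-z')
    case "$_unit" in
        ''|b)  echo "$_num" ;;
        kb|k)  echo $((_num * 1024)) ;;
        mb|m)  echo $((_num * 1024 * 1024)) ;;
        gb|g)  echo $((_num * 1024 * 1024 * 1024)) ;;
        *)     echo "unknown unit: $_unit" >&2; return 1 ;;
    esac
}

# blkio_flags DEVICE READ_RATE WRITE_RATE -> the docker run flags that
# throttle one block device. Nothing is executed; the caller decides
# whether to append the output to a docker run command line.
blkio_flags() {
    printf '%s=%s:%s %s=%s:%s\n' \
        --device-read-bps "$1" "$2" --device-write-bps "$1" "$3"
}

# throttle_limit MAJOR:MINOR  (throttle file content on stdin)
# -> configured limit in bytes/s for that device, or "unlimited".
# Useful for auditing a running container:
#   throttle_limit 8:0 < /sys/fs/cgroup/blkio/docker/<id>/blkio.throttle.read_bps_device
throttle_limit() {
    awk -v dev="$1" '$1 == dev { print $2; found = 1 }
                     END { if (!found) print "unlimited" }'
}

# Constructed sample of a throttle file: sda limited to 10 MiB/s,
# sdb to 1 MiB/s, nothing configured for any other device.
SAMPLE_THROTTLE='8:0 10485760
8:16 1048576'

# Stand-alone demonstration.
echo "flags: $(blkio_flags /dev/sda 10mb 5mb)"
echo "10mb = $(rate_to_bytes 10mb) bytes/s"
echo "sda:  $(printf '%s\n' "$SAMPLE_THROTTLE" | throttle_limit 8:0)"
echo "dm-0: $(printf '%s\n' "$SAMPLE_THROTTLE" | throttle_limit 253:0)"
```

A device that does not appear in the throttle file is reported as `unlimited`, which is the case worth flagging in an audit: the container can saturate that disk and starve its neighbours, which is exactly the gap the article describes.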

So what resources can Docker isolate?

Docker implements resource isolation through Linux namespaces, resource limitation through cgroups, and efficient file operations through a *copy-on-write mechanism*.

What namespaces can isolate

If a container is not to interfere with other containers, the following must be isolated:

  • The file system

  • The network

  • Communication between processes

  • Users and user groups, for permissions

  • The PIDs inside the container, from the PIDs on the host

  • The host name: each container must have its own

With the above isolation in place, a container can be considered isolated from the host and from other containers.
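Each item in the list above corresponds to one Linux namespace type: `mnt` (file system), `net`, `ipc`, `user`, `pid` and `uts` (host and domain name). The kernel exposes a process's namespace membership as symlinks under `/proc/<pid>/ns/`, so isolation can be verified rather than assumed. The script below is an added example, not code from the original article: it compares a process's namespaces with those of a reference process (normally PID 1 on the host) and reports which are still shared. It assumes a Linux `/proc`; reading another user's `/proc/<pid>/ns` links needs ptrace access, so entries it cannot read are reported as `unknown` rather than guessed.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes a Linux /proc.

NS_TYPES="mnt net ipc user pid uts"

# ns_id PID TYPE -> namespace identity such as "mnt:[4026531840]",
# or "unknown" when the link does not exist or is not readable.
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null || echo unknown
}

# compare_ns PID REF -> one line per namespace type:
#   "<type> same" | "<type> separate" | "<type> unknown"
compare_ns() {
    for _t in $NS_TYPES; do
        _a=$(ns_id "$1" "$_t")
        _b=$(ns_id "$2" "$_t")
        if [ "$_a" = unknown ] || [ "$_b" = unknown ]; then
            echo "$_t unknown"
        elif [ "$_a" = "$_b" ]; then
            echo "$_t same"
        else
            echo "$_t separate"
        fi
    done
}

# shared_count PID REF -> how many of the six namespace types PID still
# shares with REF. For a container process checked from the host against
# PID 1, anything other than 0 is worth a look. Note that Docker does not
# enable user namespaces by default (userns-remap is opt-in), so "user same"
# is the usual finding even for an otherwise fully isolated container.
shared_count() {
    compare_ns "$1" "$2" | awk '$2 == "same" { n++ } END { print n + 0 }'
}

# Stand-alone demonstration: compare this shell with PID 1 of whatever
# the script runs in. Run from the host with a container's PID
# (docker inspect -f '{{.State.Pid}}' <container>) as the first argument
# to check a real container.
TARGET=${1:-$$}
compare_ns "$TARGET" 1
echo "namespaces shared with PID 1: $(shared_count "$TARGET" 1)"
```

When run from inside a container against the container's own PID 1 every type reports `same`, which is expected; the meaningful check is the one made from the host, where `mnt`, `net`, `ipc`, `pid` and `uts` should all come back `separate`.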

Recommended learning: "docker video tutorial"
