Building on features of the underlying Linux kernel, Docker provides isolation using:

- Namespaces: Using kernel namespaces, Docker provides an isolated workspace called the container. When a container starts, Docker creates a set of namespaces for it, giving it a layer of isolation. Every aspect of the container runs in its own namespaces, and its access is valid only within those namespaces. On Linux, Docker Engine uses these namespaces:
  - For process isolation: PID
  - For managing network interfaces: NET
  - For managing access to IPC resources: IPC
  - For managing filesystem mount points: MNT
  - For isolating kernel and version identifiers: UTS
- Cgroups: Using kernel control groups (cgroups), Docker provides resource isolation and allocation. Control groups limit applications to specific sets of hardware resources and let Docker Engine share these resources among containers while applying constraints and limits. On Linux, Docker Engine uses these cgroups:
  - For managing memory notifications, limits and accounting: Memory cgroup
  - For accounting usage of huge pages by a process group: HugeTLB cgroup
  - For managing system or user CPU usage: CPU cgroup
  - For binding a group to specific CPUs: CPUSet cgroup
  - For measuring and restricting the amount of block I/O by a group: BlkIO cgroup
  - For tagging network traffic for traffic control: net_cls and net_prio cgroups
  - For controlling read/write access to devices: Devices cgroup
  - For freezing a group: Freezer cgroup
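The isolation described above can be verified from the host: a container process should point at different namespace objects than PID 1 for every namespace listed, and its cgroup paths should sit under a per-container hierarchy. The following is an added example (not code from the original text or from Docker) that reads `/proc/<pid>/ns` and parses `/proc/<pid>/cgroup`; the sample namespace IDs and cgroup lines are constructed, and `read_namespaces()` is a hypothetical helper for live use.

```python
"""Check which Linux namespaces a process shares with another (for example a
container process versus PID 1 on the host) and which cgroups it lands in.
Added example, not part of the original text."""
import os

# Namespaces the text lists as used by Docker Engine on Linux.
DOCKER_NAMESPACES = ("pid", "net", "ipc", "mnt", "uts")


def read_namespaces(pid):
    """Live helper: return {ns_name: link_target} from /proc/<pid>/ns,
    e.g. {'pid': 'pid:[4026531836]'}. Needs read access to /proc/<pid>."""
    ns_dir = f"/proc/{pid}/ns"
    return {name: os.readlink(os.path.join(ns_dir, name))
            for name in os.listdir(ns_dir)}


def shared_namespaces(container_ns, host_ns, names=DOCKER_NAMESPACES):
    """Names of namespaces where both processes point at the same kernel
    object. A fully isolated container shares none of these with the host."""
    return sorted(n for n in names
                  if n in container_ns and n in host_ns
                  and container_ns[n] == host_ns[n])


def parse_cgroup_file(text):
    """Parse /proc/<pid>/cgroup in cgroup v1 form 'id:controllers:path' into
    {controller: path}. Docker places containers under a per-container path."""
    out = {}
    for line in text.strip().splitlines():
        _, controllers, path = line.split(":", 2)
        for controller in controllers.split(","):
            if controller:
                out[controller] = path
    return out


# Constructed sample data (not captured from a real system): the container was
# started with its PID namespace shared with the host, so only "pid" matches.
HOST_NS = {"pid": "pid:[4026531836]", "net": "net:[4026531992]",
           "ipc": "ipc:[4026531839]", "mnt": "mnt:[4026531840]",
           "uts": "uts:[4026531838]"}
CONTAINER_NS = {"pid": "pid:[4026531836]", "net": "net:[4026532201]",
                "ipc": "ipc:[4026532199]", "mnt": "mnt:[4026532197]",
                "uts": "uts:[4026532200]"}
SAMPLE_CGROUP = ("12:memory:/docker/0123abcd\n"
                 "11:cpu,cpuacct:/docker/0123abcd\n"
                 "10:devices:/docker/0123abcd\n")

if __name__ == "__main__":
    print("shared with host:", shared_namespaces(CONTAINER_NS, HOST_NS))
    print("cgroups:", parse_cgroup_file(SAMPLE_CGROUP))
```

On a live host, compare `read_namespaces(container_pid)` against `read_namespaces(1)`; any name returned by `shared_namespaces` is a namespace in which that container is not isolated.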