Question

how docker provides an isolated workspace to keep applications on the same host or cluster isolated from one another

Answer 1

With the various features of its underlying linux kernel, Docker provides isolation using:

• Namespaces: Using kernel namespaces, Docker provides isolated workspace called the container. As the containers start running, Docker creates a set of namespaces for them to give a layer of isolation. Every aspect of these containers run in separate namespaces and their access is only valid for their own namespaces. On Linux, Docker Engines use these namespaces:
  1. For process isolation: PID
  2. For managing network interfaces: NET
  3. For managing access to IPC resources: IPC
  4. For managing filesystem mount points: MNT
  5. For isolating kernel and version identifiers: UTS
• Cgroups: Using kernel control groups (cgroups), Docker provides resource isolation and allocation. Control groups limit applications to some specific sets of hardware resources and let Docker Engine share these resources to containers and apply constraints and limits. On Linux, Docker Engines use these cgroups:
  1. For managing notifications, limits and accounting: Memory cgroup
  2. For accounting usage of huge pages by process group: HugeTBL cgroup
  3. For managing system or user CPU usage: CPU cgroup
  4. For binding a group to specific CPU: CPUSet cgroup
  5. For checking & restricting amount of blckIO by group: BlkIO cgroup
  6. For tagging the traffic control: net_cls and net_prio cgroup f
  7. For reading / writing access devices: Devices cgroup
  8. For freezing a group: Freezer cgroup