Containers ensure isolation through several key Linux kernel features:
- Namespaces: A namespace wraps a global kernel resource so that the processes inside it see their own private instance of that resource. A container is normally started in a fresh namespace of each of these types:
  - PID Namespace: Gives the container its own process ID space. The container's first process is PID 1 inside it, and processes cannot see or signal processes in other PID namespaces. The host, which sits in the parent namespace, still sees every container process under a different PID.
  - Mount Namespace (MNT): Gives the container its own mount table, so it can mount and unmount filesystems without affecting the host or other containers. Runtimes use it together with pivot_root to make the image's root filesystem the container's /.
  - Network Namespace (NET): Gives the container its own network stack: interfaces, IP addresses, routing tables, netfilter rules and port space. Containers that share a network namespace, or that run in the host's, can see each other's sockets.
  - IPC Namespace: Isolates System V IPC objects (shared memory, semaphores, message queues) and POSIX message queues, so one container cannot read or interfere with another's IPC.
  - User Namespace: Maps the container's user and group IDs onto a range of ordinary, unprivileged IDs on the host, so that UID 0 inside the container is not UID 0 outside. This namespace changes the impact of a breakout more than any other, and many runtimes (Docker among them) do not enable it by default; without it, root in the container is root on the host.
  - UTS Namespace: Isolates the hostname and NIS domain name, which is why each container can have its own hostname. A cgroup namespace additionally hides the host's cgroup hierarchy from the container.
- Control Groups (cgroups): Cgroups account for and limit the resources (CPU time, memory, disk I/O, number of processes, etc.) that each container can consume: a container that exceeds its memory limit is OOM-killed, and the pids controller stops a fork bomb from exhausting the host's process table. Cgroups are about availability rather than confinement. They prevent one container from starving the others but do not restrict what a container can see or touch, so a container started with no limits is a denial-of-service risk even when every other mechanism is in place.
- Seccomp: Seccomp (secure computing mode) restricts the system calls a process can make. In its filter mode, a small BPF program supplied by the runtime runs on every system call and decides, from the syscall number, architecture and arguments, whether to allow the call, fail it with an errno, log it or kill the process. This shrinks the kernel attack surface reachable from inside the container: Docker's default profile, for example, denies a few dozen syscalls such as mount, kexec_load and keyctl that ordinary applications never need. A filter is inherited by child processes and cannot be removed once installed, and without CAP_SYS_ADMIN the kernel requires the no_new_privs flag, so a setuid binary cannot escape it.
- SELinux/AppArmor: These are Linux Security Modules (LSMs) that enforce mandatory access control on top of the ordinary discretionary permission checks. AppArmor confines a container with a path-based profile (Docker loads docker-default, which among other things denies writes to most of /proc and /sys); SELinux labels each container's processes and files (container_t, with a per-container MCS category) so that even a root process cannot read another container's files or sensitive host paths. The policy lives on the host and is applied by the runtime, so it keeps restricting a process that has already compromised everything inside the container.
Together, these features give each container an isolated view of the system and a bounded share of its resources, so many containers can run on one host without interfering with each other. They are layers rather than a single boundary: every container still shares the host kernel, so a kernel vulnerability reachable through an allowed system call, a container started with --privileged or in the host's PID or network namespace, or a missing user namespace mapping undoes the isolation. Runtimes therefore also drop most Linux capabilities from the container's root user, and defence in depth means enabling all of these mechanisms rather than relying on any one of them.
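As an added example (not code from the original page or from any container runtime), the following C program installs a seccomp filter of the kind described in the Seccomp item above. It denies an illustrative list of system calls (mount, umount2, kexec_load, keyctl, add_key and chroot; the list is constructed for this example and is not Docker's profile) with EACCES, allows everything else, and then verifies the result the way one would from inside a container: by probing a denied syscall and reading the Seccomp: field of /proc/self/status. The names install_filter, probe_chroot and seccomp_mode are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Check the architecture first: syscall numbers differ per ABI, and on x86-64
 * a process can switch to the 32-bit ABI to dodge a filter that does not. */
#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define ARCH_NR AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL /* pre-4.14 headers */
#endif

/* Illustrative deny list (constructed for this example, not Docker's profile).
 * chroot is included so that the probe below has a harmless syscall to hit. */
static const long denied[] = {
    SYS_mount, SYS_umount2, SYS_kexec_load, SYS_keyctl, SYS_add_key, SYS_chroot,
};
#define NDENIED ((int)(sizeof denied / sizeof denied[0]))
#define DENY_ERRNO EACCES /* Docker returns EPERM; EACCES makes the probe unambiguous */

/* Build and install the filter. Returns 0 on success, -1 (errno set) on failure. */
int install_filter(void)
{
    /* Layout: [0] load arch, [1] compare, [2] kill on mismatch, [3] load nr,
     * [4..4+N) one JEQ per denied syscall, [4+N] allow, [5+N] return errno. */
    struct sock_filter prog[6 + NDENIED];
    int n = 0;

    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    for (int i = 0; i < NDENIED; i++) {
        /* jt skips the remaining comparisons and the allow, landing on the errno return */
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (unsigned int)denied[i],
                                                 (unsigned char)(NDENIED - i), 0);
    }
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                             SECCOMP_RET_ERRNO | (DENY_ERRNO & SECCOMP_RET_DATA));

    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };

    /* Without CAP_SYS_ADMIN the kernel insists on no_new_privs, which also
     * stops a setuid/fscaps binary from gaining privilege under the filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
        return -1;
    return 0;
}

/* Probe a denied syscall. chroot("/") is a no-op for root and EPERM for anyone
 * else without a filter; under the filter it must fail with DENY_ERRNO regardless.
 * Returns 0 if the call succeeded, otherwise the errno it failed with. */
int probe_chroot(void)
{
    if (chroot("/") == 0)
        return 0;
    return errno;
}

/* The check to run inside any container: "Seccomp:" in /proc/self/status is
 * 0 (disabled), 1 (strict) or 2 (filter). Returns -1 if it cannot be read. */
int seccomp_mode(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int mode = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "Seccomp:", 8) == 0) {
            mode = atoi(line + 8);
            break;
        }
    }
    fclose(f);
    return mode;
}

int main(void)
{
    printf("before: chroot errno=%d seccomp mode=%d\n", probe_chroot(), seccomp_mode());
    if (install_filter() != 0) {
        perror("install_filter");
        return 1;
    }
    printf("after:  chroot errno=%d (EACCES=%d) seccomp mode=%d\n",
           probe_chroot(), EACCES, seccomp_mode());
    return 0;
}
```

Run it once as an unprivileged user and once as root: before the filter the chroot probe fails with EPERM in the first case and succeeds in the second, and after the filter both report EACCES and seccomp mode 2, which is exactly the pair of observations (distinct errno, Seccomp: 2 in /proc) that tell you a runtime's profile is really being enforced on your workload.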
