
Linux containers

As mentioned in the previous section, Docker containers are secured and isolated from each other. On Linux, Docker containers are built on several standard features of the Linux kernel. These include:

  • Linux namespaces: A feature of the Linux kernel that isolates resources from each other. It allows one set of Linux processes to see one group of resources while another set of Linux processes sees a different group of resources. There are several kinds of namespaces in Linux: Mount (mnt), Process ID (PID), Network (net), User ID (user), Control group (cgroup), and Interprocess Communication (IPC). The kernel can place specific system resources that are normally visible to all processes into a namespace. Inside a namespace, a process can see only the resources associated with other processes in the same namespace. You can associate a process or a group of processes with their own namespace or, with network namespaces, you can even move a network interface into a namespace. For example, two processes in two different mount namespaces may have different views of what the mounted root file system is. Each container can be associated with its own specific set of namespaces, and those namespaces are used inside that container only.
  • Control groups (cgroups): These provide an effective mechanism for resource limitation. With cgroups, you can control and manage system resources per Linux process, increasing overall resource utilization efficiency. Cgroups allow Docker to control resource utilization per container.
  • SELinux: Security Enhanced Linux (SELinux) is a mandatory access control (MAC) system used for granular control of system access, initially developed by the National Security Agency (NSA). It is an additional security layer for Debian and RHEL-based distributions like Red Hat Enterprise Linux, CentOS, and Fedora. Docker uses SELinux for two main reasons: to protect the host and to isolate containers from each other. Container processes run with limited access to system resources under special SELinux rules.

The beauty of Docker is that it leverages the aforementioned low-level kernel technologies, but hides all complexity by providing an easy way to manage your containers.
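The namespace and cgroup membership described above is visible directly in /proc, which is the simplest way for an administrator to verify that a process is actually isolated the way Docker promises. The following script is an added example written for this section, not code from the book or from Docker; it assumes a Linux host with /proc mounted, and the function names (ns_id, same_ns, ns_report, cgroup_of, isolation_check) are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): inspect which Linux namespaces and cgroup a
# process belongs to by reading /proc, the same kernel facilities the text says
# Docker builds on. Assumes a Linux host with /proc mounted; reading your own
# processes' namespace links needs no root. Function names are this example's own.

# ns_id PID TYPE: print the namespace identifier, e.g. "net:[4026531992]".
# Two processes print the same identifier only if they share that namespace.
ns_id() {
    readlink "/proc/$1/ns/$2"
}

# same_ns PID1 PID2 TYPE: succeed when both processes are in the same namespace.
same_ns() {
    a=$(ns_id "$1" "$3") || return 1
    b=$(ns_id "$2" "$3") || return 1
    [ "$a" = "$b" ]
}

# ns_report PID: one "type<TAB>id" line per namespace type the kernel exposes.
# mnt, pid, net, user, cgroup and ipc are the types listed in the text; uts
# (hostname/domainname) is a further type that also exists on current kernels.
ns_report() {
    for t in mnt pid net user cgroup ipc uts; do
        id=$(ns_id "$1" "$t" 2>/dev/null) || continue
        printf '%s\t%s\n' "$t" "$id"
    done
}

# cgroup_of PID: print the cgroup path(s) of a process from /proc/PID/cgroup.
# On a host running Docker, a container's processes typically sit under a
# docker-specific cgroup rather than the host's own; that cgroup is where the
# per-container resource limits described above are attached.
cgroup_of() {
    cat "/proc/$1/cgroup"
}

# isolation_check PID TYPE: audit helper for a host administrator. Reports whether
# PID shares the given namespace with PID 1 (the host's init when run on the
# host). A container process that shares, say, the net or pid namespace with
# init is not isolated in that dimension. Exit code: 0 isolated, 1 shared,
# 2 could not read PID 1 (needs privileges).
isolation_check() {
    host=$(ns_id 1 "$2" 2>/dev/null) || {
        echo "cannot read pid 1 namespaces (need privileges)"; return 2; }
    if [ "$host" = "$(ns_id "$1" "$2")" ]; then
        echo "pid $1 SHARES the $2 namespace with pid 1"
        return 1
    fi
    echo "pid $1 has its own $2 namespace"
    return 0
}

# Stand-alone demo: a plain child process inherits every namespace of its
# parent, so the two reports below match line for line.
sleep 30 &
child=$!
echo "--- namespaces of this shell ($$)"; ns_report "$$"
echo "--- namespaces of child ($child)"; ns_report "$child"
same_ns "$$" "$child" net && echo "shell and child share the net namespace"
echo "--- cgroup of this shell"; cgroup_of "$$"
kill "$child" 2>/dev/null
```

To see the isolation side of the picture, run the report from the host against the PID of a process inside a running container (`isolation_check <pid> net`, `isolation_check <pid> pid`): a properly isolated container shows different mnt, pid, net and ipc identifiers from init, and its `/proc/<pid>/cgroup` line points at the container's own cgroup. If you have unprivileged user namespaces enabled, `unshare -Un sh` followed by `ns_report $$` in that new shell shows fresh user and net identifiers while the rest stay the same.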
