Kernel security
The kernel provides two technologies for containers, cgroups and namespaces, which restrict and isolate containers respectively, so that a container appears to be running in a separate host environment.
·Cgroups: resource restriction
Containers are essentially processes. cgroups exist to limit the resources that different containers may consume on the host, so that no single container can exhaust host resources and cause failures in other containers.
·Namespaces: resource isolation
To keep each container in an independent environment, Docker uses namespaces to isolate the container, so that the container and the host are isolated from each other.
Docker currently has complete support for only five namespaces: UTS, IPC, PID, network and mount; the user namespace is not yet fully supported. Beyond these resources, many system resources are still not isolated: /proc and /sys information is not isolated, and neither are SELinux, time, syslog and /dev device information. In terms of kernel security, then, Docker has reached a basic level of usability but is still some distance from real security.
Network security between containers
When the Docker daemon is started with inter-container communication disabled via the --icc flag (--icc=false), communication between containers is prohibited; this is implemented mainly by setting iptables rules. For details on iptables, see "Detailed explanation: Docker uses Linux iptables and interfaces to manage container networks" and other related content on this site.
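As an added example (not code from the original article or from Docker itself), the following audit script checks whether the FORWARD chain actually drops bridge-to-bridge traffic, which is what --icc=false produces. It assumes the default bridge is named docker0 and works on constructed `iptables -S FORWARD` output rather than a live host.

```python
import shlex

# Constructed sample of `iptables -S FORWARD` on a Docker host started with
# --icc=false (assumed default bridge docker0; not captured from a real host).
SAMPLE_ICC_FALSE = """\
-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j DROP
"""
# Same host with the default --icc=true: the last rule is ACCEPT instead of DROP.
SAMPLE_ICC_TRUE = SAMPLE_ICC_FALSE.replace("-o docker0 -j DROP", "-o docker0 -j ACCEPT")

def parse_rule(line):
    """Parse one `-A FORWARD ...` line into the clauses this audit evaluates:
    'in'/'out' -> (interface, negated), 'target', and 'module' (any -m match)."""
    toks = shlex.split(line)
    if toks[:2] != ["-A", "FORWARD"]:
        return None
    rule, negate, i = {"target": None, "module": False}, False, 2
    while i < len(toks):
        tok = toks[i]
        if tok in ("-i", "-o"):
            rule["in" if tok == "-i" else "out"] = (toks[i + 1], negate)
        elif tok == "-j":
            rule["target"] = toks[i + 1]
        elif tok == "-m":
            rule["module"] = True
        negate = tok == "!"  # '!' negates only the clause that follows it
        i += 2 if tok in ("-i", "-o", "-j", "-m") else 1
    return rule

def icc_verdict(text, bridge="docker0"):
    """Walk FORWARD top-down for the first packet of a new bridge-to-bridge
    connection; return the first terminating verdict, else the chain policy.
    Rules with an extra -m match are skipped (right for the conntrack rule, an
    assumption otherwise); jumps to user chains such as DOCKER-USER are not followed."""
    def iface_ok(clause):  # a rule without -i/-o matches any interface
        return clause is None or (clause[0] == bridge) != clause[1]
    policy = "ACCEPT"
    for line in text.splitlines():
        toks = line.split()
        if toks[:2] == ["-P", "FORWARD"]:
            policy = toks[2]
        r = parse_rule(line)
        if (r and r["target"] in ("ACCEPT", "DROP", "REJECT") and not r["module"]
                and iface_ok(r.get("in")) and iface_ok(r.get("out"))):
            return r["target"]
    return policy
```

On a real host, feed the output of `iptables -S FORWARD` to `icc_verdict`; anything other than "ACCEPT" means new connections between containers on the bridge are blocked.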
That is all for this article on Docker security mechanisms, covering kernel security and network security between containers. I hope it is helpful to everyone.