May 22, 2021 Docker From entry to practice
Namespaces are a powerful feature of the Linux kernel. Each container has its own set of namespaces, and the applications inside it run as if they were on a separate operating system. Namespaces ensure that containers do not affect each other.
Processes of different users are isolated through the pid namespace, and the same pid can be reused in different namespaces. The parent process of all LXC processes in Docker is the Docker process, and each LXC process has its own namespace. Because namespaces can be nested, nested Docker containers are also easy to implement.
With the pid namespace, pids in each namespace are isolated from each other, but network ports would still be shared with the host. Network isolation is achieved through the net namespace: each one has its own network devices, IP addresses, routing table and /proc/net directory, so the network of each container is isolated. By default, Docker uses a veth pair to connect the virtual network interface inside the container to the docker0 bridge on the host.
Processes in containers also interact through the interprocess communication (IPC) mechanisms commonly used in Linux, including semaphores, message queues and shared memory. Unlike with VMs, however, inter-process interactions in containers are really interactions between processes in the same pid namespace on the host, so namespace information must be included when requesting IPC resources, each of which has a unique 32-bit id.
Similar to chroot, a process is confined to a specific directory tree. The mnt namespace lets processes in different namespaces see different file system structures, so the directories seen by processes in each namespace are separated. Unlike chroot, the /proc/mounts information in each namespace lists only the mount points belonging to that namespace.
The UTS ("UNIX Time-sharing System") namespace allows each container to have a separate hostname and domain name, making it available on the network as a separate node rather than a process on the host.
Each container can have its own user and group ids, which means that programs inside the container run as users defined inside the container rather than as users on the host.
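The kernel exposes every namespace a process belongs to as a symbolic link under /proc/<pid>/ns/, for example /proc/self/ns/pid -> "pid:[4026531836]". The number is the namespace's inode: two processes whose links carry the same inode share that namespace. The following program, an added example that is not part of the original article, compares the pid, net, uts, ipc, mnt and user namespace inodes of the current process with those of PID 1 (which tells you whether the process was started inside a container's namespaces or with the host's, as with --pid=host) and then makes a best-effort attempt to enter a new UTS namespace and set a private hostname. It assumes Linux with /proc mounted; the hostname "sandbox-example" is a constructed value, and the unshare() call is expected to be refused on many hosts and inside containers whose seccomp profile blocks it, which the code reports instead of treating as an error.

```c
/* Added example (not from the original article): inspect Linux namespace
 * identifiers from /proc and perform a best-effort UTS namespace switch.
 * Assumes Linux with /proc mounted. */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>

int unshare(int flags); /* same prototype as sched.h, in case _GNU_SOURCE was not in effect */

/* Parse the text of a /proc/<pid>/ns/<type> link, e.g. "pid:[4026531836]".
 * Returns the namespace inode, or 0 if the text is not in that exact form. */
unsigned long parse_ns_inode(const char *link_text, const char *expected_type)
{
    size_t tlen = strlen(expected_type);
    if (strncmp(link_text, expected_type, tlen) != 0 ||
        link_text[tlen] != ':' || link_text[tlen + 1] != '[')
        return 0;
    const char *digits = link_text + tlen + 2;
    char *end = NULL;
    unsigned long inode = strtoul(digits, &end, 10);
    if (end == digits || *end != ']' || end[1] != '\0')
        return 0;
    return inode;
}

/* Namespace inode of <pid> for namespace <type> ("pid", "net", "uts", "ipc",
 * "mnt", "user"). Returns 0 if the link cannot be read (no /proc, no such
 * pid, or no permission to inspect that process). */
unsigned long ns_inode_of(const char *pid, const char *type)
{
    char path[64], buf[64];
    snprintf(path, sizeof path, "/proc/%s/ns/%s", pid, type);
    ssize_t n = readlink(path, buf, sizeof buf - 1);
    if (n < 0)
        return 0;
    buf[n] = '\0';
    return parse_ns_inode(buf, type);
}

/* Create a new user namespace (so root is not needed where unprivileged user
 * namespaces are enabled) plus a new UTS namespace, then set the hostname.
 * The new name is visible only to this process; the host is untouched.
 * Returns 1 on success, 0 if the kernel or runtime refused the call. */
int try_private_hostname(const char *name)
{
    if (unshare(CLONE_NEWUSER | CLONE_NEWUTS) != 0)
        return 0;
    return sethostname(name, strlen(name)) == 0;
}

int main(void)
{
    const char *types[] = {"pid", "net", "uts", "ipc", "mnt", "user"};
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        unsigned long mine = ns_inode_of("self", types[i]);
        unsigned long init = ns_inode_of("1", types[i]);
        const char *verdict = (mine && init) ? (mine == init ? "shared with pid 1"
                                                             : "separate from pid 1")
                                             : "unreadable";
        printf("%-5s self=%lu pid1=%lu (%s)\n", types[i], mine, init, verdict);
    }

    char host[256] = "";
    gethostname(host, sizeof host - 1);
    printf("hostname before: %s\n", host);
    if (try_private_hostname("sandbox-example")) { /* constructed name */
        gethostname(host, sizeof host - 1);
        printf("hostname inside new UTS namespace: %s\n", host);
    } else {
        printf("unshare(CLONE_NEWUSER|CLONE_NEWUTS) refused: %s\n", strerror(errno));
    }
    return 0;
}
```

Compile with `cc -o nscheck nscheck.c` and run it once on the host and once inside a container: on the host every line reads "shared with pid 1", while inside a normally started container they read "separate from pid 1", and a container started with --pid=host or --net=host shows exactly the namespaces it shares. The hostname change, when it succeeds, disappears with the process, which is the same property the UTS namespace gives each container.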
Note: for more about namespaces on Linux, see this article.