
How the docker container isolates processes

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how a Docker container isolates processes. The method described here is simple, fast and practical, so let's walk through it.

A Docker container isolates processes mainly through two Linux kernel mechanisms: Namespace technology and Cgroups technology.

Namespace technology

Namespaces are not a new technology; they are a standard facility of the Linux kernel, and include the PID Namespace, Mount Namespace, IPC Namespace, Network Namespace and others.

Take the PID Namespace as an example. When we create a process, we can tell the Linux kernel that the new process needs its own independent process space. Inside that space the process has PID=1: it can only see what is in the new space, not the host environment or the host's other processes. This is only a virtual view, however. On the host the process keeps whatever PID it was really assigned; only from inside its own process space does it believe it is PID=1.

The Network Namespace works on the same principle: the process can only see the network devices inside its own Namespace, not the real network situation of the host. Namespace technology changes what an application process can see; the nature of the process itself does not change.
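As an added illustration (not code from the original article), the following C program creates a child in a fresh PID Namespace with clone(CLONE_NEWPID) and compares the PID the child reports for itself with the PID the host assigned. It also parses the `NSpid:` line of /proc/&lt;pid&gt;/status, which is how a host-side observer can see both PIDs of a namespaced process. Creating a PID Namespace needs CAP_SYS_ADMIN, so the clone step reports failure and returns 0 when run unprivileged; the sample status line is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (64 * 1024)

/* Child entry point: send back the PID it sees for itself (1 in a new PID namespace). */
static int child_main(void *arg) {
    int *fds = arg;
    pid_t inside = getpid();
    ssize_t n = write(fds[1], &inside, sizeof inside);
    return n == (ssize_t)sizeof inside ? 0 : 1;
}

/* Parse a /proc/<pid>/status "NSpid:" line, e.g. "NSpid:\t4321\t1": the first
 * number is the host-side PID, the last is the PID inside the deepest namespace. */
int innermost_nspid(const char *line) {
    if (strncmp(line, "NSpid:", 6) != 0) return -1;
    const char *p = line + 6;
    long last = -1;
    for (;;) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p) break;          /* no more numbers on the line */
        last = v;
        p = end;
    }
    return (int)last;
}

/* Clone a child into a new PID namespace and return the PID the child saw for
 * itself; returns 0 if the namespace could not be created (e.g. unprivileged). */
int pid_as_seen_in_new_ns(void) {
    int fds[2];
    if (pipe(fds) != 0) return 0;
    char *stack = malloc(STACK_SIZE);          /* clone() stack grows down on x86/arm */
    pid_t host_pid = stack ? clone(child_main, stack + STACK_SIZE,
                                   CLONE_NEWPID | SIGCHLD, fds) : -1;
    pid_t inside = 0;
    if (host_pid == -1) {
        fprintf(stderr, "clone(CLONE_NEWPID) failed: %s\n", strerror(errno));
    } else {
        close(fds[1]);
        if (read(fds[0], &inside, sizeof inside) != (ssize_t)sizeof inside) inside = 0;
        waitpid(host_pid, NULL, 0);
        printf("host sees PID %d, child sees PID %d\n", (int)host_pid, (int)inside);
    }
    close(fds[0]);
    free(stack);
    return (int)inside;
}
```

Run as root to see the child report PID 1 while the host prints its real PID; on the host, `grep NSpid /proc/<host_pid>/status` shows both values.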

Cgroups technology

The function of Cgroups is to limit the maximum amount of resources a process group may use (CPU, memory, disk and so on).

Namespace technology only changes the visible range of a process group; it cannot actually limit resources. Without limits, containers (processes) would compete for resources, and if one container used up all the host's resources, the other containers would fail as well. Cgroup technology must therefore be used to limit the resources of each container.

Cgroup technology is also a standard function provided by Linux. Under /sys/fs/cgroup on a Linux system there are subdirectories such as cpu and memory, and the limits for each resource are configured through the files in the corresponding directory. Cgroups apply the same principle to memory, disk and other resources.

At this point you should have a deeper understanding of how Docker containers isolate processes; the best next step is to try it out in practice. More related content is available in the relevant channels of this site.


© 2024 shulou.com SLNews company. All rights reserved.
