Joseph Hwang

Reputation: 334

Is a docker container completely isolated from the outside of the container?

I wonder whether things like shell script execution can affect the outside of the container. For example, let's say I want to save a file on the host machine from inside the container, without using docker volumes or mounts. Can that be done? Or let's say I want to kill a process that is running on the host machine with shell commands from inside the container. Can that be done?

Upvotes: 2

Views: 1766

Answers (2)

Hugo Lesta

Reputation: 789

No, that is not possible: a docker container environment is completely isolated from the host. The only way to change files on the host is by mounting a volume from the host into the container. You can kill an external PID, but it's not a common practice.

Docker takes advantage of Linux namespaces to provide the isolated workspace we call a container. When a container is deployed, Docker creates a set of namespaces for that specific container, isolating it from all the other running containers. The various namespaces created for a container include:

  • PID Namespace: Whenever a program starts, it is assigned a unique ID number within the namespace, which is different from the one on the host system. Each container has its own set of PID namespaces for its processes.
  • MNT Namespace: Each container is provided its own namespace for mount directory paths.
  • NET Namespace: Each container is provided its own view of the network stack avoiding privileged access to the sockets or interfaces of another container.
  • UTS Namespace: This provides isolation between the system identifiers; the hostname and the NIS domain name.
  • IPC Namespace: The inter-process communication (IPC) namespace creates a grouping where containers can only see and communicate with other processes in the same IPC namespace.

Containers allow developers to package large or small amounts of code and their dependencies together into an isolated package. This model then allows multiple isolated containers to run on the same host, resulting in better usage of hardware resources, and decreasing the impact of misbehaving applications on each other and their host system.

I hope it may help you.

Upvotes: 2

anemyte

Reputation: 20296

You cannot modify host files without mounting them inside the container, though you can mount the entire root inside (e.g. -v /:/host). As for killing host processes, it is possible if you run the container with host PID mode: docker run --pid=host ....

Upvotes: 2
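Both answers say the same thing from opposite sides: the namespaces keep the host out of reach unless the operator hands part of it back in with -v /:/host, a docker.sock bind mount, or --pid=host. The script below is an added example (not code from either answer) that audits, from inside a running container, which of those doors are open. It reads /proc/self/mountinfo (format per proc(5)) to find host filesystems bind-mounted in, and /proc/self/ns/* to see whether the process still sits in one of the kernel's initial namespaces. The SAMPLE_MOUNTINFO text is constructed, not a real capture; the inode constants are the PROC_*_INIT_INO values from the kernel's include/linux/proc_ns.h (mnt and net init namespaces get dynamically allocated inodes, so they are deliberately not in the table).

```python
"""Check, from inside a container, how much of the host it can reach.

Pure functions take text so they can be exercised on constructed samples;
main() runs them against the live /proc of the current process.
"""
from __future__ import annotations
import os
from dataclasses import dataclass

# Filesystem types that belong to the container's own namespaces, not to a host disk.
CONTAINER_FS = {"overlay", "proc", "sysfs", "tmpfs", "devpts", "mqueue",
                "cgroup", "cgroup2", "devtmpfs", "securityfs", "shm"}
# Docker itself bind-mounts these three files from the host; they are not operator volumes.
DOCKER_MANAGED = {"/etc/resolv.conf", "/etc/hostname", "/etc/hosts"}

# Inode numbers the kernel hard-codes for the *initial* namespaces
# (PROC_*_INIT_INO in include/linux/proc_ns.h). A process whose
# /proc/self/ns/<kind> link carries one of these is in the host's namespace.
INIT_NS_INO = {
    "ipc": 0xEFFFFFFF, "uts": 0xEFFFFFFE, "user": 0xEFFFFFFD,
    "pid": 0xEFFFFFFC, "cgroup": 0xEFFFFFFB,
}

@dataclass
class Mount:
    root: str    # path within the source filesystem that was mounted
    point: str   # where it appears in this mount namespace
    fstype: str
    source: str

def parse_mountinfo(text: str) -> list[Mount]:
    """Parse /proc/self/mountinfo lines; fields after ' - ' are fstype, source, opts."""
    mounts = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 5 or len(post_fields) < 2:
            continue
        # mountinfo escapes spaces in paths as \040
        root = pre_fields[3].replace("\\040", " ")
        point = pre_fields[4].replace("\\040", " ")
        mounts.append(Mount(root, point, post_fields[0], post_fields[1]))
    return mounts

def host_exposure(mounts: list[Mount]) -> dict[str, list[str]]:
    """Classify mounts that give the container a handle on the host."""
    findings: dict[str, list[str]] = {"host_root": [], "host_path": [], "docker_socket": []}
    for m in mounts:
        if m.point == "/" or m.point in DOCKER_MANAGED:
            continue
        if m.point.endswith("docker.sock") or m.root.endswith("docker.sock"):
            findings["docker_socket"].append(m.point)      # full control of the daemon
        elif m.fstype not in CONTAINER_FS:
            if m.root == "/":
                findings["host_root"].append(m.point)      # e.g. -v /:/host
            else:
                findings["host_path"].append(f"{m.root} -> {m.point}")
    return findings

def ns_id(link: str) -> int:
    """Extract the inode from a ns link target such as 'pid:[4026531836]'."""
    return int(link.partition(":[")[2].rstrip("]"))

def host_namespaces(links: dict[str, str]) -> list[str]:
    """Namespace kinds in which the process shares the host's initial namespace."""
    return sorted(k for k, v in links.items()
                  if k in INIT_NS_INO and ns_id(v) == INIT_NS_INO[k])

def read_ns_links(pid: str = "self") -> dict[str, str]:
    base = f"/proc/{pid}/ns"
    return {k: os.readlink(f"{base}/{k}") for k in os.listdir(base)}

# Constructed sample (not a real capture) of /proc/self/mountinfo from a container
# started with -v /:/host -v /var/run/docker.sock:/var/run/docker.sock -v /home/joe/app/config:/app/config:ro
SAMPLE_MOUNTINFO = """\
530 420 0:85 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/ABC
531 530 0:88 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
532 530 0:89 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
533 530 0:90 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
534 530 8:1 / /host rw,relatime - ext4 /dev/sda1 rw
535 530 0:24 /docker.sock /var/run/docker.sock rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
536 530 8:1 /var/lib/docker/containers/1a2b/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda1 rw
537 530 8:1 /home/joe/app/config /app/config ro,relatime - ext4 /dev/sda1 rw
"""

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as f:
        exposure = host_exposure(parse_mountinfo(f.read()))
    print("host namespaces shared:", host_namespaces(read_ns_links()) or "none")
    for kind, hits in exposure.items():
        print(f"{kind}: {hits or 'none'}")
```

Run it inside a container started plainly and every line reports "none"; start the same image with -v /:/host and host_root lists /host, with --pid=host and "pid" appears in the shared-namespace list (which is exactly what lets kill reach host processes). Note that a private PID namespace hides host PIDs entirely, so PID 1 inside the container is not the host's init; comparing against the kernel's fixed initial-namespace inodes is what makes the check work without any host-side reference.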
