What makes a process a container to the kernel
WHAT IT TESTS: container internals beyond the basics. OUTLINE: namespaces isolate and cgroups limit, but a container also has a restricted capability set, a seccomp filter, a root filesystem switched in via the mount namespace and pivot_root, and SELinux/AppArmor labels.
WHAT IT TESTS: depth on how the kernel views a container. ANSWER OUTLINE: a container is an ordinary process that the kernel has decorated. Namespaces give it isolated views and cgroups cap its resources, but beyond that it also has a restricted capability set, a seccomp filter limiting which syscalls it may make, a pivoted root filesystem set up via a mount namespace and pivot_root, and MAC labels from SELinux or AppArmor. It shares the host kernel; there is no separate OS. RED FLAG: stopping at namespaces and cgroups, or implying a guest kernel as in a VM.
- #containers
- #linux
- #namespaces
- #cgroups
- #security