Container Isolation — What Separates Containers From Each Other
What Is Container Isolation in Simple Terms?
Container isolation is the set of boundaries Docker creates around each container process. These boundaries are implemented by the Linux kernel using two technologies: namespaces (which control what the process can see) and cgroups (which control what resources it can use).
The important thing to understand: containers are NOT virtual machines. They share the host kernel. The isolation is real and effective for most purposes, but it is not as complete as VM isolation.
```
+------------------------------------------+
| Virtual Machine Isolation                |
| Complete OS boundary                     |
| Different kernel per VM                  |
| Kernel exploit in one VM:                |
|   cannot affect other VMs                |
| Escape difficulty: very high             |
+------------------------------------------+

+------------------------------------------+
| Container Isolation                      |
| Namespace + cgroup boundary              |
| Shared kernel                            |
| Kernel exploit:                          |
|   could affect all containers on host    |
| Escape difficulty: moderate              |
| But: more than enough for most workloads |
+------------------------------------------+
```

The Six Namespaces Docker Uses
```bash
# PID namespace — container has its own process tree
# Container sees PID 1 (nginx), host sees PID 12345
docker exec my-nginx ps aux
# PID 1 = nginx master

ps aux | grep nginx
# PID 12345 = nginx master (same process, different view)

# NET namespace — container has own network interfaces
docker exec my-nginx ip addr
# eth0: 172.17.0.2 <- container sees its own interface

ip addr   # on host
# docker0: 172.17.0.1 <- host sees bridge interface

# MNT namespace — container has own filesystem view
# /etc/nginx/nginx.conf exists in container
# same path does not exist on host

# UTS namespace — container has own hostname
docker exec my-nginx hostname
# a84f9c2b1d3e <- container ID as hostname

hostname   # on host
# prod-server-01
```

cgroups — Resource Isolation
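The commands above show the two views side by side; the script below, added here as an example and not part of the original page, turns that into a check you can run on a host. The kernel exposes each process's namespace memberships as links under `/proc/<pid>/ns/`, and two processes share a namespace exactly when those links resolve to the same identity. It goes beyond the four namespaces shown above and also reports ipc, user and cgroup. The container name `my-nginx` is the page's hypothetical example; `docker inspect --format '{{.State.Pid}}'` is the real Docker template for a container's host-side PID.

```shell
#!/bin/sh
# Added example: confirm that a container process really lives in its own
# kernel namespaces by comparing namespace identities under /proc.
# Constructed for this page; "my-nginx" is the page's hypothetical container.

# ns_id PID TYPE -> the namespace identity, e.g. "net:[4026531840]".
# Two processes print the same string only if they share that namespace.
# Reading /proc/PID/ns/* requires permission to inspect PID (root, or the
# same user), so this prints nothing when access is denied or PID is gone.
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null
}

# same_ns PID_A PID_B TYPE -> "yes" when both share the namespace, else "no"
# (including when either identity could not be read).
same_ns() {
    a=$(ns_id "$1" "$3")
    b=$(ns_id "$2" "$3")
    if [ -n "$a" ] && [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

# isolation_report PID: for each namespace type, whether PID shares it with
# the host's init (PID 1). For a default Docker container expect "no" for
# pid, net, mnt, uts and ipc, and "yes" for user unless user-namespace
# remapping is enabled. cgroup is listed too: on cgroup v2 hosts Docker
# gives containers a private cgroup namespace by default.
isolation_report() {
    for t in pid net mnt uts ipc user cgroup; do
        printf '%-7s shared with host: %s\n' "$t" "$(same_ns 1 "$1" "$t")"
    done
}

# On a Docker host, as root (the shared kernel shows through here too:
# "docker exec my-nginx uname -r" prints the host's kernel release):
#   pid=$(docker inspect --format '{{.State.Pid}}' my-nginx)
#   isolation_report "$pid"

# Stand-alone, without Docker, you can still list the identities of your own shell:
for t in pid net mnt uts ipc user cgroup; do ns_id "$$" "$t"; done
```

The `user` line is the one worth watching: without user-namespace remapping, root inside the container is the same UID 0 the host kernel sees, which is why the page's point that the kernel itself is shared matters for untrusted workloads.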
```bash
# Set memory and CPU limits
docker run -d \
  --memory=512m \
  --cpus=1.5 \
  payment-api:latest

# Kernel enforces these limits
# Memory exceeded: process killed (OOMKill)
# CPU exceeded: process throttled

# Verify cgroup limits are set
# (cgroup v1 path; on a cgroup v2 host the same value is in the container's
#  cgroup directory as memory.max, with "max" meaning no limit)
cat /sys/fs/cgroup/memory/docker/$(docker inspect \
  --format '{{.Id}}' payment-api)/memory.limit_in_bytes
# 536870912 = 512MB
```

Isolation Limitations
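The `cat` above works on cgroup v1 hosts; most current distributions mount cgroup v2, where the file is `memory.max` and the directory layout depends on Docker's cgroup driver. The script below is an added example, not code from the page or from Docker, that reads the limit back on either layout and compares it with the value passed to `--memory`, so a deployment check can fail when the kernel is not actually enforcing what was requested. The container name `payment-api` comes from the page; the three candidate cgroup paths are the systemd-driver v2 layout, the cgroupfs-driver v2 layout and the v1 layout shown above; the `demo` directories are constructed stand-ins for real cgroup files.

```shell
#!/bin/sh
# Added example: read back the memory limit Docker set for a container on
# either a cgroup v1 or a cgroup v2 host. Written for this page; the
# container name "payment-api" comes from the page, the demo directories
# are constructed here and stand in for real cgroup files.

# to_bytes SIZE: convert an integer Docker --memory value with an optional
# k/m/g suffix (512m, 2g, 1024k, 4096) to bytes, the unit the cgroup files use.
to_bytes() {
    n=${1%[kKmMgG]}
    case "$1" in
        *[kK]) echo $((n * 1024)) ;;
        *[mM]) echo $((n * 1024 * 1024)) ;;
        *[gG]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# mem_limit CGROUP_DIR: print the limit in bytes, or "unlimited".
# cgroup v2 exposes memory.max and holds "max" when no limit is set;
# cgroup v1 exposes memory.limit_in_bytes and holds a value just under
# 2^63 (the largest page-aligned number) when no limit is set.
mem_limit() {
    if [ -r "$1/memory.max" ]; then
        v=$(cat "$1/memory.max")
        if [ "$v" = "max" ]; then echo unlimited; else echo "$v"; fi
    elif [ -r "$1/memory.limit_in_bytes" ]; then
        v=$(cat "$1/memory.limit_in_bytes")
        if [ "$v" -ge 9223372036854771712 ]; then echo unlimited; else echo "$v"; fi
    else
        echo "no memory controller files in $1" >&2
        return 1
    fi
}

# limit_matches CGROUP_DIR SIZE: "ok" if the kernel holds exactly the limit
# you asked Docker for, "mismatch" otherwise. Use it as a post-deploy check.
limit_matches() {
    if [ "$(mem_limit "$1")" = "$(to_bytes "$2")" ]; then echo ok; else echo mismatch; fi
}

# container_cgroup_dir NAME: locate the container's cgroup on a Docker host.
# First path: cgroup v2 with the systemd cgroup driver; second: cgroup v2
# with the cgroupfs driver; third: the cgroup v1 layout the page uses.
container_cgroup_dir() {
    id=$(docker inspect --format '{{.Id}}' "$1") || return 1
    for d in "/sys/fs/cgroup/system.slice/docker-$id.scope" \
             "/sys/fs/cgroup/docker/$id" \
             "/sys/fs/cgroup/memory/docker/$id"; do
        if [ -d "$d" ]; then echo "$d"; return 0; fi
    done
    echo "cgroup directory for $1 not found" >&2
    return 1
}

# demo: constructed cgroup directories so the functions run without a
# Docker daemon. On a real host you would instead run:
#   limit_matches "$(container_cgroup_dir payment-api)" 512m
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/v2" "$tmp/v2-nolimit" "$tmp/v1"
    to_bytes 512m > "$tmp/v2/memory.max"               # what --memory=512m produces on v2
    echo max > "$tmp/v2-nolimit/memory.max"            # container started without --memory
    echo 536870912 > "$tmp/v1/memory.limit_in_bytes"   # the same limit on a v1 host
    for d in v2 v2-nolimit v1; do
        printf '%-11s limit=%s check=%s\n' "$d" "$(mem_limit "$tmp/$d")" \
            "$(limit_matches "$tmp/$d" 512m)"
    done
    rm -rf "$tmp"
}

demo
```

The `v2-nolimit` case is the one the check exists for: a container started without `--memory` reports `unlimited`, and on a shared host that is a missing boundary rather than a generous one.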
What containers DO isolate:

- Filesystem (each container has its own view)
- Network (each container has its own interfaces)
- Processes (containers cannot see each other's processes)
- Hostname (each container has its own hostname)
- Resources (cgroups limit CPU and memory)

What containers do NOT isolate:

- The Linux kernel (shared by all containers)
- Kernel vulnerabilities (affect all containers on host)
- Time (containers share host clock)
- System calls (containers use host kernel syscalls)

COMMON MISTAKE / WARNING

**Security:** Container isolation is sufficient for running trusted workloads on a shared host. For running untrusted code (like user-submitted programs), consider stronger isolation: gVisor (Google's container runtime with its own kernel), Kata Containers (lightweight VMs), or Firecracker (microVMs used by AWS Lambda and Fargate). These provide VM-level isolation with container-level startup speed.