Slide 47
@k2r2bai
Current State of Container Isolation
• Namespaces: Isolate kernel data structures, such as processes, mount tables, network interfaces, and others. Not all kernel data structures have namespace isolation, such as the clock, audit logs, and keyrings.
• cgroups: Limits, controls, and accounting of compute resources and devices. Examples include limiting and accounting CPU, memory and network usage, hiding devices, and limiting the number of process IDs.
• Users: Core Linux permission model. Mostly used for filesystem permissions (DAC) and process signaling.
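The three primitives on this slide can be inspected from `/proc` on a running system, which is how a defender checks whether a process is actually isolated. The following is an added example (not from the slides or the speaker): it parses `/proc/<pid>/ns/*` link targets to find which namespaces a process still shares with another (typically the host's PID 1), reads the cgroup path from `/proc/<pid>/cgroup` (v1 and v2 formats), and combines that with the UID to flag the common case of uid 0 inside a container that shares the host's user namespace. The link targets, cgroup line and UIDs below are constructed sample values; the `read_ns_ids` helper reads the live system and simply returns an empty dict where `/proc` is absent.

```python
# Added example (not from the slides): inspect which Linux namespaces a process
# shares with another, plus its cgroup path. The parsers run on constructed data
# anywhere; only read_ns_ids() needs a Linux /proc.
import os
import re
from typing import Dict, List, Optional, Set

# /proc/<pid>/ns/<kind> is a symlink whose target looks like "net:[4026531992]".
NS_LINK = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")

# Namespace kinds the kernel exposes under /proc/<pid>/ns. Note the slide's point:
# there is no entry for things like audit or keyrings, which are not namespaced.
NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "time", "user", "uts")


def parse_ns_link(target: str) -> int:
    """Return the namespace inode number encoded in a /proc/<pid>/ns link target."""
    m = NS_LINK.match(target.strip())
    if not m:
        raise ValueError(f"not a namespace link target: {target!r}")
    return int(m.group("inode"))


def ns_ids_from_links(links: Dict[str, str]) -> Dict[str, int]:
    """Map namespace kind -> inode from {kind: link target} (readlink output)."""
    return {kind: parse_ns_link(target) for kind, target in links.items()}


def read_ns_ids(pid: str = "self") -> Dict[str, int]:
    """Read live namespace inodes from /proc (Linux only; skips kinds the kernel lacks)."""
    ids: Dict[str, int] = {}
    for kind in NS_KINDS:
        try:
            ids[kind] = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
        except (OSError, ValueError):
            continue
    return ids


def shared_namespaces(a: Dict[str, int], b: Dict[str, int]) -> Set[str]:
    """Namespace kinds in which two processes hold the same inode, i.e. are NOT isolated."""
    return {k for k in a.keys() & b.keys() if a[k] == b[k]}


def cgroup_path(cgroup_lines: List[str]) -> Optional[str]:
    """Extract the cgroup path from /proc/<pid>/cgroup content.

    cgroup v2 has a single line '0::/path'; v1 has one 'id:controllers:/path'
    line per hierarchy, and we return the path of the first hierarchy that
    names a controller."""
    for line in cgroup_lines:
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue
        hier_id, controllers, path = parts
        if hier_id == "0" and controllers == "":
            return path          # v2 unified hierarchy
        if controllers:
            return path          # v1: first controller-bearing hierarchy
    return None


def isolation_report(proc_links: Dict[str, str], host_links: Dict[str, str],
                     cgroup_lines: List[str], uid: int) -> Dict[str, object]:
    """Summarise what the three slide primitives say about one process."""
    shared = shared_namespaces(ns_ids_from_links(proc_links), ns_ids_from_links(host_links))
    return {
        "shared_with_host": sorted(shared),
        "cgroup": cgroup_path(cgroup_lines),
        # uid 0 while sharing the host's user namespace is real root, not a remapped one
        "root_in_host_userns": uid == 0 and "user" in shared,
    }


# Constructed sample data (not from a real system): link targets as readlink
# would return them for the host's init and for a containerised process that
# has its own mnt/net/pid namespaces but still uses the host user namespace.
HOST_LINKS = {"mnt": "mnt:[4026531840]", "net": "net:[4026531992]",
              "pid": "pid:[4026531836]", "user": "user:[4026531837]"}
CONTAINER_LINKS = {"mnt": "mnt:[4026532599]", "net": "net:[4026532601]",
                   "pid": "pid:[4026532603]", "user": "user:[4026531837]"}
CONTAINER_CGROUP = ["0::/system.slice/docker-EXAMPLEID.scope"]  # constructed v2 line

if __name__ == "__main__":
    print(isolation_report(CONTAINER_LINKS, HOST_LINKS, CONTAINER_CGROUP, uid=0))
    print("live namespaces of this process:", read_ns_ids())
```

On a real host, compare `read_ns_ids(pid)` for a suspect process against `read_ns_ids("1")`: every kind that comes back in `shared_namespaces` is a boundary the container runtime did not draw, and a shared `user` namespace plus uid 0 means the process's root is the host's root.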