Docker Security Analysis: Kernel Namespaces

Kernel Namespaces

Docker containers are very similar to LXC containers and implement the same security features. When you start a Docker container with docker run, Docker creates a set of namespaces and control groups for that container.
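A way to verify that the namespaces Docker set up actually isolate a container from the host, written as an added example (not code from the original page or from Docker itself). It reads the namespace links the kernel exposes under /proc/<pid>/ns; two processes are in the same namespace exactly when the inode numbers match. The container PID is assumed to come from docker inspect -f '{{.State.Pid}}' <container>, and the host reference is PID 1.

```python
"""Report which Linux namespaces a container process shares with the host.

Added example, not from the original page or from Docker's own code.
/proc/<pid>/ns/<type> is a symlink whose target reads "type:[inode]";
identical inodes mean the two processes share that namespace.
"""
import os

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def read_namespaces(pid):
    """Return {ns_type: "type:[inode]"} for a PID (or "self").
    Namespace types an older kernel does not expose are simply absent."""
    result = {}
    for ns in NS_TYPES:
        try:
            result[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            pass  # no /proc entry for this type: skip it
    return result


def shared_namespaces(container_ns, host_ns):
    """Sorted list of namespace types with identical inodes in both maps,
    i.e. the types where no isolation exists between container and host."""
    return sorted(ns for ns, link in container_ns.items()
                  if host_ns.get(ns) == link)


def isolation_report(container_pid, host_pid=1):
    """Compare a container's namespaces with the host's and return
    (isolated, shared). Needs to run on the host with permission to
    read /proc/<host_pid>/ns (normally root)."""
    container = read_namespaces(container_pid)
    host = read_namespaces(host_pid)
    shared = shared_namespaces(container, host)
    isolated = sorted(ns for ns in container if ns not in shared)
    return isolated, shared


if __name__ == "__main__":
    import sys
    # With no argument, compare the current process with PID 1 (demo only).
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    isolated, shared = isolation_report(pid)
    print("isolated from host:", ", ".join(isolated) or "none")
    print("shared with host:  ", ", ".join(shared) or "none")
```

A namespace showing up as shared is expected when a container was started with a host-sharing flag (for example --net=host) or, for the user namespace, with Docker's default configuration; anything else in the shared list deserves a look.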

How mature is the code providing kernel namespaces and private networking? Kernel namespaces were introduced between kernel version 2.6.15 and 2.6.26. This means that since July 2008 (date of the 2.6.26 release, now 5 years ago), namespace code has been exercised and scrutinized on a large number of production systems. And there is more: the design and inspiration for the namespaces code are even older. Namespaces are actually an effort to reimplement the features of OpenVZ in such a way that they could be merged within the mainstream kernel. And OpenVZ was initially released in 2005, so both the design and the implementation are pretty mature.