
Isolation in Containers

Isolation between containers is achieved with Linux namespaces.

Not fully separated virtual machines

Docker makes containers feel like separate machines, but they are not.

A container is just another process with a different set of namespaces.

Image Contents

The Docker image carries its own userspace root filesystem (rootfs): its own /bin, /lib, /usr, and /etc. When the container starts, this rootfs is mounted into a new mount namespace.

Prepare Namespaces

When a container starts, the docker binary first creates all the namespaces it needs. Each new namespace starts as a copy of the parent process's namespace.

Then it starts the container's init process. That process populates the new namespaces (for example, it mounts the rootfs and configures the network).

clone() System Call

Like the Linux fork() system call, clone() creates a new process; the container runtime uses it to start the container's first process, the app process defined in the Dockerfile.

The flags passed to clone() select which new namespaces the child process gets; any namespace not requested stays shared with the parent.

(Figure: example of namespace flags)

When you pass --network=host to the docker command, it just skips creating the network namespace.
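The mapping just described, as an added example that is not part of the original page: a hypothetical `ns_opts` struct mirrors docker run's `--network=host` style options, `namespace_flags()` turns it into clone() flags by simply leaving out the CLONE_NEW* bit for anything set to "host", and `shares_net_namespace()` clones a child and checks, via /proc/self/ns/net, whether it still shares the parent's network namespace. Creating most namespaces needs CAP_SYS_ADMIN, so run as root to see the isolated case; the shared case works unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical options, modelled on docker run's --network=host, --pid=host, etc. */
struct ns_opts { int host_network, host_pid, host_ipc, host_uts; };

/* "host" means: do not request a new namespace, so the child keeps the parent's. */
int namespace_flags(const struct ns_opts *o) {
    int flags = CLONE_NEWNS;            /* a container always gets its own mount namespace */
    if (!o->host_network) flags |= CLONE_NEWNET;
    if (!o->host_pid)     flags |= CLONE_NEWPID;
    if (!o->host_ipc)     flags |= CLONE_NEWIPC;
    if (!o->host_uts)     flags |= CLONE_NEWUTS;
    return flags;
}

/* Child: compare its own net namespace link with the one the parent saw. */
static int child(void *arg) {
    char mine[64] = {0};
    if (readlink("/proc/self/ns/net", mine, sizeof mine - 1) < 0) return 2;
    return strcmp(mine, (const char *)arg) == 0 ? 0 : 1;   /* 0 = shared, 1 = separate */
}

/* Returns 1 if the cloned child shares the parent's network namespace, 0 if it got
 * its own, -1 if clone() failed (e.g. EPERM without CAP_SYS_ADMIN). */
int shares_net_namespace(int flags) {
    static char stack[64 * 1024];
    char parent_ns[64] = {0};
    if (readlink("/proc/self/ns/net", parent_ns, sizeof parent_ns - 1) < 0) return -1;
    pid_t pid = clone(child, stack + sizeof stack, flags | SIGCHLD, parent_ns);
    if (pid < 0) return -1;
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : (WEXITSTATUS(status) == 1 ? 0 : -1);
}

int main(void) {
    struct ns_opts defaults = {0}, host_net = { .host_network = 1 };
    int isolated = namespace_flags(&defaults), shared = namespace_flags(&host_net);
    printf("default flags 0x%x, --network=host flags 0x%x\n", isolated, shared);
    printf("no new namespaces -> shares net ns: %d\n", shares_net_namespace(0));
    int r = shares_net_namespace(CLONE_NEWNET);           /* needs CAP_SYS_ADMIN */
    if (r < 0) printf("clone(CLONE_NEWNET) failed: %s\n", strerror(errno));
    else printf("CLONE_NEWNET -> shares net ns: %d\n", r);
    return 0;
}
```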

Kernel Dependency

A container has no kernel of its own. It runs only on a host whose kernel it was built for: the host kernel is the one executing everything inside the container.

Own rootfs

The container has its own rootfs, but every system call made by the binaries in that rootfs is still handled by the host kernel.

Container Creation Process

(Figure: container creation process)