undefined | Better HN

0 pointsj4hdufd84y ago0 comments

> All Linux containers leak the host kernel no?

Curious in what way?

0 comments

See any explanation of what a linux container is[0]. Containers in linux are a patchwork of various features that "contain" a process group in different ways while sharing the kernel with the rest of the system.

Running either of

    docker run --rm --entrypoint /bin/uname alpine:latest -a

    uname -a

gives you the same kernel version. The only difference will be in the hostname.

[0]: https://embeddedbits.org/introduction-linux-containers/

IceWreck4y ago

That's the difference between a container and a VM. VM runs its own kernel. A container relies on the host kernel and the host machine's kernel does all the scheduling, memory management, etc.

pmontra4y ago

See the other replies and if you're on Linux run

  ps -ef

on the host and you'll see the processes in the containers too. That doesn't happen if those processes run in a VM.

mkdirp4y ago

This is by design. The kernel still runs the processes inside the container. If you namespace the user running `ps`, it will not be able to see the container processes. The only reason you're seeing them is because you're in the default (root?) namespace.

The container on the other hand cannot see the host's processes or other things. At least not without an exploit.

j / k navigate · click thread line to collapse