Containers are kernel structures and userland tools that let Linux run processes in completely separate areas, that is, Virtual Environments (VE).
The separation should cover the following three aspects:
- File System (chroot)
- Process (namespaces)
- Resource (cgroups)
See also:
http://www.haifux.org/lectures/299/netLec7.pdf
NameSpaces - Processes
Currently, in Linux there are 6 namespaces:
- uts: separation of the values reported by uname
- pid: separate process ID number spaces (each namespace has its own PID numbering)
- ipc: separation of IPC structures (mainly message queues)
- mnt: isolation of mount points
- net: isolation of network resources
- user: separation of user and group IDs between the container and the host system
See also:
https://lwn.net/Articles/531114/
http://man7.org/linux/man-pages/man7/namespaces.7.html
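The six namespaces above, as an added example that is not part of these notes: a C program that clones a child into new user, uts, pid, mnt, ipc and net namespaces and checks that the child sees itself as PID 1 and that its hostname change never reaches the parent. It assumes a Linux kernel with user namespaces enabled for unprivileged processes; where the kernel refuses the clone it reports -1 instead of failing. The hostname "isolated" is a constructed sample value.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/utsname.h>
#include <sys/wait.h>

static char child_stack[1 << 20] __attribute__((aligned(16)));
struct ns_view { pid_t pid; char nodename[65]; };   /* what the child sees */
static int child_fn(void *arg)
{
    struct ns_view v = {0}; struct utsname u;
    /* The new user namespace owns the new UTS namespace, so even an unprivileged
     * child may rename it; "isolated" is a constructed sample name. */
    if (sethostname("isolated", 8) < 0 || uname(&u) < 0) return 1;
    v.pid = getpid();                   /* reads as 1 inside a fresh pid namespace */
    strncpy(v.nodename, u.nodename, sizeof v.nodename - 1);
    return write(*(int *)arg, &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1;
}

/* Run a child in new user, uts, pid, mnt, ipc and net namespaces. Returns 1 if
 * the child saw isolation, 0 if it did not, -1 if the kernel refused the clone
 * (e.g. unprivileged user namespaces disabled or blocked by seccomp). */
int demo_namespaces(struct ns_view *out)
{
    int fds[2], flags = CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWPID |
                        CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWNET | SIGCHLD;
    struct ns_view v = {0}; struct utsname here;
    if (pipe(fds) < 0) return -1;
    pid_t child = clone(child_fn, child_stack + sizeof child_stack, flags, &fds[1]);
    close(fds[1]);
    ssize_t n = child < 0 ? -1 : read(fds[0], &v, sizeof v);
    close(fds[0]);
    if (child > 0) waitpid(child, NULL, 0);
    if (n != (ssize_t)sizeof v || uname(&here) < 0) return -1;
    if (out) *out = v;
    /* Isolated: child is PID 1 and its rename never reached our UTS namespace. */
    return (v.pid == 1 && !strcmp(v.nodename, "isolated") &&
            strcmp(here.nodename, "isolated")) ? 1 : 0;
}
int main(void)
{
    struct ns_view v;
    int r = demo_namespaces(&v);
    printf("child pid=%d nodename=%s isolated=%d\n", v.pid, v.nodename, r);
    return r == 1 ? 0 : 1;
}
```

On a kernel that allows it the child prints pid=1 with the new nodename while the parent's hostname is unchanged; a -1 result means the clone was refused, which is itself a useful check of whether unprivileged user namespaces are exposed on a host.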
CGroups - Resources
Currently, in Linux there are x Control Groups:
See also:
https://lwn.net/Articles/604609/
http://man7.org/linux/man-pages/man5/systemd.cgroup.5.html
http://www.janoszen.com/2013/02/06/limiting-linux-processes-cgroups-expl...
Docker - Security