Build Your Own Docker: Isolating a process [2/2]

This is the second article in a series where we’ll build a toy Docker clone in Go.

Previous article: Executing a process

Sections in this article:

• Isolating the filesystem
• Isolating the process tree
• Other types of isolation

Isolating the filesystem

Isolating the process tree

Other types of isolation

In this article, we saw how to isolate a container’s filesystem and process tree. There are other levels of isolation that Docker provides (but we won’t implement in this series), such as:

• Network. Containers can be restricted to only access a public network, and not your machine’s private network.
• Host name. Containers can be restricted to not be allowed to read/modify the host’s hostname.
• (and many more..)

Most of these are implemented using the Linux Kernel’s namespaces feature. For a more detailed analysis, read:

• Linux containers in 500 lines of code
• Build Your Own Container Using Less than 100 Lines of Go

In the next article, we’ll look at how Docker pulls images from a docker registry.