Build Your Own Docker: Isolating a process [2/2]
This is the second article in a series where we’ll build a toy Docker clone in Go.
Previous article: Executing a process
Sections in this article:
- Isolating the filesystem
- Isolating the process tree
- Other types of isolation
In this article, we saw how to isolate a container’s filesystem and process tree. There are other levels of isolation that Docker provides (but we won’t implement in this series), such as:
- Network. Containers can be restricted to only access a public network, and not your machine’s private network.
- Host name. Containers can be prevented from reading or modifying the host's hostname.
- (and many more.)
Most of these are implemented using the Linux kernel's namespaces feature. For a more detailed analysis, read:
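As an added example (not the series' own code), here is how these kinds of isolation map onto Linux namespaces in Go: each one is a clone(2) flag handed to the kernel through syscall.SysProcAttr, the same mechanism used for the filesystem and process-tree isolation earlier in the series. The names namespaceFlags, cloneFlagsFor and isolatedCommand are mine, not the series'.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// namespaceFlags maps each kind of isolation to the clone(2) flag that
// gives the child process a fresh Linux namespace of that type.
var namespaceFlags = map[string]uintptr{
	"mount": syscall.CLONE_NEWNS,  // own mount table (filesystem view)
	"pid":   syscall.CLONE_NEWPID, // own process tree; the child becomes PID 1
	"uts":   syscall.CLONE_NEWUTS, // own hostname, so sethostname() cannot touch the host's
	"net":   syscall.CLONE_NEWNET, // own network stack (starts with only a down loopback)
}

// cloneFlagsFor ORs together the flags for the requested isolations. An unknown
// name is an error, not a silent skip, so a typo never yields a less isolated container.
func cloneFlagsFor(kinds ...string) (uintptr, error) {
	var flags uintptr
	for _, k := range kinds {
		f, ok := namespaceFlags[k]
		if !ok {
			return 0, fmt.Errorf("unknown isolation %q", k)
		}
		flags |= f
	}
	return flags, nil
}

// isolatedCommand prepares (but does not start) a command that the kernel will
// place in fresh namespaces when it starts.
func isolatedCommand(kinds []string, name string, args ...string) (*exec.Cmd, error) {
	flags, err := cloneFlagsFor(kinds...)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command(name, args...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags: flags,
		// Unshare the mount namespace after fork as well, so mounts made inside
		// the container (e.g. /proc) do not propagate back to the host.
		Unshareflags: syscall.CLONE_NEWNS,
	}
	return cmd, nil
}
```

The series' main would build the command with isolatedCommand and call cmd.Run(); creating namespaces requires root (or CAP_SYS_ADMIN) on Linux, and this file only compiles there.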
In the next article, we'll look at how Docker pulls images from a Docker registry.