Container

• isolated execution environments leveraging two key kernel features: cgroups and namespaces.
• cgroups (control groups) govern and isolate resource usage for processes.
  • Processes are organized hierarchically into cgroups.
  • Each cgroup enforces limits on resources like CPU time, memory, network bandwidth, and I/O.
• Namespaces provide process isolation by creating virtual views of system resources.

Containers utilize both cgroups and namespaces to create isolated environments.

1. Namespaces isolate: Processes, network resources, mount points, etc., creating the perception of a separate system.
2. cgroups limit and manage: Resource utilization within these isolated namespaces, ensuring predictable behavior.

• Container security relies heavily on the Linux kernel. Kernel vulnerabilities can impact container isolation.
• While providing strong isolation, containers are not virtual machines. They share the host kernel, unlike VMs which have their own kernel.
• managing multiple containers can be a task in itself, especially in a distributed context. checkout orchestration.