I'm trying to learn the basics about containers (Docker in this case). As far as I learn from the Docker doc and several readings, Docker basically provides isolation by running the container using runc (previously using LXC). Either ways it uses the same kernel as the host machine. Thus, the container image needs to be compatible with the host kernel. I find this very similar to what a chroot does. Could somebody explain to me any differences and/or advantages on using Docker rather than chroot? (besides the extras provided by Docker as packaging, docker-hub, and all the nice features provided by Docker)
Answer
Docker allows to isolate a process at multiple levels through namespaces:
- mnt namespace provides a root filesystem (this one can be compared to chroot I guess)
- pid namespace so the process only sees itself and its children
- network namespace which allows the container to have its dedicated network stack
- user namespace (quite new) which allows a non root user on a host to be mapped with the root user within the container
- uts provides dedicated hostname
- ipc provides dedicated shared memory
All of this adds more isolation than chroot provides