What resources cannot be isolated by docker

Docker (or Docker container) is a popular open source virtualization platform that allows applications to run in an isolated environment called a container. Docker's isolation helps us run multiple applications on the same machine without conflicts.

However, Docker is not perfect. Although Docker containers have very good isolation, they cannot isolate all resources. This article will discuss resources that Docker cannot isolate.

1. Memory

Memory is a resource that Docker cannot completely isolate. In Docker, each container can set its own memory limit so that it does not use more memory. However, if too much memory is used by other processes on the system, the performance of the Docker container may suffer. When Docker containers use less memory than they need, they start swapping memory, which results in very poor performance.

2. Hard Disk

Similar to memory, Docker containers cannot completely isolate hard disks. If a Docker container needs to access the local file system, it needs to create a directory and establish a share on the host operating system. Therefore, if other processes in the system generate intensive disk access, this may affect the performance of the Docker container.

3. Network

Docker containers can use their own network, but they cannot completely isolate the host network. This is because Docker containers may communicate with other containers or the host. Additionally, applications running in containers may require external access to services stored on the host machine, such as databases or caches. These network connections can be interfered with by other processes, causing performance issues for the container.

4. CPU

Docker itself does not limit CPU usage, but it can limit the CPU usage of each container by setting a CPU limit. However, if other processes on the system are using too much CPU resources, this will affect the performance of the Docker container. In this case, the container may experience delays and slowdowns.

5. Real-time

Real-time is also another important aspect that Docker containers cannot isolate. Docker's isolation is achieved through the "namespace" and "Cgroups" functions in the Linux kernel. This isolation mechanism is not real-time in nature. This means that in situations where other processes generate severe load, the performance of Docker containers may be affected to varying degrees.

Summary

Although Docker is a popular virtualization platform, it also has some shortcomings. It cannot isolate all resources, such as memory, hard disk, network, CPU and real-time. Although these resources cannot be completely isolated, Docker containers can still provide us with a highly isolated environment to run multiple applications and avoid conflicts between them. We can avoid the impact of these resource issues on Docker containers by better planning operating system resources.

The above is the detailed content of What resources cannot be isolated by docker. For more information, please follow other related articles on the PHP Chinese website!