when we pull ubuntu image then it have different kernel
不,它没有:它没有内核部分:它依赖于所有system calls的主机内核(运行docker引擎的内核).
Initially Docker was built as an abstraction layer on top of Linux Containers (LXC). LXC itself is a just an API for the Linux containment features.
Starting with Docker 0.9, LXC is not the default anymore and has been replaced with a custom library (libcontainer) written in Go. Overall libcontainer’s advantage is a more consistent interface to the Kernel across various Linux distributions. The only gotcha is that it requires Linux 3.8 and higher.
Containers are the products of operating system virtualization. They provide a lightweight virtual environment that groups and isolates a set of processes and resources such as memory, CPU, disk, etc., from the host and any other containers.
The isolation guarantees that any processes inside the container cannot see any processes or resources outside the container.
OS containers are virtual environments that share the kernel of the host operating system but provide user space isolation
如果需要更多隔离,请考虑gVisor(https://github.com/google/gvisor),这是一个容器沙箱运行时,专注于安全性,效率和易用性. (2018).
见架构:
gVisor intercepts application system calls and acts as the guest kernel, without the need for translation through virtualized hardware.
gVisor may be thought of as either a merged guest kernel and VMM, or as seccomp on steroids.
This architecture allows it to provide a flexible resource footprint (i.e. one based on threads and memory mappings, not fixed guest physical resources) while also lowering the fixed costs of virtualization.
However, this comes at the price of reduced application compatibility and higher per-system call overhead.