Imagine two containers, Container A and Container B, both running on the same host.
> Both containers have their own network namespaces. Container A might have an IP address of 172.17.0.2, while Container B has 172.17.0.3. The host system might have a different IP entirely.
> Both containers have their own mount namespaces. They each have a root file system that appears to be the entire system to them, but in reality, these are just directories on the host.
> Both containers have their own PID namespaces. The process with PID 1 inside Container A is a different process from PID 1 on the host or in Container B.
> Both containers have their own Cgroup namespaces to control resource allocation (CPU, memory, I/O). This prevents one container from monopolizing resources and affecting the performance of the other container.
Control Groups (cgroups) manage and limit the resources (CPU, memory, disk I/O, etc.) that containers can use but do not provide isolation for the network stack.
Namespaces are the kernel feature that provides isolation for various system resources, including the network stack. Each container can have its own set of network interfaces, routing tables, and port spaces, ensuring that network operations within one container do not affect others or the host.
Union File Systems create a layered view of the file system, allowing containers to share a base image while having their own writable layer for changes. They don't handle network isolation.
SELinux (Security-Enhanced Linux) provides mandatory access control, enhancing security by defining fine-grained rules for process access to system resources. While it can interact with network resources, it's not the primary mechanism for network stack isolation in containers.
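The namespace point above can be checked directly from `/proc`: every process exposes its namespaces as symlinks under `/proc/<pid>/ns/`, and two processes share a namespace exactly when those links resolve to the same identifier. The bash script below is an added example, not part of the original page; it compares a process against a reference process (PID 1 by default) for the four namespace types discussed, which is a quick way to spot a container that was started with the host's network or PID namespace. It assumes a Linux host with `/proc` mounted and read access to the PIDs being compared.

```bash
#!/usr/bin/env bash
# Added example: inspect namespace membership via /proc/<pid>/ns/<type>.
# readlink returns a string such as "net:[4026531840]"; equal strings mean
# the two processes share that namespace (no root needed for your own PIDs).

# Print the namespace identifier of <type> (net, mnt, pid, cgroup, ...) for <pid>.
ns_id() {
    local pid="$1" type="$2"
    readlink "/proc/${pid}/ns/${type}" 2>/dev/null
}

# same_ns <pid_a> <pid_b> <type>
# Returns 0 if both PIDs are in the same <type> namespace, 1 if they differ,
# and 2 if either namespace link could not be read (missing PID or permission).
same_ns() {
    local a b
    a=$(ns_id "$1" "$3") || return 2
    b=$(ns_id "$2" "$3") || return 2
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# report_shared_ns <pid> [<reference_pid>]
# For the four namespace types from the page, print whether <pid> shares each
# one with the reference (default PID 1, i.e. init when run on the host).
report_shared_ns() {
    local pid="$1" ref="${2:-1}" type rc
    for type in net mnt pid cgroup; do
        # Run the check inside an 'if' so a non-zero status does not trip set -e.
        if same_ns "$pid" "$ref" "$type"; then rc=0; else rc=$?; fi
        case "$rc" in
            0) printf '%-6s %s shares the namespace with %s\n' "$type" "$pid" "$ref" ;;
            1) printf '%-6s %s is isolated from %s\n' "$type" "$pid" "$ref" ;;
            *) printf '%-6s unreadable for %s or %s\n' "$type" "$pid" "$ref" ;;
        esac
    done
}

# Usage: compare the current shell with PID 1 (run on the host, or inside a
# container to see which namespaces the container runtime actually separated).
report_shared_ns "$$" 1
```

A container that reports "shares the namespace" for `net` was started with the host network stack (for example `--network host`), so the per-container interfaces, routing tables and port spaces described above do not apply to it.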