virtual machine - Docker Processes Shown on Host Process List

Question

I was setting up a Selenium server using docker, basically following this github tutorial.

I have no problem setting up the server, but I noticed that the processes that I started inside the docker image actually got shown up on my host process list.

As you can see in the screen shot, the docker ran a bash script and also executed a jar file, which I assume should only happen inside the box. Does this mean the user from the host could possibly kill a certain process outside the container which will totally screw up the world inside the box?

When I stopped the container, all the processes went away as I expected.

Is this the way Docker is designed for.. and the flawed isolation is what you have to accept in trade for the lightweight comparing with Virtualbox/Vagrant... or I am doing anything wrong?

Thanks!

Answer 1

This seems to be a common misconception about Docker being lightweight virtual machine" that is why some might expect similar behavior as VirtualBox or VMWare but just faster.

Docker does not use virtualization, so all processes run by the native host kernel just isolated from each other. Non-root user cannot kill processes inside container, but root can stop the entire container not only kill a process.

To distinguish between processes running inside container and others, run top then press shift+f and select the nsPID and nsUSER as shown in the attached screenshot.

Then you will see beside each process the namespace if it is running on the server directly this value most likely will be empty and if the process running inside a container you will see the namespace id for each container. (you can sort by the namespace to see processes in each container)