> For the complete documentation index, see [llms.txt](https://philipzheng.gitbook.io/docker_practice/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://philipzheng.gitbook.io/docker_practice/security/kernel_ns.md). # 核心命名空間 Docker 容器和 LXC 容器很相似,所提供的安全特性也差不多。當用 `docker run` 啟動一個容器時,在後臺 Docker 為容器建立了一個獨立的命名空間和控制組集合。 命名空間提供了最基礎也是最直接的隔離,在容器中執行的程式不會被執行在主機上的程式和其它容器發現和作用。 每個容器都有自己獨有的網路堆疊,意味著它們不能存取其他容器的 sockets 或介面。不過,如果主機系統上做了相應的設定,容器可以像跟主機互動一樣的和其他容器互動。當指定公共連接埠或使用 links 來連線 2 個容器時,容器就可以相互通訊了(可以根據設定來限制通訊的策略)。 從網路架構的角度來看,所有的容器透過本地主機的橋接器介面相互通訊,就像物理機器透過物理交換機通訊一樣。 那麽,核心中實作命名空間和私有網路的代碼是否足夠成熟? 核心命名空間從 2.6.15 版本(2008 年 7 月發布)之後被引入,數年間,這些機制的可靠性在諸多大型生產系統中被實踐驗證。 實際上,命名空間的想法和設計提出的時間要更早,最初是為了在核心中引入一種機制來實作 [OpenVZ](http://en.wikipedia.org/wiki/OpenVZ) 的特性。 而 OpenVZ 專案早在 2005 年就發布了,其設計和實作都已經十分成熟。 --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://philipzheng.gitbook.io/docker_practice/security/kernel_ns.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.