Why can I see the docker container process when I do a "ps aux" on the host?


Problem description

From the host:

ps aux | grep java

me@my-host:~/elastic-search-group$ ps aux | grep java
smmsp    20473  106  6.3 4664740 257368 ?      Ssl  17:48   0:09 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true -Des.path.home=/usr/share/elasticsearch -cp /usr/share/elasticsearch/lib/elasticsearch-2.3.4.jar:/usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch start

Then exec into the container:

docker exec -it 473 /bin/bash

Look at the process:

root@473c4548b06f:/usr/share/elasticsearch# ps aux | grep java                                                                                                               
elastic+     1 14.0  6.3 4671936 257372 ?      Ssl  17:48   0:10 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true -Des.path.home=/usr/share/elasticsearch -cp /usr/sh

From the host:

sudo kill -9 20473

ends up killing the docker container.

Now, I may be mistaken, but I thought there was complete process segregation? Is this supposed to bleed out to the host?

Recommended answer

The container is isolated from the host, the host is not isolated from the container. So from the host, you can see the files, network connections, network interfaces, processes, etc, that are used inside the container. But from the container, you can only see what's in the container (barring any privilege escalation configured in the run command).
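
The host-side view the answer describes can be checked from /proc. As an added example (not part of the original question or answer), this script maps a host PID to its PID inside the container using the NSpid field, the PID-namespace link and the cgroup path; the sample /proc tree, namespace inode numbers and zero-padded container ID are constructed.

```shell
#!/bin/sh
# Added example: resolve a host PID to its PID inside a container.
# Each function takes an optional proc root (default /proc) so it can run
# against the constructed tree below. On a live host, run as root.

# Innermost-namespace PID: last value on the NSpid line (Linux 4.1+).
pid_in_container() {
    awk '$1 == "NSpid:" { print $NF }' "${2:-/proc}/$1/status"
}

# First 64-hex container ID in the cgroup path (empty if none).
container_id() {
    grep -oE '[0-9a-f]{64}' "${2:-/proc}/$1/cgroup" | head -n 1
}

# True when the PID lives in a different PID namespace than PID 1.
in_child_pidns() {
    [ "$(readlink "${2:-/proc}/$1/ns/pid")" != "$(readlink "${2:-/proc}/1/ns/pid")" ]
}

describe_pid() {
    pid=$1 root=${2:-/proc}
    if in_child_pidns "$pid" "$root"; then
        id=$(container_id "$pid" "$root" | cut -c1-12)
        echo "host_pid=$pid container_pid=$(pid_in_container "$pid" "$root") container=$id"
    else
        echo "host_pid=$pid namespace=host"
    fi
}

# Constructed sample: host PID 20473 is PID 1 in container 473c4548b06f.
# Namespace inode numbers and the padded 64-character ID are made up.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/1/ns" "$d/20473/ns"
    ln -s 'pid:[4026531836]' "$d/1/ns/pid"
    ln -s 'pid:[4026532456]' "$d/20473/ns/pid"
    printf 'Name:\tsystemd\nNSpid:\t1\n' > "$d/1/status"
    printf 'Name:\tjava\nNSpid:\t20473\t1\n' > "$d/20473/status"
    printf '0::/\n' > "$d/1/cgroup"
    printf '0::/docker/473c4548b06f%052d\n' 0 > "$d/20473/cgroup"
    echo "$d"
}

sample=$(make_sample_proc)
describe_pid 20473 "$sample"   # container process as seen from the host
describe_pid 1 "$sample"       # host init, for contrast
rm -rf "$sample"
```

On a live host, `describe_pid 20473` with no second argument reads the real /proc.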
