I have a docker container with a program that compiles a certain C++ code to an a.out file and then runs it.
When I run it, I see a.out in "top" outside the docker. I can even kill this process from outside docker.
Is this the expected behavior? I.e., if a process is run within docker, can it be seen and killed from outside docker? Or maybe I am using docker in the wrong way?
Unlike virtual machines, Docker isolates processes by using the Linux namespaces mechanism (and this is why we call Docker a lightweight isolation environment). There are namespaces for pid, network, uid, and some more. In this case, we care about the pid namespace.
You can find a detailed discussion in the pid_namespaces man page. Here I'm only picking out the related information:
PID namespaces can be nested: each PID namespace has a parent, except for the initial ("root") PID namespace.
A process is visible to other processes in its PID namespace, and to the processes in each direct ancestor PID namespace going back to the root PID namespace. In this context, "visible" means that one process can be the target of operations by another process using system calls that specify a process ID.
When executing the top command outside the container, you are inspecting processes from the view of the top-level (root) pid namespace.
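The following script is an added example and is not part of the original answer. It reads the NSpid field of /proc/PID/status, which lists a process's pid in every pid namespace the reader can see, outermost first. From the root namespace that makes the a.out from the question show up with two entries: its host pid (what top shows) and the pid it has inside the container. It assumes a Linux host with /proc mounted and a kernel recent enough to expose NSpid (4.1 and later); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumes a Linux host
# with /proc mounted and a kernel that exposes the NSpid field in
# /proc/PID/status (4.1 and later). Usage: sh pidns.sh [HOST_PID]

# nspid_from_status FILE
#   Print the NSpid entries of a /proc/PID/status file: the process's pid
#   in every pid namespace that the reader can see, outermost first.
nspid_from_status() {
    awk '/^NSpid:/ { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# innermost_pid_from_status FILE
#   The pid the process sees for itself inside its own namespace (this is
#   what "ps" inside the container reports).
innermost_pid_from_status() {
    nspid_from_status "$1" | awk '{ print $NF }'
}

# ns_depth_from_status FILE
#   How many pid namespaces separate the reader from the process: 1 means
#   it shares our namespace, 2 means it lives one level below us (a
#   container started from the root namespace), and so on.
ns_depth_from_status() {
    nspid_from_status "$1" | awk '{ print NF }'
}

# describe_pid HOST_PID
#   One line per host pid: host view, container view, and nesting depth.
describe_pid() {
    status="/proc/$1/status"
    [ -r "$status" ] || { echo "pid $1: not visible from this namespace"; return 1; }
    comm=$(awk '/^Name:/ { sub(/^Name:[ \t]*/, ""); print; exit }' "$status")
    printf 'host pid %s (%s): pid inside its namespace = %s, namespace depth = %s\n' \
        "$1" "$comm" "$(innermost_pid_from_status "$status")" \
        "$(ns_depth_from_status "$status")"
}

# find_by_name NAME
#   List host pids whose command name is NAME (the name "top" shows),
#   e.g. find_by_name a.out to locate the compiled program from the question.
find_by_name() {
    for d in /proc/[0-9]*; do
        [ -r "$d/status" ] || continue
        if [ "$(awk '/^Name:/ { sub(/^Name:[ \t]*/, ""); print; exit }' "$d/status")" = "$1" ]; then
            echo "${d#/proc/}"
        fi
    done
}

if [ -n "${1:-}" ]; then
    describe_pid "$1"
fi
```

Run it from the host as `sh pidns.sh $(find_by_name a.out)` style, or pass a pid by hand. A process in your own namespace reports depth 1; a process inside a container reports depth 2 with its container-local pid last, which is why the same a.out carries a different pid in top on the host and in ps inside the container, and why a signal sent to the host pid reaches it.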