Why can I see the docker container process when I do a "ps aux" on the host?

Question

From the host:

ps aux | grep java

me@my-host:~/elastic-search-group$ ps aux | grep java
smmsp    20473  106  6.3 4664740 257368 ?      Ssl  17:48   0:09 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true -Des.path.home=/usr/share/elasticsearch -cp /usr/share/elasticsearch/lib/elasticsearch-2.3.4.jar:/usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch start

Then exec into the container:

docker exec -it 473 /bin/bash

And look at the processes:

root@473c4548b06f:/usr/share/elasticsearch# ps aux | grep java                                                                                                               
elastic+     1 14.0  6.3 4671936 257372 ?      Ssl  17:48   0:10 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true -Des.path.home=/usr/share/elasticsearch -cp /usr/sh

From the host:

sudo kill -9 20473

ends up killing the docker container.

Now, I may be mistaken, but I thought there was complete process segregation? Is this supposed to bleed out to the host?

Answer 1

The container is isolated from the host, the host is not isolated from the container. So from the host, you can see the files, network connections, network interfaces, processes, etc, that are used inside the container. But from the container, you can only see what's in the container (barring any privilege escalation configured in the run command).