2.2.2.5 Runc Isolation Enforcement
A focused guide to Runc Isolation Enforcement, connecting core concepts with practical Docker and container operations.
Runc isolation enforcement is the combined effect of namespaces and cgroups working together, actively enforced by the Linux kernel itself for the entire lifetime of a container's process, rather than something checked only once at startup.
Enforcement Is Continuous, Not a One-Time Check
Once runc has created a container's namespaces and configured its cgroups, the kernel continuously enforces the resulting boundaries for every system call the container's process makes, for as long as that process runs — there is no point at which the isolation is "re-verified" or could lapse on its own.
docker run -d --memory=128m --name myapp myapp:1.0
docker exec myapp cat /proc/self/status
Reading the process's status from inside the running container shows the limits the kernel is enforcing on it at that moment, however long it has been running, not only the ones applied when it started.
Attempting to Exceed Namespace Boundaries
A process inside a container that attempts to access something outside its namespace's view — for instance, trying to signal a process that exists in a different PID namespace — fails at the kernel level, because the kernel itself does not expose that process as existing from the container's vantage point.
docker exec myapp kill -9 1
Issued from inside a container, this only affects process ID 1 within that container's own PID namespace, not the host's actual process ID 1, because inside that namespace process ID 1 refers to the container's own init process rather than the host's.
Privileged Containers Weaken Enforcement
Isolation enforcement can be deliberately weakened: a container started with elevated privileges can be granted additional capabilities that allow it to interact with the host system more directly, which is why such containers should be used cautiously and only when genuinely necessary.
docker run --privileged myapp:1.0
Verifying Enforcement Is in Effect
The strength of isolation enforcement for a given container can be inspected directly, by checking which capabilities and namespaces are actually active for its process.
docker inspect myapp --format '{{.HostConfig.Privileged}}'
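To show what the status output used in the earlier sections actually encodes, here is an added Python example (not part of the original guide) that parses /proc/<pid>/status text as printed by `docker exec myapp cat /proc/self/status`, decodes the CapEff capability bitmask into names, and reads the NSpid line, which records the process's PID in each nested PID namespace. It ties together the three points above: the limits are readable from the live process, the same process is PID 1 inside the container and a different PID on the host, and a privileged container's effective set grows to every capability the kernel knows. The three status samples, the container name and the PIDs are constructed for the example; the capability bit numbers and Docker's default capability list are standard Linux and Docker values.

```python
"""Decode the isolation state recorded in /proc/<pid>/status.

Added example (not from the original guide). It parses the text that
`docker exec myapp cat /proc/self/status` prints from inside a container,
or that /proc/<hostpid>/status shows on the host, and reports:
  * the PID the process holds in each nested PID namespace (NSpid line),
  * the effective capability set decoded from the CapEff hex bitmask,
  * which of those capabilities exceed Docker's default set.
Every status sample below is constructed for this example.
"""

# Linux capability names indexed by bit number (bits 0..40).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# The 14 capabilities Docker grants a non-privileged container by default.
DOCKER_DEFAULT_CAPS = frozenset({
    "chown", "dac_override", "fowner", "fsetid", "kill", "setgid", "setuid",
    "setpcap", "net_bind_service", "net_raw", "sys_chroot", "mknod",
    "audit_write", "setfcap",
})

# Constructed sample: /proc/self/status read inside a default container.
# NSpid has a single entry because the container mounted its own procfs.
STATUS_DEFAULT = ("Name:\tsh\nPid:\t12\nNSpid:\t12\n"
                  "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n")

# Constructed sample: the same read inside a `docker run --privileged` container.
STATUS_PRIVILEGED = ("Name:\tsh\nPid:\t12\nNSpid:\t12\n"
                     "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n")

# Constructed sample: the container's init as seen from the HOST's procfs.
# NSpid lists the host PID first, then PID 1 in the container's namespace.
STATUS_HOST_VIEW = ("Name:\tmyapp\nPid:\t23456\nNSpid:\t23456\t1\n"
                    "CapEff:\t00000000a80425fb\n")


def parse_status(text):
    """Split /proc/<pid>/status into a dict of field name -> value string."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(hexmask):
    """Return the capability names whose bit is set in a CapEff/CapBnd mask."""
    mask = int(hexmask, 16)
    names = set()
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            # Bits above the known table belong to newer kernels; keep the number.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
    return names


def audit_status(text):
    """Summarise the namespace and capability state recorded in a status file."""
    fields = parse_status(text)
    nspid = [int(p) for p in fields.get("NSpid", "").split()]
    effective = decode_caps(fields["CapEff"])
    return {
        # One PID per nested namespace; two entries means the process lives in
        # a child PID namespace whose PID 1 is not the host's PID 1.
        "pids_per_namespace": nspid,
        "effective_caps": effective,
        "beyond_docker_default": effective - DOCKER_DEFAULT_CAPS,
        # Heuristic: neither of these is in the default set; --privileged adds both.
        "looks_privileged": "sys_admin" in effective and "sys_module" in effective,
    }


if __name__ == "__main__":
    for label, sample in [("default", STATUS_DEFAULT),
                          ("privileged", STATUS_PRIVILEGED),
                          ("host view of init", STATUS_HOST_VIEW)]:
        report = audit_status(sample)
        print(f"{label}: PIDs {report['pids_per_namespace']}, "
              f"{len(report['effective_caps'])} caps, "
              f"extra: {sorted(report['beyond_docker_default'])}")
```

Feeding the block real output from `docker exec myapp cat /proc/self/status` gives the inside-the-container view, while the host-side sample shows why `kill -9 1` issued inside the container cannot reach the host's init: the kernel reports the same process under two PIDs, one per namespace. An empty `beyond_docker_default` set is what a correctly restricted container should show; a populated one is worth explaining in the container's run configuration.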
Why Continuous Enforcement Matters
Because enforcement happens at the kernel level for every relevant system call, container isolation does not depend on the cooperation of the application running inside the container — even a misbehaving or compromised application remains constrained by the namespaces and cgroups configured for it, as long as no privilege escalation path exists.