Linux Docker containers are built on two kernel features: Linux control groups (cgroups) and namespaces. Cgroups let the kernel account for and limit the resources (CPU time, memory, number of PIDs, block I/O) that a set of processes may consume. Namespaces determine what a process can see. For example, the PID namespace restricts which processes are visible from inside a Docker container: the container's processes get their own PID numbering starting at 1, and processes belonging to the host or to other containers are not visible at all.
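Both mechanisms are visible through /proc, which is the easiest place to see them at work. The following is an added example, not code from the original article: it parses /proc/&lt;pid&gt;/cgroup (both the v1 and the unified v2 layout) to recover the cgroup a process belongs to, and the NSpid line of /proc/&lt;pid&gt;/status to tell whether a process lives in a nested PID namespace. The sample /proc contents and the container ID are constructed to resemble what a Docker container's PID 1 would show; the cgroup path patterns assumed here are the common `/docker/<id>` (v1) and `docker-<id>.scope` (systemd driver) forms.

```python
"""Inspect the cgroup and PID-namespace view of a process via /proc.

Added example (not from the original article). The sample inputs below are
constructed; run the script on a real machine to see live values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CgroupEntry:
    hierarchy_id: int
    controllers: Tuple[str, ...]  # empty tuple for the unified (v2) hierarchy
    path: str


def parse_proc_cgroup(text: str) -> List[CgroupEntry]:
    """Parse /proc/<pid>/cgroup.

    Each line is 'hierarchy-ID:controller-list:cgroup-path'. On cgroup v2 there
    is a single line of the form '0::/path' with an empty controller list.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hid, ctrls, path = line.split(":", 2)
        controllers = tuple(c for c in ctrls.split(",") if c)
        entries.append(CgroupEntry(int(hid), controllers, path))
    return entries


# Assumed Docker cgroup naming: '/docker/<id>' (cgroupfs) or 'docker-<id>.scope' (systemd).
DOCKER_CGROUP = re.compile(r"docker[/-]([0-9a-f]{12,64})")


def container_id_from_cgroup(entries: List[CgroupEntry]) -> Optional[str]:
    """Return the container ID embedded in a Docker cgroup path, or None."""
    for entry in entries:
        match = DOCKER_CGROUP.search(entry.path)
        if match:
            return match.group(1)
    return None


def parse_nspid(status_text: str) -> List[int]:
    """Return the process's PID in each PID namespace it belongs to.

    The NSpid line of /proc/<pid>/status lists the PID as seen from the
    namespace that mounted this procfs first, then in each nested namespace.
    A containerised PID 1 read from the host therefore shows e.g. '4242 1'.
    """
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(x) for x in line.split()[1:]]
    raise ValueError("no NSpid line in status text")


def in_child_pid_namespace(status_text: str) -> bool:
    """True if the process lives in a PID namespace nested below the reader's."""
    return len(parse_nspid(status_text)) > 1


# --- constructed sample data -------------------------------------------------
CONTAINER_ID = "3f1c9d2e8b7a6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d"

SAMPLE_CGROUP_V2 = f"0::/system.slice/docker-{CONTAINER_ID}.scope\n"

SAMPLE_CGROUP_V1 = (
    f"12:pids:/docker/{CONTAINER_ID}\n"
    f"11:memory:/docker/{CONTAINER_ID}\n"
    f"1:name=systemd:/docker/{CONTAINER_ID}\n"
)

# Same process, seen from the host's /proc and from the container's own /proc.
HOST_VIEW_STATUS = "Name:\tnginx\nPid:\t4242\nNSpid:\t4242\t1\n"
CONTAINER_VIEW_STATUS = "Name:\tnginx\nPid:\t1\nNSpid:\t1\n"


if __name__ == "__main__":
    # Live inspection of the current process (requires a Linux /proc).
    with open("/proc/self/cgroup") as f:
        live_entries = parse_proc_cgroup(f.read())
    with open("/proc/self/status") as f:
        live_status = f.read()
    print("cgroup paths:", [e.path for e in live_entries])
    print("docker container id:", container_id_from_cgroup(live_entries))
    print("PIDs per namespace:", parse_nspid(live_status))
```

Run inside a container, the live section shows a single NSpid value and a cgroup path carrying the container ID; run on the host against a container's PID (replace `self` with that PID) it shows two NSpid values, which is the PID namespace at work. Note that /proc/self/cgroup can be namespaced away by the cgroup namespace, so an empty or "/" path does not by itself prove the process is outside a container.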
All containers running on a cloud host share the same underlying kernel. The kernel isolates the containers from one another, which from a security standpoint is advantageous. The flip side is that the isolation is only as strong as that shared kernel: if the host operating system is compromised, every container on that host is equally at risk. The same holds in the other direction. If a container uses a vulnerable library, it can be exploited to gain a foothold inside the container, and from there an attacker may be able to reach the underlying host system.