Why can I see the docker container process when I do a “ps aux” on the host?

From the host:

ps aux | grep java

me@my-host:~/elastic-search-group$ ps aux | grep java
smmsp    20473  106  6.3 4664740 257368 ?      Ssl  17:48   0:09 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true -Des.path.home=/usr/share/elasticsearch -cp /usr/share/elasticsearch/lib/elasticsearch-2.3.4.jar:/usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch start

Then exec into the container:

docker exec -it 473 /bin/bash

And look at the processes:

root@473c4548b06f:/usr/share/elasticsearch# ps aux | grep java
elastic+     1 14.0  6.3 4671936 257372 ?      Ssl  17:48   0:10 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true -Des.path.home=/usr/share/elasticsearch -cp /usr/sh

From the host:

sudo kill -9 20473

ends up killing the docker container.

Now, I may be mistaken, but I thought there was complete process segregation? Is this supposed to bleed out to the host?

Answer:

The container is isolated from the host, the host is not isolated from the container. So from the host, you can see the files, network connections, network interfaces, processes, etc., that are used inside the container. But from the container, you can only see what's in the container (barring any privilege escalation configured in the run command).
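The asymmetry the answer describes is visible directly in /proc on the host: a containerised process has one PID in the host's pid namespace and another inside the container's, and the kernel lists both on the `NSpid:` line of `/proc/<pid>/status`, while `/proc/<pid>/cgroup` names the container the process belongs to. The script below is an added example written for this page (not code from the question, the answer, or Docker); it shows how, from the host, to map a host PID such as 20473 back to "PID 1 inside container 473c4548b06f" before deciding whether a `kill` is really aimed at a container. The sample `/proc` contents are constructed to mirror the question and are not captured from a real system; the live `inspect_host_pid` helper assumes a Linux host with a kernel that reports `NSpid` (4.1 or later).

```shell
#!/bin/sh
# Added example (not from the original page or Docker): relate a host PID to
# the PID the same process has inside its container, and to the container id.
# Linux exposes both facts in /proc:
#   /proc/<pid>/status  "NSpid:" line lists the PID in every nested pid
#                       namespace, outermost (host) first, innermost last
#   /proc/<pid>/cgroup  names the cgroup; for Docker it contains the container id
# The parsers read file contents from stdin so they can be run on the
# constructed samples below without Docker; inspect_host_pid reads live /proc.

# Print the PID of the process as seen inside its innermost pid namespace.
# For a process in a container this is the PID "ps" shows inside it (often 1).
container_pid_from_status() {
    awk '/^NSpid:/ { print $NF }'
}

# Print how many pid namespaces deep the process is (0 = runs directly on the host).
namespace_depth_from_status() {
    awk '/^NSpid:/ { print NF - 2 }'
}

# Print the Docker container id found in a cgroup file, for both the
# cgroup v1 layout ("/docker/<id>") and the cgroup v2 systemd layout
# ("docker-<id>.scope"). Prints nothing for a process that is not in a container.
container_id_from_cgroup() {
    sed -n 's#.*docker[/-]\([0-9a-f]\{12,64\}\).*#\1#p' | head -n 1
}

# Live lookup on a Linux host (assumes /proc is mounted and NSpid is supported).
inspect_host_pid() {
    pid=$1
    [ -r "/proc/$pid/status" ] || { echo "no such pid: $pid" >&2; return 1; }
    printf 'host pid %s -> pid %s inside its namespace (depth %s), container: %s\n' \
        "$pid" \
        "$(container_pid_from_status < "/proc/$pid/status")" \
        "$(namespace_depth_from_status < "/proc/$pid/status")" \
        "$(container_id_from_cgroup < "/proc/$pid/cgroup")"
}

# Constructed samples modelled on the question (hypothetical, not captured
# from a real system; the 64-hex container id is a made-up placeholder).
SAMPLE_STATUS=$(printf 'Name:\tjava\nState:\tS (sleeping)\nPid:\t20473\nNSpid:\t20473\t1\n')
SAMPLE_CGROUP_V2='0::/system.slice/docker-473c4548b06f0000000000000000000000000000000000000000000000000000.scope'
SAMPLE_HOST_STATUS=$(printf 'Name:\tsshd\nPid:\t812\nNSpid:\t812\n')
SAMPLE_HOST_CGROUP='0::/system.slice/ssh.service'

# Usage on a real host: sh this_script.sh 20473
if [ -n "${1:-}" ]; then
    inspect_host_pid "$1"
fi
```

Run with a host PID as the argument to query a live system; with no argument the script only defines the helpers, which is what makes the parsers usable on captured `/proc` files from another machine during an investigation. A depth of 0 and an empty container id mean the PID belongs to the host itself, so a `kill` from the host will not hit a container; a depth of 1 with a container id tells you which container the signal would land in.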
