Why can I see the docker container process when I do a “ps aux” on the host?

From the host:

ps aux | grep java

me@my-host:~/elastic-search-group$ ps aux | grep java
smmsp    20473  106  6.3 4664740 257368 ?      Ssl  17:48   0:09 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true -Des.path.home=/usr/share/elasticsearch -cp /usr/share/elasticsearch/lib/elasticsearch-2.3.4.jar:/usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch start

Then exec into the container:

  • Jenkins, Docker Build Step create container issue
  • Docker php:5.6-Apache Development Environment missing permissions on volume mount
  • How to pass container ip as ENV to other container in docker-compose file
  • Finding Containers Using Docker VirtualBox
  • How to recover from
  • Can't access docker containers when there more than 2 containers
  • docker exec -it 473 /bin/bash
    

    And look at the processes:

    root@473c4548b06f:/usr/share/elasticsearch# ps aux | grep java                                                                                                               
    elastic+     1 14.0  6.3 4671936 257372 ?      Ssl  17:48   0:10 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true -Des.path.home=/usr/share/elasticsearch -cp /usr/sh
    

    From the host:

    sudo kill -9 20473
    

    ends up killing the docker container.

    Now, I may be mistaken, but I thought there was complete process segregation? Is this supposed to bleed out to the host?

  • Docker vs. Rocket in development
  • Where are docker images stored by boot2docker?
  • Docker how to inject host ENV into Dockerfile ENV during build?
  • Cannot change permissions of the '/' directory in Docker
  • Guacamole image in Docker getting blank login page
  • docker containers need to be secure by default?
  • One Solution collect form web for “Why can I see the docker container process when I do a “ps aux” on the host?”

    The container is isolated from the host, the host is not isolated from the container. So from the host, you can see the files, network connections, network interfaces, processes, etc, that are used inside the container. But from the container, you can only see what’s in the container (barring any privilege escalation configured in the run command).

    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.