Till now, I was of the idea that container technology (e.g. Docker) provides the required isolation and OS-level virtualisation, and that the applications running in the container are restricted by namespaces, cgroups, AppArmor/SELinux and capabilities and have no way to figure out the host environment they are in. But it seems this understanding is not 100% correct.
As on Wikipedia - OS-level virtualization:
OS-level virtualization is an operating system paradigm in which the kernel allows the existence of multiple isolated user space instances. Such instances, called containers (LXC, Solaris containers, Docker), Zones (Solaris containers), virtual private servers (OpenVZ), partitions, virtual environments (VEs), virtual kernels (DragonFly BSD), or jails (FreeBSD jail or chroot jail), may look like real computers from the point of view of programs running in them. A computer program running on an ordinary operating system can see all resources (connected devices, files and folders, network shares, CPU power, quantifiable hardware capabilities) of that computer. However, programs running inside of a container can only see the container's contents and devices assigned to the container.
From the above quote, it seems it only adds isolation and abstraction, and nothing like virtualization.
The Java team had to add container support to the JVM so that it does not look into the host environment directly but instead limits ITSELF to the isolation/abstraction provided by Docker.
References:
- "Java (prior to JDK8 update 131) applications running in docker container CPU / Memory issues?", with an excellent answer explaining JVM support for Linux containers.
- Linux container support first appeared in JDK 10 and was then ported to 8u191.
Does this mean that a C program running in a container environment has a way to bypass the restriction and access/read the host environment details? Of course, when it tries to use this information to do anything beyond what the container is allowed to do, the container engine might kill the process, or the container itself.
So, if I am developing a C/C++ application which requests/queries host resources like CPU/memory/devices etc., is it my responsibility to make sure the application runs as expected in container environments by adding container support?
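As an added illustration of the situation the question describes (this is example code written for this page, not code from the question, from the JVM, or from Docker): the host-wide APIs that a C program normally uses, `sysconf(_SC_NPROCESSORS_ONLN)` and `sysconf(_SC_PHYS_PAGES)`, are answered from the host kernel and are not narrowed by the container's cgroup, while the cgroup limit files are. The program below reads both and derives an "effective" value the same way a container-aware runtime does, so that an application sizes its thread pools and caches to what the container is actually allowed to use. It assumes the cgroup v2 files `/sys/fs/cgroup/cpu.max` and `/sys/fs/cgroup/memory.max`, with a fallback to the cgroup v1 paths `/sys/fs/cgroup/cpu/cpu.cfs_quota_us`, `/sys/fs/cgroup/cpu/cpu.cfs_period_us` and `/sys/fs/cgroup/memory/memory.limit_in_bytes`; those paths are the usual mount points when the container runs in its own cgroup namespace, which is an assumption, not something the page states. Treating a v1 memory limit above `LLONG_MAX / 2` as "unlimited" is also this example's own heuristic.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse a cgroup v2 "cpu.max" line ("<quota> <period>" or "max <period>").
 * Returns the number of CPUs the cgroup may use (may be fractional),
 * or -1.0 when the line means "unlimited" or cannot be parsed. */
double cpus_from_cpu_max(const char *line) {
    char quota[32];
    long period;
    if (sscanf(line, "%31s %ld", quota, &period) != 2 || period <= 0) return -1.0;
    if (strcmp(quota, "max") == 0) return -1.0;
    char *end;
    long q = strtol(quota, &end, 10);
    if (*end != '\0' || q <= 0) return -1.0;
    return (double)q / (double)period;
}

/* Parse a cgroup v2 "memory.max" (or v1 "memory.limit_in_bytes") line:
 * either "max" or a byte count. Returns -1 when unlimited or unparseable. */
long long bytes_from_memory_max(const char *line) {
    while (*line == ' ') line++;
    if (strncmp(line, "max", 3) == 0) return -1;
    char *end;
    errno = 0;
    long long v = strtoll(line, &end, 10);
    if (errno != 0 || end == line || (*end != '\0' && *end != '\n')) return -1;
    return v;
}

/* Read the first line of a small sysfs/cgroup file. 0 on success, -1 otherwise. */
static int read_first_line(const char *path, char *buf, size_t n) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int ok = fgets(buf, (int)n, f) != NULL;
    fclose(f);
    return ok ? 0 : -1;
}

/* What the host-wide APIs report: the container boundary does not narrow these. */
long host_online_cpus(void) { return sysconf(_SC_NPROCESSORS_ONLN); }

long long host_phys_mem_bytes(void) {
    long pages = sysconf(_SC_PHYS_PAGES), psz = sysconf(_SC_PAGESIZE);
    if (pages < 0 || psz < 0) return -1;
    return (long long)pages * (long long)psz;
}

/* Container-aware CPU count: the cgroup quota when one is set and smaller
 * than the host count, otherwise the host count. Paths are assumptions. */
double effective_cpus(void) {
    char q[64], p[64];
    double limit = -1.0;
    if (read_first_line("/sys/fs/cgroup/cpu.max", q, sizeof q) == 0) {   /* cgroup v2 */
        limit = cpus_from_cpu_max(q);
    } else if (read_first_line("/sys/fs/cgroup/cpu/cpu.cfs_quota_us", q, sizeof q) == 0 &&
               read_first_line("/sys/fs/cgroup/cpu/cpu.cfs_period_us", p, sizeof p) == 0) {
        long quota = atol(q), period = atol(p);                          /* cgroup v1; quota -1 = unlimited */
        if (quota > 0 && period > 0) limit = (double)quota / (double)period;
    }
    double host = (double)host_online_cpus();
    if (host < 1) host = 1;
    return (limit > 0 && limit < host) ? limit : host;
}

/* Container-aware memory budget in bytes, same rule as effective_cpus(). */
long long effective_memory_bytes(void) {
    char buf[64];
    long long limit = -1;
    if (read_first_line("/sys/fs/cgroup/memory.max", buf, sizeof buf) == 0)
        limit = bytes_from_memory_max(buf);
    else if (read_first_line("/sys/fs/cgroup/memory/memory.limit_in_bytes", buf, sizeof buf) == 0)
        limit = bytes_from_memory_max(buf);
    if (limit > 0 && limit >= LLONG_MAX / 2) limit = -1;  /* v1 sentinel for "no limit" (heuristic) */
    long long host = host_phys_mem_bytes();
    return (limit > 0 && (host < 0 || limit < host)) ? limit : host;
}

int main(void) {
    printf("host CPUs: %ld, effective CPUs: %.2f\n", host_online_cpus(), effective_cpus());
    printf("host RAM: %lld bytes, effective RAM: %lld bytes\n",
           host_phys_mem_bytes(), effective_memory_bytes());
    return 0;
}
```

Run it once on the host and once inside a container started with CPU and memory limits: the "host" lines stay the same in both, which is the information leak the question asks about, while the "effective" lines follow the cgroup. Reading the cgroup files is not a bypass of anything; it is the same information the JVM's container support consults, and a process that ignores it and sizes itself from the host values is the one that ends up throttled or OOM-killed by the cgroup.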