Will this Linux kernel facility limit a Docker container's access to host resources, such as CPU or memory?
Solution.capabilities
Correct Answer: A
Explanation
Capabilities are a Linux kernel feature that allows processes to perform some privileged operations without having the full power of the root user1. Docker uses capabilities to limit the access of containers to host resources, such as CPU or memory2. By default, Docker drops all capabilities except those needed for the container to function properly, using a whitelist approach3. This reduces the risk of a container compromising the host system or other containers. You can also add or remove capabilities to or from a container at runtime, using the --cap-add or --cap-drop options of the docker run command4. This gives you more control over the security and functionality of your containers. References:
* Capabilities | dockerlabs
* Docker run reference | Docker Docs
* Docker Capabilities and no-new-privileges
* Runtime privilege and Linux capabilities | Docker Docs