Linux Containers (LXC) isolate containers from each other using a variety of Linux features:
1. Linux Kernel Namespaces: Each LXC container has its own process, network, mount, and user namespaces. This ensures that processes of one container cannot interfere with those of another.
1. Control Groups (CGroups): Each container can limit resources such as CPU, memory, and I/O usage, thereby preventing containers from exhausting system resources and affecting others.
1. Capabilities: Each container is granted certain capabilities, or permissions, by the system, which limits what it can do. This prevents containers from gaining expanded authority that could affect other containers or the host system.
1. AppArmor and SELinux: These are Linux Security Modules (LSM) that limit the activities of the LXC container by enforcing a security policy at the kernel level.
1. Chroots (change root): This changes the apparent root directory for the current running process and its children, preventing them from accessing host files outside that directory.
1. Linux Kernel Security Modules (like Seccomp): These provide the capability to filter the system calls made by the processes in a container.
Overall, through a combination of these features, LXC creates an environment wherein each container behaves as a separate virtual machine, isolated from other containers and the host system itself.
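
One way to check from the host that these mechanisms are actually applied to a container's init process, as an added example that is not part of the original text: it audits the kind of data found under `/proc/<pid>/` (`status`, `ns/*`, `attr/current`). The namespace inodes, `CapEff` values and AppArmor label are constructed samples, and `parse_status` and `audit` are hypothetical helper names.

```python
# Added example; every sample value below is constructed for illustration.
# Capability bit numbers are from <linux/capability.h>.
RISKY_CAPS = {16: "CAP_SYS_MODULE", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}

def parse_status(text):
    """Parse /proc/<pid>/status text into {field: value}."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {key.strip(): value.strip() for key, value in pairs}

def audit(status_text, container_ns, host_ns, lsm_label):
    """Return sorted findings for one container init process (empty = all pass)."""
    findings = []
    status = parse_status(status_text)
    # Namespaces: the same inode in /proc/<pid>/ns/<name> means it is shared.
    shared = [n for n, inode in container_ns.items() if host_ns.get(n) == inode]
    findings += [f"namespace:{n} shared with host" for n in shared]
    # Capabilities: CapEff is a hex bitmask. Capabilities held in a separate
    # user namespace apply only to that namespace's resources, so flag them
    # only when the user namespace is the host's.
    if "user" in shared:
        cap_eff = int(status["CapEff"], 16)
        findings += [f"capability:{cap} in effective set"
                     for bit, cap in RISKY_CAPS.items() if (cap_eff >> bit) & 1]
    # Seccomp field: 0 = disabled, 1 = strict, 2 = filter.
    if status.get("Seccomp", "0") == "0":
        findings.append("seccomp: no filter installed")
    # LSM label as read from /proc/<pid>/attr/current.
    label = lsm_label.strip()
    if not label or label.startswith("unconfined"):
        findings.append("lsm: process is unconfined")
    return sorted(findings)

HOST_NS = {"pid": "pid:[4026531836]", "net": "net:[4026531840]",
           "mnt": "mnt:[4026531841]", "user": "user:[4026531837]"}
# Constructed: unprivileged container with its own user namespace.
HARDENED = ("CapEff:\t000001ffffffffff\nSeccomp:\t2\n",
            {"pid": "pid:[4026532301]", "net": "net:[4026532304]",
             "mnt": "mnt:[4026532299]", "user": "user:[4026532298]"},
            "lxc-container-default-cgns (enforce)")
# Constructed: privileged container, host user namespace, no seccomp or LSM.
WEAK = ("CapEff:\t000001fcfdfcffff\nSeccomp:\t0\n",
        {**HARDENED[1], "user": HOST_NS["user"]}, "unconfined")

if __name__ == "__main__":
    for name, (text, ns, label) in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(text, ns, HOST_NS, label))
```

On a live host the same inputs come from `readlink /proc/<pid>/ns/*` for the container's init process and for PID 1, and from reading `/proc/<pid>/status` and `/proc/<pid>/attr/current`.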