
Container isolation gone wrong

Blog post from Sysdig

Post Details
Author: Gianluca Borello
Word Count: 4,707
Language: English
Summary

The blog post by Gianluca Borello delves into the complexities of container isolation, highlighting how shared kernel resources can cause unexpected interactions between containers. It presents a detailed troubleshooting narrative involving two containers, "worker" and "trasher," where the presence of the latter leads to performance degradation in the former, despite seemingly adequate resource limits. The issue is traced back to the kernel's dentry cache, which stores metadata for file paths, including non-existent ones, leading to a massive accumulation of dentry objects that slow down file operations. The post underscores the importance of monitoring container performance metrics and keeping kernel and distribution versions up to date to avoid such pitfalls. It also notes that newer kernel versions have addressed this specific issue by linking kernel object pool allocations to memory cgroups, preventing excessive dentry object creation.