05 Evidence

Side-by-side reference for the report

Runtime evidence

Check

Runtime snapshot of the container's isolation boundary — which user identity it holds, which namespaces it's confined to, and whether resource limits are actively enforced.

Fields reported: User, Userns, cpu.weight, cpu.max (values are populated at runtime)

Before / after proof

Isolation comparison

Observable differences before and after Dokuru applies container hardening rules. The application workload remains unchanged; only the isolation boundary shifts.

           Before                           After
UID map    0 → 0 (root = root)              0 → 4294967295 (remapped)
PID view   host process list visible        only container processes
PIDs       unlimited — bomb spawns freely   pids.max caps the bomb
Memory     unlimited / host-sized           explicit memory limit set
CPU        default shares (unthrottled)     explicit cpu.weight set
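The verdicts in the UID map, PIDs, Memory and CPU rows can be reproduced from the kernel files a container sees. The script below is an added example, not code from the Dokuru lab; it assumes a cgroup v2 unified hierarchy mounted at /sys/fs/cgroup (where cpu.weight defaults to 100), and each verdict function takes file contents as its argument so it also works on captured evidence.

```shell
#!/bin/sh
# Added example, not part of the Dokuru lab: evaluate the isolation indicators
# from the comparison table using the kernel files a container sees.
# Each verdict function takes file *contents* as its argument, so it can be
# run against captured evidence; collect_live reads the real files.
# Assumes a cgroup v2 unified hierarchy mounted at /sys/fs/cgroup.

# /proc/self/uid_map lines read "<inside> <outside> <count>". The identity
# map "0 0 4294967295" means container root is host root; anything else
# means the user namespace remaps root.
uid_map_verdict() {
    set -- $1   # word-split: first three fields are the first map line
    [ "$1" = "0" ] && [ "$2" = "0" ] && [ "$3" = "4294967295" ] \
        && echo "root = root" || echo "remapped"
}

# pids.max / memory.max hold either "max" (no limit) or a number.
# A missing file (empty argument) is reported as unlimited as well.
limit_verdict() {
    case "$1" in
        max|"") echo "unlimited" ;;
        *)      echo "capped at $1" ;;
    esac
}

# cpu.weight defaults to 100; cpu.max reads "<quota> <period>", with
# quota "max" meaning unthrottled. $1 = cpu.weight, $2 = cpu.max.
cpu_verdict() {
    set -- "$1" ${2:-unknown unknown}   # split cpu.max into quota, period
    if [ "$1" = "100" ] && [ "$2" = "max" ]; then
        echo "default shares (unthrottled)"
    else
        echo "weight=$1 quota=$2/$3"
    fi
}

# Read the live files from inside the container and print one row per check.
collect_live() {
    cg=/sys/fs/cgroup
    echo "UID map: $(uid_map_verdict "$(cat /proc/self/uid_map)")"
    echo "PIDs:    $(limit_verdict "$(cat "$cg/pids.max" 2>/dev/null)")"
    echo "Memory:  $(limit_verdict "$(cat "$cg/memory.max" 2>/dev/null)")"
    echo "CPU:     $(cpu_verdict "$(cat "$cg/cpu.weight" 2>/dev/null)" \
                                "$(cat "$cg/cpu.max" 2>/dev/null)")"
}

if [ "${1:-}" = "--live" ]; then
    collect_live
fi
```

Run it with `--live` inside the baseline and the hardened container to get the two columns of the table from the kernel's own view.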
Inspect baseline: docker inspect dokuru-lab-baseline
Dokuru Namespace & Cgroup Lab
Run only on a disposable lab host. Endpoints intentionally expose shell execution and resource pressure.