Table of contents
Before we dive into learning about Docker, it's important to have a basic understanding of containers.
What is Container?
Isolated area of OS with resource usage limit applied.
We use two main building blocks when we're building containers.
- Namespaces
- Control Groups
(Both of these are Linux Kernel Primitives)
Namespaces:
Namespaces let us take an operating system and carve it into multiple isolated virtual operating systems.
- It is a bit like hypervisors and virtual machines.
In hypervisor world, we take a single physical machine with all of its resources. ( e.g. CPU and RAM ) and we carve out one or more virtual machines.
Each one gets a down slice of virtual CPU, virtual memory, virtual networking, the whole shabang. (All of it, the whole lot)
In container world, we use namespaces to take a single operating system with all of its resources which tend to be higher - level constructs like file systems, process trees and users. We carve it all up into multiple virtual operating systems called containers.
Each container get its own virtual or containerized root file system, its own process tree, its own Etho interface, its own root user, the full monty. (everything)
Just the way a virtual machine in a hypervisor world looks, taste and smell like regular physical server. In container world each container looks, feels and smells exactly like a Operating System (only it's not).
All the container present are sharing a single kernel on the host, but they all are so isolated. So that the stuff inside the one container doesn't even know about any other.
LInux Namespaces
- Process ID (pid)
- Network (net)
- Filesystem/mount (mnt)
- Inter-proc comms (ipc)
- UTS (uts)
- User (user)
An organised collection of these namespaces are basically known as Docker Container.
pid: It gives each container its own process tree complete with its own pid 1. (which means that a process in one container is blissfully unaware of any other container)
net: it gives each container its own isolated network stck, so its own NIC's, IP's, routing tables, the lot.
mnt: It gives a container its own isolated root file system. (e.g. slash on Linux)
ipc: It lets the processes in a single container access the same shared memory, but it stops everything from outside of the container.
uts: It gives every container its own hostname.
user: It lets you map accounts inside of a container to different users on the host. (It is relatively new to docker) e.g. mapping the container's root user to a non-privileged user on the host.
Control Groups
But we need something to police the consumption of system resources also. They are called Control groups.
The main idea is to group processes and impose limits. (How much CPU, RAM, disk a container will use)
With these two technologies, namespaces and control groups, we have got a realistic shot of workable container and a union file system or some way of combining bunxh of read-only file systems or block devices, lashing a writable layer on top and presenting them to the system in a unified view.