After you read this post, you might/should have a basic understanding of how containers work.
Containers are one of the hottest and key topics in Cloud Computing. Especially Docker hit the container revolution off in 2013 and since then container technologies rising up continuously. For many people, containers are equal to Docker and Docker does some magical things. It’s not exactly how it works.
So in this post, I’d like to look closely at Docker and how does docker work and see what's going on behind the scene.
In the picture above you see Atlas in Greek mythology. I took the picture above because is summarizing this post.
The container is consists of two main features of the Linux kernel, which can be listed:
- cgroups → stand for control group : since 2006
which allow processes to be organized into hierarchical
groups whose usage of various types of resources can then be limited
To simplify: It tells which process how much resources can use. It’s limiting the usage of resources.
2. namespace → since 2002 in Linux kernel
A namespace wraps a global system resource in an abstraction that
makes it appear to the processes within the namespace that they have
their own isolated instance of the global resource. One use of
namespaces is to implement containers.
To simplify: Isolation container from the rest of the system and by using namespace you can decide what to share or not share(unshare) between host and the other container. There are different type of namespaces
As you guessed, each namespace listed above it’s for its prefix for example network_namespaces handling networking for containers to isolate the network from the host machine and other containers.
unshare is another feature of Linux:
unshare() allows a process (or thread) to disassociate parts of its
execution context that are currently being shared with other
processes (or threads).
To simplify: It’s isolating and disassociating a process from its environment.
For each container, cgroup allocating an amount of resources, and via namespace, the process(container) will be isolated from the environment. Now we are close to creating a container. The question might arise: So how does work the file system? For file system one of the oldest Linux chroot feature(1978).
chroot() changes the root directory of the calling process to that
specified in path. This directory will be used for pathnames
beginning with /. The root directory is inherited by all children of
the calling process.
To simplify: changes the apparent root directory for the current running process and its children
Now we are close to Docker. If we bring all tools that we explained above, together, we will create a container. This is what actually Docker does.
As a user, you are interacting with the docker command line (client), for example you are running ubuntu container via
$ docker run --rm -it ubuntu:18.04
Following steps will be triggered respectively:
- Docker client will hit Docker daemon(dockerd)
- Docker daemon will hit containerd what actually docker daemon does automatically as soon as daemon started.
- containerd will hit the runc, which is a command-line tool used for actually spawning the container.
So to see the big picture, Docker is a huge layer of abstraction and does many magical things, but now we know what magical things are happening behind the scene.
Docker uses a technology called
namespacesto provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container.These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace.
Now you know how does Docker work and who has the cross to bear :)