Explain to me like I'm 9: what exactly ARE Docker containers?
July 10, 2024
I recently came across what could be the best explanation of containers and wanted to share it.
Source: "Learning Docker" series on LinkedIn Learning by Carlos Nunez.
- A container is composed of two things: a Linux namespace and a Linux control group.
- Namespaces are a Linux kernel feature that provides the ability to expose different "views" of your system to applications running within it.
  - This way, you can have an application think it's running as, say, the root superuser with access to an entire file system and all sorts of hardware when it's actually running as user 12345 with access to a single folder.
- Modern Linux kernels provide access to 8 namespaces:
  - USERNS - The ability to view and create users.
  - MOUNT - Access to file systems.
  - NET - Network communication abilities.
  - IPC - Interprocess communication.
  - TIME - The ability to change time. (Note: this is currently not supported by Docker.)
  - PID - Process ID management.
  - CGROUP - The ability to create and list control groups.
  - UTS - The ability to set host and domain names.
- Control groups build on this by providing the ability to restrict how much hardware each process can use.
- Docker uses control groups for a few things:
  - It uses control groups to monitor and restrict CPU usage.
  - It uses control groups to monitor and restrict network and disk bandwidth.
  - It uses control groups to monitor and restrict memory consumption.
- This architecture and design means that Docker has a few limitations:
  - It natively only runs on Linux.
  - Containers can run on anything, but their images are tied to the kernel they were created from.
    - So, for example, containers created from container images configured for Linux kernels can only run on Linux.
    - Conversely, containers created from container images configured for Windows can only run on Windows.
  - Fortunately there are some established workarounds for this.
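To see both halves of that definition from the kernel's side, here is a small Python script I added for this post (it is my code, not from the course): it reads which of the 8 namespaces a process is in from `/proc/<pid>/ns/`, compares two processes to find namespaces they still share (a container started with `--net=host` or `--pid=host` shares those with the host), and parses the cgroup v2 control files that `docker run --memory 256m --cpus 1.5 --pids-limit 100` produces. The sample cgroup values below are constructed; reading live values assumes Linux with cgroup v2 mounted at `/sys/fs/cgroup`.

```python
"""Inspect the two kernel primitives a container is built from: namespaces and cgroups."""
import os
import re
from pathlib import Path

# The eight namespace kinds the kernel exposes under /proc/<pid>/ns/ (kernel names).
NAMESPACES = ("user", "mnt", "net", "ipc", "time", "pid", "cgroup", "uts")


def read_namespaces(pid="self"):
    """Return {namespace: inode} for a process. Two processes in the same
    namespace see the same inode; a container's PID 1 gets a fresh inode
    for every namespace Docker unshared from the host."""
    result = {}
    for ns in NAMESPACES:
        try:
            target = os.readlink(Path(f"/proc/{pid}/ns/{ns}"))  # e.g. "pid:[4026531836]"
        except OSError:
            continue  # no /proc, or a kernel that lacks this namespace (e.g. time)
        result[ns] = int(re.search(r"\[(\d+)\]", target).group(1))
    return result


def shared_namespaces(ns_a, ns_b):
    """Namespaces two processes have in common (same inode). If a container
    process shares 'net' or 'pid' with the host's PID 1, it is not isolated
    in that dimension, which is what --net=host / --pid=host produce."""
    return sorted(k for k in ns_a if k in ns_b and ns_a[k] == ns_b[k])


def parse_cgroup_v2_limits(files):
    """Turn raw cgroup v2 control-file contents into numbers.
    files maps file name -> raw text, e.g. {"memory.max": "268435456\n",
    "cpu.max": "150000 100000\n", "pids.max": "100\n"}; "max" means unlimited (None)."""
    def num(text):
        text = text.strip()
        return None if text == "max" else int(text)
    quota, period = files.get("cpu.max", "max 100000").split()
    cpus = None if quota == "max" else int(quota) / int(period)  # quota/period = CPUs
    return {
        "memory_bytes": num(files.get("memory.max", "max")),
        "cpus": cpus,
        "pids": num(files.get("pids.max", "max")),
    }


def read_cgroup_v2_limits(cgroup_dir="/sys/fs/cgroup"):
    """Read the limits on the given cgroup directory (assumes cgroup v2)."""
    files = {}
    for name in ("memory.max", "cpu.max", "pids.max"):
        try:
            files[name] = Path(cgroup_dir, name).read_text()
        except OSError:
            pass  # file absent: controller not enabled here, or not cgroup v2
    return parse_cgroup_v2_limits(files)
```

Inside a container, `read_namespaces(1)` versus the host's `read_namespaces(1)` shows exactly which "views" Docker replaced, and `read_cgroup_v2_limits()` shows the ceilings the control group enforces.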