Docker containers simply explained

Yasser Sinjab
2 min read · Oct 27, 2018


A: What is a container?
B: It is like a VM. But it shares the OS kernel with other containers.
A: Since they are on the same OS, are they isolated?
B: I guess yes.
A: What are the mechanisms used to make them isolated?
B: Hmmm…. (No answer)

The answer to this question is container technology in a nutshell. Many developers start using containers without knowing how they work internally, and when you ask them, all they know is the analogy with VMs. In this story I will briefly explain how exactly containers can isolate processes that run on the same operating system, using two mechanisms: Linux namespaces and control groups.

Linux namespaces:

Namespaces take a single global resource and make it appear to the container as a resource it owns alone. Let’s take the user namespace as an example: on one of my AWS virtual machines, I listed all system users (my username is the last one, ‘ysinjab’). Each container will have an isolated set of users and groups.

Likewise, the mount namespace is used primarily to make the container appear as if it has its own filesystem. If you noticed in the previous gist, when we entered the container the filesystem was rooted at “/”. But this is not the system’s actual root; it is the mount namespace that makes it possible for the container to have its own root.

Here is a list of other namespaces used:

  • UTS
  • PID (process)
  • IPC (inter process communication)
  • Network

Linux control groups (cgroups):

cgroups is a Linux kernel feature used to set limits on resources for processes and their children. That simply means every container (a process) is assigned to its own cgroup. The children here are the processes running inside that container.
Which resources do cgroups limit? Many, including:

  • CPU
  • RAM
  • Disk I/O
  • Network bandwidth

If you run docker stats on one of your running containers, you will see the resource reports that cgroups generate:
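Both mechanisms can be checked directly from /proc rather than taken on faith. The following is an added example (not from the original post): it compares the namespace identifiers of two processes to find which resources are not isolated between them, and parses the cgroup assignment and cgroup v2 memory limit. The sample data is constructed; the namespace inode numbers and the container id in the cgroup path are placeholders.

```python
import os

# Namespace kinds the post discusses; compare a container's to the host's.
NS_KINDS = ("user", "mnt", "uts", "pid", "ipc", "net")


def read_ns_ids(pid="self"):
    """Read /proc/<pid>/ns/<kind> symlinks (Linux only). A target looks like
    'mnt:[4026531840]'; equal targets mean the same namespace."""
    ids = {}
    for kind in NS_KINDS:
        try:
            ids[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:
            pass  # kernel lacks that kind, or we may not inspect that pid
    return ids


def shared_namespaces(a, b):
    """Kinds where both processes are in the same namespace: no isolation
    between them for that resource."""
    return sorted(k for k in a if k in b and a[k] == b[k])


def cgroup_path(cgroup_text):
    """Parse /proc/<pid>/cgroup: v2 has a single '0::/path' line, v1 one line
    per controller such as '4:memory:/path'. Returns the memory path."""
    v1_memory = None
    for line in cgroup_text.splitlines():
        hier, controllers, path = line.split(":", 2)
        if hier == "0" and controllers == "":
            return path
        if "memory" in controllers.split(","):
            v1_memory = path
    return v1_memory


def memory_limit_bytes(memory_max_text):
    """cgroup v2 memory.max: 'max' means unlimited (None), else bytes."""
    value = memory_max_text.strip()
    return None if value == "max" else int(value)


# Constructed sample: a container run with --network=host on a daemon
# without userns-remap (Docker's default), so net and user stay shared.
HOST_NS = {k: f"{k}:[40265318{i:02d}]" for i, k in enumerate(NS_KINDS)}
CONTAINER_NS = dict(HOST_NS, mnt="mnt:[4026532567]", uts="uts:[4026532568]",
                    pid="pid:[4026532570]", ipc="ipc:[4026532569]")
```

On a live Linux host, `shared_namespaces(read_ns_ids(), read_ns_ids(container_pid))` gives the same answer for a real container process, and an empty cgroup path or a `memory.max` of `max` tells you no limit is enforced.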

Hope that helps you understand how containers are built from kernel features, so you can forget about the VM story when you need to explain this extraordinary technology to anyone :)

Yasser Sinjab

Software Engineer. Data nerd. Machine learning enthusiast.