docker isn't magic: it isn't a virtual machine either
Docker is the most popular engine for running Linux containers which are an increasingly popular way to deploy applications. Many people use containers but fewer people know what a container actually does. I hope you enjoy this short talk I gave to the Linux and Unix Users Group at Virginia Tech where I overview what actually happens when you type docker run.
A few key points from the talk:
- Docker is NOT a hypervisor
- Rather, Docker allows you to isolate a process at multiple levels through namespaces
- mnt: filesystem
- pid: process
- network: isolated network stack
- user: allows non-root on host to be mapped to root in container
- uts: dedicated hostname
- ipc: dedicated memory
- Rather, Docker allows you to isolate a process at multiple levels through namespaces
- After
cgroupswere added to the Linux kernel in 2007, several projects emerged that took advantage of them by creating containerization processesLXC— “Linux Containers”LMCTFY— Google’s internal container stack pre-Dockersystemd-nspawn— “chroot on steroids,” packaged with systemdrkt— Dameonless OCI-compliant runtime from CoreOS
- Docker was originally started to build tooling around Linux Containers that were more developer friendly but before long, dropped LXC to establish the "Open Container Initiative" (OCI)
- The basic idea is that any OCI-complaint runtime can run any OCI-compliant image, so there is full compatibility
- In the talk all of the behavior I demo "manually" in
bashcan be mirrored to adockercommand- When I used
wgetto obtain the tarball of my filesystem before the talk that is similar to pulling an image usingdocker pull- Pro tip: look at all local container images with
docker image ls
- Pro tip: look at all local container images with
- When I run my "container" with
chrootthat is similar to usingdocker run <image name> - When I attach to the already running container using
nsenterthat is similar to usingdocker exec
- When I used
The following sources were extremly helpful in preparing this talk:
- Docker is NOT a Hypervisor by Michael Irwin
- Containers from Scratch by Eric Chiang
- A Comprehensive Container Runtime Comparison by Evan Baker