Abstract image of a woman sitting on books and studying on a laptop

The building blocks of docker.

C
Chafik Belhaoues

Docker provides a way to package applications into containers that can be run on any infrastructure. It uses namespaces and cgroups to isolate processes and share resources efficiently. The key components are images which are read-only templates for building containers, registries for storing images, and containers which combine an image with writable layers and metadata to run applications anywhere. Docker uses a client-server architecture with containers built from images and managed through commands to the Docker daemon which handles building, running, and distributing containers.

Engineering
1 of 28
Downloaded 45 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Ready to get shipped? By Chafik Belhaoues @XebiaFr
Introduction [History & newness of the idea]1 Anatomy of the building blocks2 Namespaces3 cgroups5 Storage backends6 Execution environments7
A little bit of history: The marine containers have been created in 1956 par Malcom Mclean in NewYork, just because time is money (-90% of transport costs). BEFORE AFTER
Did the containerization {concept} exist before Docker? OH YEAH…
By Pivotal
The need of containerization: Develop, ship, and run applications {everywhere}. Concept? Product? Life-cycle engine? …you said {DevOps} tool? A single, runnable, distributable executable. What is the difference with the other form of virtualization then? Open source [CS version]. Not OS-related [theoretically]. No hypervisor needed. A different [new] vision of IT. Closer to the most IT needs.
Hardware-centric: A VM packages a full stack (virtual hardware, kernel, a user space). Designed with machine operators in mind, not software developers. VMs offer no facilities for application versioning, monitoring, configuration, logging or service discovery… Application-centric: Packages only the user space; there is no kernel or virtual hardware. Sandboxing method known as containerization = Application virtualization.
Overview: Docker is based on a client-server architecture. The client {user commands} talks to the Docker Daemon. Daemon: runs on a host machine. Client: accepts commands from the user and communicates back and forth with a Docker Daemon using API. 3 components involved: build..ship..run Images: a read-only template, images are the build component of Docker. Registries: hold images, the distribution component of Docker. Containers: holds everything that is needed for an application to run, the run component of Docker
Combination: A container consists of a read-only image based on a given operating system, user-added files, and meta-data.
Anatomy of the building blocks: Apartment complex analogy: 1. Each apartment will require water and electricity and these resources should be distributed fairly {resources}. 2. The apartments are isolated with walls to keep people separate from their respective neighbors {isolation}. 3. Each apartment also has a door, lock, and keys {security}. 4. Finally, most apartment complexes benefit from a manager who works to ensure a consistent and clean steady state of operations {management}. By analogy to system resources required for a container, the kernel should implement 4 elements: - Resource Management. - Process Isolation. - Security. - Tooling (CLI).
Resource management is provided by control groups (cgroups). Process isolation is provided by kernel namespaces. Security is provided by policy manager like: SELinux Overall management by Docker CLI.
Namespace: Wraps a global system resources in an abstraction. Changes are visible only inside the namespace. Kernel namespaces allow the new process to have its own hostname, IP address and a whole network stack, filesystem, PID, IPC stack, and even user mapping. The container to look a VM. Kernal space: Strictly reserved for running a privileged operating system kernel, kernel extensions, and most device drivers, the gate to this land is managed by CAP_SYS_ADMIN capability starting with kernel 2.2 [before it was the superuser, or root, ID 0]. User space [userland]: The memory area where application software and some drivers execute.
These interactions are managed by 3 syscall : clone setns unshare
Playing with Syscalls: clone: Creates a new process, in a manner similar to fork then creates new namespaces for every flag CLONE_NEW*. Unlike fork, the child process is allowed to share parts of its execution context with the calling process (the memory space, the table of file descriptors, the table of signal handlers…). setns: Allows the calling process to join an existing namespace. unshare: Moves the calling process to a new namespace in other words: disassociates parts of its execution context that are currently being shared with other processes (or threads).
Namespace Date Kernel version mount 2002 2.4.19 uts 2006 2.6.19 ipc 2006 2.6.19 pid 2008 2.6.24 net 2009 2.6.29 user 2013 3.8
MNT namespace: Isolate the set of filesystem mount points. Means that processes in different mount namespaces can have different views of the filesystem hierarchy. The container “thinks” that a directory which is actually mounted from the host OS is exclusive to the container. Interacting with this namespace is simply done by mount/umount syscalls. All about Isolation…
PID namespace: Isolate the process ID number space = processes in different "PID namespaces" can have the same PID. The container thinks it has a separate standalone instance of the OS. Technically, the new process created in a new namespace will be the famous PID 1 "init“. Inside the namespace fork/clone syscalls will produce processes with PIDs that are unique. This mechanism allows containers to provide functionality such as: suspending/resuming the set of processes. PID consistency on migration.
NETNS namespace: Logically another copy of the network stack, with its own routes, firewall rules, and network devices. It means each network namespace has its own network devices, IP addresses, IP routing tables, /proc/net directory, port numbers... It allows a container to have its own IP address, independent of that of the host.
UTS namespace [UNIX Time Sharing]: Historically the term "UTS" derives from the name of the structure passed to the uname() system call: struct utsname. {Initially the time sharing was invited to allow a large number of users to interact concurrently with a single computer by the sharing of a computing resource among many users by means of multiprogramming and multi-tasking at the same time}. This mechanism isolates two system identifiers nodename and domainname. It allows the containers to have its own separate identity {hostname and NIS domain name}.
IPC namespace: IPC (POSIX/SysV IPC) namespace provides isolation/separation of IPC resources: Named shared memory segments. Semaphores. Message queues. Why this need ? Shared memory segments are used to accelerate inter-process communication at memory speed, rather than through pipes or through the network stack. It is commonly used by databases and custom-built high performance applications for scientific computing and financial services industries. If these types of applications are broken into multiple containers, you might need to share the IPC mechanisms of the containers.
User namespace: The last namespace to be implemented, integrated in the kernel mainstream starting from 3.8 BUT in technical preview in almost all Linux distros. A process's user and group IDs can be different inside and outside a user namespace, that means a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace. Which in term of isolation, makes the user and group ID number spaces totally separated.
cgroups: Traditionally, all processes received similar amount of system resources and all the tuning goes through the process niceness value. A mechanism to organize processes hierarchically and distribute system resources — such as CPU time, system memory, network bandwidth, or combinations of these resources — along the hierarchy in a controlled and configurable manner. Every process belongs to one and only one cgroup. Initially, only the root cgroup exists to which all processes belong. All processes are put in the cgroup that the parent process belongs to at the time. Two parts of cgroups: 1. core: primarily responsible for hierarchically organizing processes. 2. controller: responsible for distributing or applying limits to a specific type of system resource.
blkio: sets limits on input/output access to and from block devices. cpu: uses the CPU scheduler to provide cgroup tasks an access to the CPU. cpuacct: creates automatic reports on CPU resources used by tasks in a cgroup. cpuset: assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup. devices: allows or denies access to devices for tasks in a cgroup. freezer: suspends or resumes tasks in a cgroup. memory: sets limits on memory used by tasks in a cgroup. net_cls: tags network packets with a class identifier (classid) that allows the traffic controller to identify packets originating from a particular cgroup task. perf_event: enables monitoring cgroups with the perf tool. hugetlb: allows to use virtual memory pages of large sizes, and to enforce resource limits on these pages.
Union filesystem: A stackable unification file system, which merges the contents of several directories (branches), while keeping their physical content separate. Builds file systems that operate by creating layers, allow files and directories of separate file systems {branches}, to be transparently overlaid, forming a single coherent file system. It allows any combination of read-only and read-write branches, as well as insertion and deletion of branches anywhere in the tree.
AUFS [Another Union File System]: Since V2 it stands for "advanced multi layered unification filesystem“. It was the first storage driver in use with Docker, developed in 2006 as a complete rewrite of the earlier UnionFS. According to Docker: AUFS is not included in the mainline (upstream) Linux kernel. It was rejected because of the dense, unreadable, and uncommented code.
OverlayFS: Merged in the Linux kernel in 2014, kernel version 3.18. The natural successor to aufs. Combines two filesystems - an 'upper' filesystem and a 'lower' filesystem. When a name exists in both filesystems, the object in the 'upper' filesystem is visible while the object in the 'lower' filesystem is either hidden or, in the case of directories, merged with the 'upper' object.
DeviceMapper [storage backend ]: Initially developed by Redhat as an alternative to AUFS. Based on snapshots. Uses allocate-on-demand.
Container format: Docker wraps all the previous components into an execution environment or driver called {container format}. Traditional container drivers: OpenVZ, systemd-nspawn, libvirt-lxc, libvirt-sandbox, qemu/kvm, BSD Jails, Solaris Zones, and even good old chroot. The new execution drivers: moving from libcontainer to runc & containerd.

More Related Content

PPTX
Docker
Ramchandra Koty
 
PPTX
Docker
Mindstorm Studios
 
PPTX
Understanding the container landscape and it associated projects
Anthony Chow
 
PPTX
Introduction to linux containers
Google
 
PDF
Evoluation of Linux Container Virtualization
Imesh Gunaratne
 
PDF
Kernel linux lab manual feb (1)
johny shaik
 
PPTX
Docker: Aspects of Container Isolation
allingeek
 
PDF
Docker Dojo
Hugo González Labrador
 
Docker
Ramchandra Koty
 
Docker
Mindstorm Studios
 
Understanding the container landscape and it associated projects
Anthony Chow
 
Introduction to linux containers
Google
 
Evoluation of Linux Container Virtualization
Imesh Gunaratne
 
Kernel linux lab manual feb (1)
johny shaik
 
Docker: Aspects of Container Isolation
allingeek
 
Docker Dojo
Hugo González Labrador
 

What's hot (20)

PDF
Docker internals
Rohit Jnagal
 
PPTX
Containerization (docker)
RadhikaKachhawa
 
PPTX
Linux container, namespaces & CGroup.
Neeraj Shrimali
 
PPTX
Survey of open source cloud architectures
abhinav vedanbhatla
 
PPTX
Introduction to automated environment management with Docker Containers - for...
Lucas Jellema
 
PDF
paper
Ankit Mishra
 
PDF
LXC NSAttach
Darshan Parmar
 
PDF
Linux containers-namespaces(Dec 2014)
Ralf Dannert
 
PDF
Linux cgroups and namespaces
Locaweb
 
PDF
Hack the whale
Marco Ferrigno
 
PDF
Microservices, Containers and Docker
Ioannis Papapanagiotou
 
PDF
Linuxcon Barcelon 2012: LXC Best Practices
christophm
 
PDF
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Jérôme Petazzoni
 
PDF
Unikernels Introduction
Pradipta Banerjee
 
PDF
Lxc- Introduction
Luís Eduardo
 
PPTX
Realizing Linux Containers (LXC)
Boden Russell
 
PDF
Docker storage drivers by Jérôme Petazzoni
Docker, Inc.
 
PPTX
Union FileSystem - A Building Blocks Of a Container
Knoldus Inc.
 
PDF
Docker 1.8: What's new
Ronak Kogta
 
PPTX
K ubuntu
Mayuresh Wadekar
 
Docker internals
Rohit Jnagal
 
Containerization (docker)
RadhikaKachhawa
 
Linux container, namespaces & CGroup.
Neeraj Shrimali
 
Survey of open source cloud architectures
abhinav vedanbhatla
 
Introduction to automated environment management with Docker Containers - for...
Lucas Jellema
 
paper
Ankit Mishra
 
LXC NSAttach
Darshan Parmar
 
Linux containers-namespaces(Dec 2014)
Ralf Dannert
 
Linux cgroups and namespaces
Locaweb
 
Hack the whale
Marco Ferrigno
 
Microservices, Containers and Docker
Ioannis Papapanagiotou
 
Linuxcon Barcelon 2012: LXC Best Practices
christophm
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Jérôme Petazzoni
 
Unikernels Introduction
Pradipta Banerjee
 
Lxc- Introduction
Luís Eduardo
 
Realizing Linux Containers (LXC)
Boden Russell
 
Docker storage drivers by Jérôme Petazzoni
Docker, Inc.
 
Union FileSystem - A Building Blocks Of a Container
Knoldus Inc.
 
Docker 1.8: What's new
Ronak Kogta
 
K ubuntu
Mayuresh Wadekar
 
Ad

Viewers also liked (7)

PDF
Tendencias del marketing pucp 2012
Roberto Alvarez
 
PDF
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
Publicis Sapient Engineering
 
PDF
A Gentle Introduction To Docker And All Things Containers
Jérôme Petazzoni
 
PPTX
Why Docker
dotCloud
 
PPTX
Docker introduction
dotCloud
 
PDF
Kubernetes Meetup Paris #5 - Metriques applicatives k8s
Arnaud MAZIN
 
PDF
Docker 101: Introduction to Docker
Docker, Inc.
 
Tendencias del marketing pucp 2012
Roberto Alvarez
 
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
Publicis Sapient Engineering
 
A Gentle Introduction To Docker And All Things Containers
Jérôme Petazzoni
 
Why Docker
dotCloud
 
Docker introduction
dotCloud
 
Kubernetes Meetup Paris #5 - Metriques applicatives k8s
Arnaud MAZIN
 
Docker 101: Introduction to Docker
Docker, Inc.
 
Ad

Similar to The building blocks of docker. (20)

PPTX
Cgroups, namespaces and beyond: what are containers made from?
Docker, Inc.
 
PDF
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Jérôme Petazzoni
 
PDF
GDG Cloud Iasi - Docker For The Busy Developer.pdf
athlonica
 
PDF
Docker containers : introduction
rinnocente
 
PDF
dotCloud (now Docker) Paas under the_hood
Susan Wu
 
PDF
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Docker, Inc.
 
PDF
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
dotCloud
 
PDF
Namespaces and cgroups - the basis of Linux containers
Kernel TLV
 
PPTX
Introduction to containers
Nitish Jadia
 
PPTX
Introduction to OS LEVEL Virtualization & Containers
Vaibhav Sharma
 
PPTX
Linux container internals
Ashwin Bilgi
 
PDF
LXC Containers and AUFs
Docker, Inc.
 
PDF
Scale11x lxc talk
dotCloud
 
PDF
ACM_Intro_Containers_Cloud.pdf Cloud.pdf
Trevor Roberts Jr.
 
PDF
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
Yandex
 
PDF
Lightweight Virtualization: LXC containers & AUFS
Jérôme Petazzoni
 
PDF
Creare Docker da zero con GoLang - Giulio De Donato
Codemotion
 
PDF
Docker Container: isolation and security
宇 傅
 
PDF
Advanced Namespaces and cgroups
Kernel TLV
 
PPTX
Containerization & Docker - Under the Hood
Imesha Sudasingha
 
Cgroups, namespaces and beyond: what are containers made from?
Docker, Inc.
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Jérôme Petazzoni
 
GDG Cloud Iasi - Docker For The Busy Developer.pdf
athlonica
 
Docker containers : introduction
rinnocente
 
dotCloud (now Docker) Paas under the_hood
Susan Wu
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Docker, Inc.
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
dotCloud
 
Namespaces and cgroups - the basis of Linux containers
Kernel TLV
 
Introduction to containers
Nitish Jadia
 
Introduction to OS LEVEL Virtualization & Containers
Vaibhav Sharma
 
Linux container internals
Ashwin Bilgi
 
LXC Containers and AUFs
Docker, Inc.
 
Scale11x lxc talk
dotCloud
 
ACM_Intro_Containers_Cloud.pdf Cloud.pdf
Trevor Roberts Jr.
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
Yandex
 
Lightweight Virtualization: LXC containers & AUFS
Jérôme Petazzoni
 
Creare Docker da zero con GoLang - Giulio De Donato
Codemotion
 
Docker Container: isolation and security
宇 傅
 
Advanced Namespaces and cgroups
Kernel TLV
 
Containerization & Docker - Under the Hood
Imesha Sudasingha
 

Recently uploaded (20)

PPTX
CURRICULAM DESIGN engineering FOR CSE 2025.pptx
Amuda3
 
PDF
Abrasive, erosive and cavitation wear.pdf
nfandraden
 
PDF
distributed database system" (DDBS) is often used to refer to both the distri...
Hemlathadhevi Annadhurai
 
PDF
22EC502-MICROCONTROLLER AND INTERFACING-8051 MICROCONTROLLER.pdf
RajalakshmiSermadura
 
PPTX
CyberSecurity Mobile and Wireless Devices
RobinRohit2
 
PDF
Human-AI Collaboration: Balancing Agentic AI and Autonomy in Hybrid Systems
ijccsa
 
PPTX
Graph Data Structures with Types, Traversals, Connectivity, and Real-Life App...
usham61
 
PDF
Artificial Superintelligence (ASI) Alliance Vision Paper.pdf
SonaliPatil325517
 
PPTX
Module 8- Technological and Communication Skills.pptx
Ramya Nellutla
 
PDF
Categorization of Factors Affecting Classification Algorithms Selection
IJDKP
 
PPTX
communication and presentation skills 01
CdtAfrazAttaullah
 
PDF
Improvement effect of pyrolyzed agro-food biochar on the properties of.pdf
LasFernandaJuchem
 
PPTX
Amdahl’s law is explained in the above power point presentations
sangeetha952248
 
PDF
EXPLORING LEARNING ENGAGEMENT FACTORS INFLUENCING BEHAVIORAL, COGNITIVE, AND ...
johnmathew9417
 
PPTX
Fundamentals of Mechanical Engineering.pptx
MdMowdudAhmed
 
PPTX
AUTOMOTIVE ENGINE MANAGEMENT (MECHATRONICS).pptx
joanaabban6
 
PPTX
"Array and Linked List in Data Structures with Types, Operations, Implementat...
usham61
 
PPTX
ASME PCC-02 TRAINING -DESKTOP-NLE5HNP.pptx
laxmikantvjawale
 
PDF
UNIT no 1 INTRODUCTION TO DBMS NOTES.pdf
pawarbhaktiit
 
PDF
III.4.1.2_The_Space_Environment.p pdffdf
sittiporn2
 
CURRICULAM DESIGN engineering FOR CSE 2025.pptx
Amuda3
 
Abrasive, erosive and cavitation wear.pdf
nfandraden
 
distributed database system" (DDBS) is often used to refer to both the distri...
Hemlathadhevi Annadhurai
 
22EC502-MICROCONTROLLER AND INTERFACING-8051 MICROCONTROLLER.pdf
RajalakshmiSermadura
 
CyberSecurity Mobile and Wireless Devices
RobinRohit2
 
Human-AI Collaboration: Balancing Agentic AI and Autonomy in Hybrid Systems
ijccsa
 
Graph Data Structures with Types, Traversals, Connectivity, and Real-Life App...
usham61
 
Artificial Superintelligence (ASI) Alliance Vision Paper.pdf
SonaliPatil325517
 
Module 8- Technological and Communication Skills.pptx
Ramya Nellutla
 
Categorization of Factors Affecting Classification Algorithms Selection
IJDKP
 
communication and presentation skills 01
CdtAfrazAttaullah
 
Improvement effect of pyrolyzed agro-food biochar on the properties of.pdf
LasFernandaJuchem
 
Amdahl’s law is explained in the above power point presentations
sangeetha952248
 
EXPLORING LEARNING ENGAGEMENT FACTORS INFLUENCING BEHAVIORAL, COGNITIVE, AND ...
johnmathew9417
 
Fundamentals of Mechanical Engineering.pptx
MdMowdudAhmed
 
AUTOMOTIVE ENGINE MANAGEMENT (MECHATRONICS).pptx
joanaabban6
 
"Array and Linked List in Data Structures with Types, Operations, Implementat...
usham61
 
ASME PCC-02 TRAINING -DESKTOP-NLE5HNP.pptx
laxmikantvjawale
 
UNIT no 1 INTRODUCTION TO DBMS NOTES.pdf
pawarbhaktiit
 
III.4.1.2_The_Space_Environment.p pdffdf
sittiporn2
 

The building blocks of docker.

  • 1. Ready to get shipped? By Chafik Belhaoues @XebiaFr
  • 2. Introduction [History & newness of the idea]1 Anatomy of the building blocks2 Namespaces3 cgroups5 Storage backends6 Execution environments7
  • 3. A little bit of history: The marine containers have been created in 1956 par Malcom Mclean in NewYork, just because time is money (-90% of transport costs). BEFORE AFTER
  • 4. Did the containerization {concept} exist before Docker? OH YEAH…
  • 6. The need of containerization: Develop, ship, and run applications {everywhere}. Concept? Product? Life-cycle engine? …you said {DevOps} tool? A single, runnable, distributable executable. What is the difference with the other form of virtualization then? Open source [CS version]. Not OS-related [theoretically]. No hypervisor needed. A different [new] vision of IT. Closer to the most IT needs.
  • 7. Hardware-centric: A VM packages a full stack (virtual hardware, kernel, a user space). Designed with machine operators in mind, not software developers. VMs offer no facilities for application versioning, monitoring, configuration, logging or service discovery… Application-centric: Packages only the user space; there is no kernel or virtual hardware. Sandboxing method known as containerization = Application virtualization.
  • 8. Overview: Docker is based on a client-server architecture. The client {user commands} talks to the Docker Daemon. Daemon: runs on a host machine. Client: accepts commands from the user and communicates back and forth with a Docker Daemon using API. 3 components involved: build..ship..run Images: a read-only template, images are the build component of Docker. Registries: hold images, the distribution component of Docker. Containers: holds everything that is needed for an application to run, the run component of Docker
  • 9. Combination: A container consists of a read-only image based on a given operating system, user-added files, and meta-data.
  • 10. Anatomy of the building blocks: Apartment complex analogy: 1. Each apartment will require water and electricity and these resources should be distributed fairly {resources}. 2. The apartments are isolated with walls to keep people separate from their respective neighbors {isolation}. 3. Each apartment also has a door, lock, and keys {security}. 4. Finally, most apartment complexes benefit from a manager who works to ensure a consistent and clean steady state of operations {management}. By analogy to system resources required for a container, the kernel should implement 4 elements: - Resource Management. - Process Isolation. - Security. - Tooling (CLI).
  • 11. Resource management is provided by control groups (cgroups). Process isolation is provided by kernel namespaces. Security is provided by policy manager like: SELinux Overall management by Docker CLI.
  • 12. Namespace: Wraps a global system resources in an abstraction. Changes are visible only inside the namespace. Kernel namespaces allow the new process to have its own hostname, IP address and a whole network stack, filesystem, PID, IPC stack, and even user mapping. The container to look a VM. Kernal space: Strictly reserved for running a privileged operating system kernel, kernel extensions, and most device drivers, the gate to this land is managed by CAP_SYS_ADMIN capability starting with kernel 2.2 [before it was the superuser, or root, ID 0]. User space [userland]: The memory area where application software and some drivers execute.
  • 13. These interactions are managed by 3 syscall : clone setns unshare
  • 14. Playing with Syscalls: clone: Creates a new process, in a manner similar to fork then creates new namespaces for every flag CLONE_NEW*. Unlike fork, the child process is allowed to share parts of its execution context with the calling process (the memory space, the table of file descriptors, the table of signal handlers…). setns: Allows the calling process to join an existing namespace. unshare: Moves the calling process to a new namespace in other words: disassociates parts of its execution context that are currently being shared with other processes (or threads).
  • 15. Namespace Date Kernel version mount 2002 2.4.19 uts 2006 2.6.19 ipc 2006 2.6.19 pid 2008 2.6.24 net 2009 2.6.29 user 2013 3.8
  • 16. MNT namespace: Isolate the set of filesystem mount points. Means that processes in different mount namespaces can have different views of the filesystem hierarchy. The container “thinks” that a directory which is actually mounted from the host OS is exclusive to the container. Interacting with this namespace is simply done by mount/umount syscalls. All about Isolation…
  • 17. PID namespace: Isolate the process ID number space = processes in different "PID namespaces" can have the same PID. The container thinks it has a separate standalone instance of the OS. Technically, the new process created in a new namespace will be the famous PID 1 "init“. Inside the namespace fork/clone syscalls will produce processes with PIDs that are unique. This mechanism allows containers to provide functionality such as: suspending/resuming the set of processes. PID consistency on migration.
  • 18. NETNS namespace: Logically another copy of the network stack, with its own routes, firewall rules, and network devices. It means each network namespace has its own network devices, IP addresses, IP routing tables, /proc/net directory, port numbers... It allows a container to have its own IP address, independent of that of the host.
  • 19. UTS namespace [UNIX Time Sharing]: Historically the term "UTS" derives from the name of the structure passed to the uname() system call: struct utsname. {Initially the time sharing was invited to allow a large number of users to interact concurrently with a single computer by the sharing of a computing resource among many users by means of multiprogramming and multi-tasking at the same time}. This mechanism isolates two system identifiers nodename and domainname. It allows the containers to have its own separate identity {hostname and NIS domain name}.
  • 20. IPC namespace: IPC (POSIX/SysV IPC) namespace provides isolation/separation of IPC resources: Named shared memory segments. Semaphores. Message queues. Why this need ? Shared memory segments are used to accelerate inter-process communication at memory speed, rather than through pipes or through the network stack. It is commonly used by databases and custom-built high performance applications for scientific computing and financial services industries. If these types of applications are broken into multiple containers, you might need to share the IPC mechanisms of the containers.
  • 21. User namespace: The last namespace to be implemented, integrated in the kernel mainstream starting from 3.8 BUT in technical preview in almost all Linux distros. A process's user and group IDs can be different inside and outside a user namespace, that means a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace. Which in term of isolation, makes the user and group ID number spaces totally separated.
  • 22. cgroups: Traditionally, all processes received similar amount of system resources and all the tuning goes through the process niceness value. A mechanism to organize processes hierarchically and distribute system resources — such as CPU time, system memory, network bandwidth, or combinations of these resources — along the hierarchy in a controlled and configurable manner. Every process belongs to one and only one cgroup. Initially, only the root cgroup exists to which all processes belong. All processes are put in the cgroup that the parent process belongs to at the time. Two parts of cgroups: 1. core: primarily responsible for hierarchically organizing processes. 2. controller: responsible for distributing or applying limits to a specific type of system resource.
  • 23. blkio: sets limits on input/output access to and from block devices. cpu: uses the CPU scheduler to provide cgroup tasks an access to the CPU. cpuacct: creates automatic reports on CPU resources used by tasks in a cgroup. cpuset: assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup. devices: allows or denies access to devices for tasks in a cgroup. freezer: suspends or resumes tasks in a cgroup. memory: sets limits on memory used by tasks in a cgroup. net_cls: tags network packets with a class identifier (classid) that allows the traffic controller to identify packets originating from a particular cgroup task. perf_event: enables monitoring cgroups with the perf tool. hugetlb: allows to use virtual memory pages of large sizes, and to enforce resource limits on these pages.
  • 24. Union filesystem: A stackable unification file system, which merges the contents of several directories (branches), while keeping their physical content separate. Builds file systems that operate by creating layers, allow files and directories of separate file systems {branches}, to be transparently overlaid, forming a single coherent file system. It allows any combination of read-only and read-write branches, as well as insertion and deletion of branches anywhere in the tree.
  • 25. AUFS [Another Union File System]: Since V2 it stands for "advanced multi layered unification filesystem“. It was the first storage driver in use with Docker, developed in 2006 as a complete rewrite of the earlier UnionFS. According to Docker: AUFS is not included in the mainline (upstream) Linux kernel. It was rejected because of the dense, unreadable, and uncommented code.
  • 26. OverlayFS: Merged in the Linux kernel in 2014, kernel version 3.18. The natural successor to aufs. Combines two filesystems - an 'upper' filesystem and a 'lower' filesystem. When a name exists in both filesystems, the object in the 'upper' filesystem is visible while the object in the 'lower' filesystem is either hidden or, in the case of directories, merged with the 'upper' object.
  • 27. DeviceMapper [storage backend ]: Initially developed by Redhat as an alternative to AUFS. Based on snapshots. Uses allocate-on-demand.
  • 28. Container format: Docker wraps all the previous components into an execution environment or driver called {container format}. Traditional container drivers: OpenVZ, systemd-nspawn, libvirt-lxc, libvirt-sandbox, qemu/kvm, BSD Jails, Solaris Zones, and even good old chroot. The new execution drivers: moving from libcontainer to runc & containerd.