Building Blocks of Docker Containers

Building Blocks of Docker Containers

Learn about Cgroups, namespaces, and UnionFS

Sep 26, 20183 min read

Overview

Docker is an open platform which enables you to package, ship and run your applications and infrastructures independent of each other. Docker provides the ability to package and run an application in an isolated environment called a container. Basically, containers are application packaging and delivery technology, which helps applications in a system run in isolation and deploy applications using images.

Docker takes advantage of several features of the Linux kernel as building blocks to deliver its functionality. Docker implements containers using core Linux technologies such as Control Groups (Cgroups) for resource management, Namespaces for process isolation and UnionFS for updating image file system.

Namespaces:

A namespace is a naming system that wraps a particular global system resource in an abstraction. These abstractions make the system resources appear as separated instances. The kernel creates separate namespaces for each container. Consequently, a process in a namespace can use a system resource simultaneously with a process in another namespace without creating a conflict. This is how multiple containers run within a system.

The Docker Engine most commonly uses the following Linux namespaces:

  • pid : The ProcessID namespace allows processes in different containers to have the same PID. For example, PID 1 is the init process which is used by all containers for starting and shutting down. PID namespace allows the process to be run on all containers but only affecting that specific container.
  • net : The Networking namespace provides isolation of system resources associated with networking like network controllers, firewalls, routing tables, etc. This allows different containers to use the same system resources under different namespace.
  • ipc : The InterProcess Communication namespace allow isolation of certain interprocess communication resources such as System V IPC objects and POSIX message queues. IPC namespace lets containers create shared memory segments and semaphores with the same name, but are not able to interact with other containers’ memory segments or shared memory.
  • mnt : The Mount namespace helps isolate the file system mount points so that the process in different mount namespaces can have different views of the file system hierarchy. Each container can have its own /tmp or /var directory or even have an entirely different user namespace.
  • uts : The Unix Timesharing System namespace isolates kernel and version identifiers. This allows each container to have its own hostname and NIS(Network Information System) domain name, which is useful for initialization and configuration scripts based on these names.

Cgroups:

Control groups allow Docker Engine to share available hardware resources between containers and optionally enforce limits and constraints. Cgroups can allocate resources such as CPU time, system memory, network bandwidth, etc. For example, cgroups use process number controller to prevent an explosion in the number of PIDs in your container.

UnionFS:

UnionFS is a filesystem service for Linux which implements a union mount for other file systems. Union mounting is a way of combining multiple files and directories from different file systems into one single coherent file system that contains their combined contents. Docker uses UnionFS to create a writable file system on your disk combined with a base image. Updates in this new file system can be layered on top of the Docker base image and create a new image with your updates.

In s nutshell:

Docker utilizes underlying Linux technology as building blocks to make containers functional. These building blocks help docker manage resources better, isolate multiple processes and mount files for deploying images. Understanding these Linux features will help you understand Docker better and use them more efficiently.

Happy Containerizing!