What is a container?
With all the talks and conferences going on these days about containers, this is my small effort to explain what containers are.
When I heard about containers for the first time, I was actually very confused. There were different questions coming to my mind like, “So, is container a process?” and “I have heard about Docker and LXC, so is a container just a Docker?”
What I realised with time is that the word “container” doesn’t mean anything specific. Basically, in a very simplified way, we add a few new Linux features (namespaces and cgroups) that let us isolate processes from each other. When you use those features, you call it ‘containers’.
These features let you pretend that you have something like a virtual machine. Except that it’s not a virtual machine at all. It’s just a process running in the same Linux kernel.
Let’s assume, we need to have something like a virtual machine. One feature we might want is – my processes should be separated from the other processes on the computer. This is where namespace comes.
In Linux, processes form a single hierarchy with all processes rooting init. And usually privileged processes in this tree can trace or kill other processes. Linux namespace enables us to have many hierarchies of processes with their own “subtrees” such that processes in one subtree can’t access or even know about those in the other one.
Different kinds of Namespaces
- In a pid, namespace can become PID 1
- In a ‘networking namespace’, you can run programs on any port you want without it conflicting with what’s already running
- In a mount namespace, you can mount and unmount filesystems without it affecting the host filesystem
Now that we have separated the new process with namespace, there rises another question. What if we want to limit how much memory or CPU one of my programs is using?
So this is where cgroups comes.
In short, control groups (c-groups) are a Linux kernel feature which limit, isolate and measure resource usage of a group of processes. Resource quotas for memory, CPU, network, and IO can be set. These were made to be a part of Linux kernel in Linux 2.6.24. Although Linux is excellent at handling and sharing available resources between processes, there are times when we want to make sure that certain amount of resources are limited to a group of processes. Therefore, we do this with cgroups.
That’s all Docker is! Docker Containers have a lot of features these days but a lot of its features are built on these basic Linux kernel features.
Also published on Medium.