Understanding containers

The release of Docker triggered a major shift in the way the software development industry aspires to package and deploy modern applications. Many competing, complementary and supporting container technologies have followed in the wake of Docker. But what is a container?

You might have thought of one or more of:

  • A way to share resources
  • Process Isolation
  • Kind of like lightweight virtualization
  • Packaging a root filesystem and metadata together
  • Kind of like a chroot jail
  • Something shipping container something
  • Whatever docker does

The word "container" is used both for the analogy of containerization and for the technologies used to implement it. If we consider these separately, we get a clearer picture.

Foundation

Linux kernel technologies form the foundation for building and running containers on your system. These include:

  1. Namespaces
  2. Control groups (cgroups)
  3. Seccomp
  4. SELinux

Linux technologies that contribute to containers

Namespaces

Namespaces provide a layer of isolation for containers by giving each container a view of what appears to be its own Linux system. This limits what a process can see and therefore restricts the resources available to it. There are – at the time of writing – six namespaces:

  • User – isolates users and groups within a container
  • Mnt – allows the containers to have their own view of the system’s file system hierarchy
  • UTS – allows containers to have a unique hostname and domain name
  • IPC – allows different container processes to communicate by accessing a shared range of memory or using a shared message queue
  • PID – isolates process IDs, so that processes running inside a container cannot see or address processes outside it
  • Net – isolates the network stack, so that processes running inside a container have their own interfaces and ports, separate from the host's
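The kernel exposes the namespace each process belongs to as a symlink under /proc/&lt;pid&gt;/ns/, whose target names the namespace inode. Two processes are in the same namespace exactly when those inodes match, which is how a host-side tool tells a container's processes from the host's. The following C program is an added example, not code from the original post: it parses those links and compares the namespaces of two processes. It assumes a Linux host with /proc mounted; reading another process's links (pid 1 in the demo) needs ptrace-level access to that process, which the code reports as "unknown" rather than guessing.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse the target of a /proc/<pid>/ns/<type> symlink, e.g. "pid:[4026531836]",
 * and return the namespace inode number, or 0 if the text is not in that form. */
unsigned long parse_ns_link(const char *link)
{
    const char *open = strchr(link, '[');
    if (open == NULL)
        return 0;
    char *end = NULL;
    errno = 0;
    unsigned long ino = strtoul(open + 1, &end, 10);
    if (errno != 0 || end == open + 1 || *end != ']')
        return 0;
    return ino;
}

/* Read the namespace inode of one type ("user", "mnt", "uts", "ipc", "pid", "net")
 * for a process. Returns 0 when the link cannot be read: no such pid, or no
 * permission (inspecting another process's ns links requires ptrace access). */
unsigned long ns_inode(pid_t pid, const char *type)
{
    char path[64];
    char buf[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, type);
    ssize_t n = readlink(path, buf, sizeof buf - 1);
    if (n < 0)
        return 0;
    buf[n] = '\0';
    return parse_ns_link(buf);
}

/* 1 if both processes share the namespace of the given type, 0 if they do not,
 * -1 if either process could not be inspected. A process inside a container
 * normally shows a different pid/mnt/net inode from pid 1 on the host. */
int same_namespace(pid_t a, pid_t b, const char *type)
{
    unsigned long ia = ns_inode(a, type);
    unsigned long ib = ns_inode(b, type);
    if (ia == 0 || ib == 0)
        return -1;
    return ia == ib;
}

int main(void)
{
    /* Compare this process with pid 1 for each of the six namespace types. */
    const char *types[] = { "user", "mnt", "uts", "ipc", "pid", "net" };
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        int r = same_namespace(getpid(), 1, types[i]);
        printf("%-4s self=%lu  shared with pid 1: %s\n", types[i],
               ns_inode(getpid(), types[i]),
               r < 0 ? "unknown (no access to pid 1)" : (r ? "yes" : "no"));
    }
    return 0;
}
```

Run it on the host and again inside a container: on the host every row reads "yes", while inside a container the mnt, uts, ipc, pid and net rows read "no" (and user reads "no" only if the runtime was configured with user namespaces).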

Control groups (cgroups)

Cgroups are fundamental building blocks of a container. A cgroup allocates and limits the resources, such as CPU, memory and network I/O, that a container may use.

Seccomp

Seccomp stands for secure computing mode. It is a Linux kernel feature used to restrict the set of system calls that an application is allowed to make. The default seccomp profile for Docker, for example, disables around 44 syscalls (over 300 are available).

SELinux

SELinux lets you restrict an application to accessing only its own files and prevents any other process from accessing them. So, if an application is compromised, this limits the number of files it can affect or control.

Besides these four Linux technologies, containers also use layered filesystems, which are how we can efficiently move whole machine images around.
