What Docker is, and how it is just a group of Linux technologies working together.
Understanding the Internal Working of Docker
Docker has revolutionised the way we build, ship, and run applications. It packages an application together with its dependencies into lightweight, portable containers and runs them on top of a container runtime.
But what exactly is a container runtime, and how does Docker achieve the magic of isolation, reproducibility, and efficiency? At its core, Docker is a masterful orchestration of several Linux features working harmoniously. Let’s dive into the internal workings of Docker and demystify its inner mechanics.
What is Docker?
Docker is a platform that simplifies the process of creating and managing containers. Containers are isolated environments that package an application and all its dependencies, so the application behaves the same wherever it runs. This isolation is what makes containers so powerful, enabling developers to build once and run anywhere. It is worth being precise about what the isolation is not: every container shares the host's kernel, and the boundary is enforced by that kernel rather than by a hypervisor, which is why the kernel features described below are also the container's security boundary.
However, Docker is not a standalone technology. It leverages existing Linux kernel features to provide the functionality that containers need.
Core Linux Features Behind Docker
Docker's functionality is built upon a few key Linux technologies:
Namespaces: Isolation of Resources

Namespaces provide the fundamental isolation that Docker containers rely on. They isolate various aspects of the operating system so that each container has its own independent view of system resources. Key namespaces used by Docker include:

PID Namespace: Isolates process IDs so that processes inside a container see only their own processes, and the container's first process is PID 1 of its own process tree.
Network Namespace: Provides each container with its own network stack, including interfaces, IP addresses, routing tables, and firewall rules.
Mount Namespace: Gives each container its own set of mount points, so its root filesystem is separate from the host's.
UTS Namespace: Allows containers to have their own hostname and domain name.
IPC Namespace: Isolates interprocess communication mechanisms such as System V shared memory and POSIX message queues.
User Namespace: Maps UIDs and GIDs inside the container to unprivileged IDs on the host. Docker supports this (userns-remap, and rootless mode relies on it), but a default rootful installation does not enable it, so a process running as root inside a default container is uid 0 on the host as well, held back only by capabilities, seccomp, and the other namespaces.
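To see namespaces from a process's own point of view, the following added example (not code from the article) reads the namespace links the kernel exposes under /proc/<pid>/ns/ and reports which namespaces differ between the calling process and PID 1. Two processes that share a namespace see the same inode in the link target (for example `pid:[4026531836]`); different inodes mean separate namespaces. Run it on the host and then inside a container to compare. The `NS_KINDS` list and the helper names are this example's own choices.

```python
"""Inspect which Linux namespaces a process lives in (added example, not from the article).

The kernel exposes each process's namespaces as magic symlinks:
/proc/<pid>/ns/<kind> -> "<kind>:[<inode>]". Equal inodes mean a shared
namespace; a container's processes show different inodes from PID 1 for
every kind the runtime unshared.
"""
import os
import re
from typing import Dict, List, Tuple

# Namespace kinds a container runtime typically unshares (user and cgroup
# are optional in Docker; see the text above).
NS_KINDS = ("pid", "net", "mnt", "uts", "ipc", "user", "cgroup")

_LINK_RE = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(target: str) -> Tuple[str, int]:
    """Parse a readlink() result such as 'pid:[4026531836]' into ('pid', 4026531836)."""
    m = _LINK_RE.match(target)
    if not m:
        raise ValueError(f"unexpected namespace link: {target!r}")
    return m.group("kind"), int(m.group("inode"))


def namespace_ids(pid) -> Dict[str, int]:
    """Return {kind: inode} for every namespace of pid that we are allowed to read.

    Reading another process's ns links needs ptrace-level access to it, so kinds
    we cannot read are omitted rather than raising. pid may be 'self'.
    """
    ids: Dict[str, int] = {}
    for kind in NS_KINDS:
        try:
            _, inode = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
        except OSError:            # EACCES, ENOENT (old kernel, non-Linux), EINVAL
            continue
        ids[kind] = inode
    return ids


def differing_namespaces(a: Dict[str, int], b: Dict[str, int]) -> List[str]:
    """Namespace kinds present in both maps whose inodes differ, i.e. not shared."""
    return sorted(k for k in a.keys() & b.keys() if a[k] != b[k])


if __name__ == "__main__":
    mine = namespace_ids("self")
    init = namespace_ids(1)
    print("own namespaces:", mine)
    if init:
        diff = differing_namespaces(mine, init)
        print("differ from PID 1:", diff or "none (not namespaced relative to init)")
    else:
        print("cannot read PID 1's namespaces (needs CAP_SYS_PTRACE over PID 1)")
```

Inside a default Docker container the script reports pid, net, mnt, uts and ipc as differing from PID 1 (which is the container's own first process, so in practice you would compare against a host PID from outside), while user normally matches the host because the user namespace is not unshared by default.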
Control Groups (cgroups): Resource Management

Control groups are used to allocate, prioritise, and limit resources such as CPU time, memory, block I/O, and the number of processes for each container (docker run --cpus, --memory, --pids-limit). This ensures that a container cannot consume more than it has been allocated, so one runaway or malicious container (a fork bomb, a memory hog) cannot starve the host or its neighbours. Cgroups do not by themselves impose network bandwidth limits; that is done with traffic control (tc) outside Docker.
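The limits set with those flags end up as plain text files in the container's cgroup directory. The following added example (not code from the article or from Docker) parses the cgroup v2 files cpu.max, memory.max and pids.max so a process can learn what it is actually allowed to use. It assumes a cgroup v2 ("unified") host, where /proc/self/cgroup holds a single `0::/<path>` line and the controller files live under /sys/fs/cgroup/<path>/; the sample file contents used for checking are constructed.

```python
"""Read the cgroup v2 limits that apply to the calling process (added example).

docker run --cpus / --memory / --pids-limit are written by the runtime into
cpu.max, memory.max and pids.max of the container's cgroup. This parses the
file formats and reads the calling process's own cgroup. Assumes cgroup v2.
"""
from pathlib import Path
from typing import Dict, Optional

CGROUP_ROOT = Path("/sys/fs/cgroup")


def parse_cpu_max(text: str) -> Optional[float]:
    """cpu.max holds '<quota> <period>' in microseconds, or 'max <period>' for no limit.

    Returns the allowance as a number of CPUs (0.5 for --cpus=0.5), or None if unlimited.
    """
    quota, period = text.split()
    if quota == "max":
        return None
    return int(quota) / int(period)


def parse_count_max(text: str) -> Optional[int]:
    """memory.max (bytes) and pids.max (count) hold an integer, or 'max' when unlimited."""
    text = text.strip()
    return None if text == "max" else int(text)


def own_cgroup_path(proc_cgroup: str) -> str:
    """Extract <path> from the '0::/<path>' line of /proc/self/cgroup (cgroup v2 only)."""
    for line in proc_cgroup.splitlines():
        hierarchy_id, _controllers, path = line.split(":", 2)
        if hierarchy_id == "0":
            return path
    raise ValueError("no cgroup v2 entry in /proc/self/cgroup (host may still be on v1)")


def limits_from_files(files: Dict[str, Optional[str]]) -> Dict[str, Optional[float]]:
    """Turn {filename: contents or None} into effective limits; a missing file means no limit."""
    cpu, mem, pids = files.get("cpu.max"), files.get("memory.max"), files.get("pids.max")
    return {
        "cpus": parse_cpu_max(cpu) if cpu else None,
        "memory_bytes": parse_count_max(mem) if mem else None,
        "pids": parse_count_max(pids) if pids else None,
    }


def read_limits(cgroup_dir: Path) -> Dict[str, Optional[float]]:
    """Read the three control files from a cgroup directory and interpret them."""
    files = {}
    for name in ("cpu.max", "memory.max", "pids.max"):
        p = cgroup_dir / name
        files[name] = p.read_text() if p.is_file() else None
    return limits_from_files(files)


if __name__ == "__main__":
    rel = own_cgroup_path(Path("/proc/self/cgroup").read_text())
    # Inside a container with a private cgroup namespace rel is "/", so this resolves
    # to /sys/fs/cgroup itself, which is then the container's own cgroup.
    print(read_limits(CGROUP_ROOT / rel.lstrip("/")))
```

A container started with `--cpus=0.5 --memory=512m --pids-limit=100` prints `{'cpus': 0.5, 'memory_bytes': 536870912, 'pids': 100}`; an unlimited one prints None for each, which is worth flagging in a hardening review.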
Union File Systems: Layered Filesystems

Docker uses union filesystems (e.g., OverlayFS) to implement its layered architecture. Each Docker image consists of multiple read-only layers stacked on top of each other, plus a thin writable layer for each running container; a lookup walks the stack from the top down, and the first layer that contains the file wins. This approach allows for:

Efficiency: Common layers can be shared across images and containers, reducing storage usage and pull time.
Speed: Changes are stored as new layers, enabling rapid builds, cached rebuilds, and rollbacks.

One consequence practitioners should remember: deleting a file in a later layer only adds a "whiteout" marker that hides it; the bytes remain in the lower layer and are shipped with the image. A secret copied in one Dockerfile step and removed in a later one is still inside the image.
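The following added example is a toy model of that lookup rule; it is not code from the article and not OverlayFS itself, but it applies the same rules: search from the top layer down, first hit wins, writes go only to the top layer, and a deletion is recorded as a whiteout marker (`.wh.<name>`, the marker name used in the OCI image layer format) instead of touching lower layers. It also shows the "deleted secret is still in the image" effect directly. The paths and the secret value are constructed.

```python
"""Toy model of how a layered (union) filesystem resolves a path (added example).

Not OverlayFS, but the same rules: layers[-1] is the top (writable) layer,
lookups walk top-down, the first layer holding the entry wins, and deletions
leave a whiteout marker that hides the lower copy without removing its bytes.
"""
from typing import Dict, List, Optional

Layer = Dict[str, bytes]        # path -> content; a whiteout entry maps to b""
WHITEOUT_PREFIX = ".wh."        # OCI layer format: /app/.wh.secret.key hides /app/secret.key


def whiteout_for(path: str) -> str:
    directory, _, name = path.rpartition("/")
    return f"{directory}/{WHITEOUT_PREFIX}{name}"


def is_whiteout(path: str) -> bool:
    return path.rpartition("/")[2].startswith(WHITEOUT_PREFIX)


def resolve(layers: List[Layer], path: str) -> Optional[bytes]:
    """Content of path in the merged view, or None if absent or hidden by a whiteout."""
    wh = whiteout_for(path)
    for layer in reversed(layers):          # top layer first
        if wh in layer:
            return None                     # deleted at this level; lower layers are not consulted
        if path in layer:
            return layer[path]
    return None


def write(layers: List[Layer], path: str, content: bytes) -> None:
    """Copy-on-write: the new content lands in the top layer; lower layers never change."""
    top = layers[-1]
    top.pop(whiteout_for(path), None)       # re-creating a deleted file cancels its whiteout
    top[path] = content


def delete(layers: List[Layer], path: str) -> None:
    """Remove from the top layer; if a lower layer still has the file, hide it with a whiteout."""
    top = layers[-1]
    top.pop(path, None)
    if any(path in layer for layer in layers[:-1]):
        top[whiteout_for(path)] = b""


def merged_view(layers: List[Layer]) -> Dict[str, bytes]:
    """What a process inside the container sees: every visible path and its content."""
    paths = {p for layer in layers for p in layer if not is_whiteout(p)}
    return {p: c for p in sorted(paths) if (c := resolve(layers, p)) is not None}


def hidden_but_present(layers: List[Layer]) -> List[str]:
    """Paths hidden from the merged view whose bytes still sit in some layer of the image."""
    visible = merged_view(layers)
    return sorted({p for layer in layers for p in layer if not is_whiteout(p) and p not in visible})


if __name__ == "__main__":
    image = [
        {"/etc/hostname": b"base\n", "/app/main": b"\x7fELF..."},   # base layer
        {"/app/secret.key": b"EXAMPLE-NOT-A-REAL-KEY"},             # COPY secret.key step
    ]
    container = image + [{}]                                         # container's writable layer
    delete(container, "/app/secret.key")                            # RUN rm /app/secret.key
    print(sorted(merged_view(container)))     # ['/app/main', '/etc/hostname']
    print(hidden_but_present(container))      # ['/app/secret.key']: still shipped in the lower layer
```

The same reasoning applies to `docker history` and to tools that scan image layers individually: a file that a container cannot see can still be pulled out of the image tarball.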
Linux Capabilities: Fine-Grained Privileges

Root on Linux is not a single privilege but a set of about forty capabilities (CAP_NET_ADMIN, CAP_SYS_ADMIN, CAP_CHOWN, and so on). By default a Docker container's processes run as root, but with the bounding set cut down to a short list of capabilities (such as CAP_CHOWN, CAP_NET_BIND_SERVICE, and CAP_KILL) and everything else dropped, including CAP_SYS_ADMIN and CAP_SYS_MODULE. This shrinks the attack surface: even a root shell inside the container cannot load kernel modules or mount filesystems. The set can be narrowed further with --cap-drop (ideally --cap-drop ALL followed by --cap-add for exactly what the workload needs), while --privileged restores all of them and should be treated as handing out host root.
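The kernel reports each thread's capability sets in /proc/<pid>/status as hexadecimal bitmasks (CapInh, CapPrm, CapEff, CapBnd, CapAmb), where bit N set means capability number N is held. The following added example (not code from the article or from Docker) decodes such a mask using the numbering from <linux/capability.h> and compares it with Docker's 14-capability default, which decodes to 0x00000000a80425fb. The sample status text used for checking is constructed.

```python
"""Decode Linux capability bitmasks from /proc/<pid>/status (added example, not from the article).

Bit N of CapEff (and the other Cap* fields) means capability number N is held.
The table follows <linux/capability.h>; index == capability number.
"""
import re
from typing import FrozenSet, List

CAP_NAMES = (
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",       # 0-3
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID",                      # 4-7
    "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE",              # 8-10
    "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",       # 11-14
    "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",      # 15-18
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT",        # 19-22
    "CAP_SYS_NICE", "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG",  # 23-26
    "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL",          # 27-30
    "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",          # 31-34
    "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON",    # 35-38
    "CAP_BPF", "CAP_CHECKPOINT_RESTORE",                                        # 39-40
)

# The bounding set a non-privileged Docker container starts with (mask 0x00000000a80425fb).
DOCKER_DEFAULT_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
})


def decode_caps(hex_mask: str) -> FrozenSet[str]:
    """Turn a hex mask such as '00000000a80425fb' into the set of capability names."""
    mask = int(hex_mask.strip(), 16)
    names = set()
    bit = 0
    while mask:
        if mask & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")  # future caps
        mask >>= 1
        bit += 1
    return frozenset(names)


def caps_from_status(status_text: str, field: str = "CapEff") -> FrozenSet[str]:
    """Pull one Cap* field out of the text of /proc/<pid>/status and decode it."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError(f"{field} not found in status text")
    return decode_caps(m.group(1))


def extra_caps(held: FrozenSet[str], baseline: FrozenSet[str] = DOCKER_DEFAULT_CAPS) -> List[str]:
    """Capabilities held beyond the baseline; a non-empty list deserves a question in review."""
    return sorted(held - baseline)


if __name__ == "__main__":
    with open("/proc/self/status") as f:
        status = f.read()
    eff = caps_from_status(status, "CapEff")
    print("effective:", sorted(eff))
    print("beyond Docker default:", extra_caps(eff))
    print("full root (all %d caps): %s" % (len(CAP_NAMES), eff == frozenset(CAP_NAMES)))
```

Inside a default container the effective set is exactly the 14 names above; with `--cap-add SYS_ADMIN` the mask becomes 0x00000000a82425fb and `extra_caps` reports CAP_SYS_ADMIN; under `--privileged` it is 0x000001ffffffffff, every capability the kernel knows.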
Seccomp: System Call Filtering

Seccomp (secure computing mode, in its BPF form) filters the system calls a container's processes are allowed to make. Docker attaches a default profile that allows the common calls and returns an error for a few dozen dangerous or obscure ones (for example reboot, kexec_load, mount, and the namespace-creating flags of clone when the container lacks CAP_SYS_ADMIN), so a compromised process cannot reach kernel features it has no business using. A custom profile can be supplied with --security-opt seccomp=profile.json, and --security-opt seccomp=unconfined turns the filter off entirely.
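Docker profiles are JSON: a defaultAction plus a list of syscall rules, each with names, an action, optional argument comparisons, and optional includes/excludes on the container's capabilities. The following added example (not code from the article, Docker, or libseccomp) is a simplified first-match evaluator of that format, for asking "would this call be blocked for a container with these capabilities?" before shipping a profile. The profile it contains is constructed for the example; it borrows the shape, and the clone() argument mask 0x7E020000 (the CLONE_NEW* namespace flag bits), from the layout of Docker's default profile, but is far shorter, and it ignores the architecture and minKernel fields.

```python
"""Simplified evaluator for Docker-style seccomp profile JSON (added example).

Not libseccomp's BPF semantics: rules are scanned in order and the first rule
whose names, capability conditions and argument comparisons all match decides;
otherwise defaultAction applies. Good enough to sanity-check a profile.
"""
import json
from typing import Iterable, List, Optional, Sequence

# Constructed sample profile in Docker's format. 2114060288 == 0x7E020000, the
# CLONE_NEWNS|NEWCGROUP|NEWUTS|NEWIPC|NEWUSER|NEWPID|NEWNET bits of clone's flags.
SAMPLE_PROFILE = json.loads(r"""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "openat", "close", "exit_group"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2114060288, "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ"}],
     "excludes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["clone", "mount", "umount2", "unshare", "setns"],
     "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}}
  ]
}
""")

_OPS = {
    "SCMP_CMP_EQ": lambda v, a: v == a["value"],
    "SCMP_CMP_NE": lambda v, a: v != a["value"],
    "SCMP_CMP_LT": lambda v, a: v < a["value"],
    "SCMP_CMP_LE": lambda v, a: v <= a["value"],
    "SCMP_CMP_GT": lambda v, a: v > a["value"],
    "SCMP_CMP_GE": lambda v, a: v >= a["value"],
    "SCMP_CMP_MASKED_EQ": lambda v, a: (v & a["value"]) == a["valueTwo"],
}


def _args_match(rule: dict, args: Sequence[int]) -> bool:
    """Every argument comparison in the rule must hold; an absent argument cannot satisfy one."""
    for cmp in rule.get("args", []):
        idx = cmp["index"]
        if idx >= len(args) or not _OPS[cmp["op"]](args[idx], cmp):
            return False
    return True


def _caps_match(rule: dict, caps: frozenset) -> bool:
    """includes.caps: at least one must be held; excludes.caps: none may be held."""
    inc = set(rule.get("includes", {}).get("caps", []))
    exc = set(rule.get("excludes", {}).get("caps", []))
    if inc and not (inc & caps):
        return False
    if exc and (exc & caps):
        return False
    return True


def decide(profile: Optional[dict], syscall: str, args: Sequence[int] = (),
           caps: Iterable[str] = ()) -> str:
    """Action the profile takes for syscall(args) in a container holding caps.

    profile=None models --security-opt seccomp=unconfined: everything is allowed.
    """
    if profile is None:
        return "SCMP_ACT_ALLOW"
    caps = frozenset(caps)
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and _caps_match(rule, caps) and _args_match(rule, args):
            return rule["action"]
    return profile["defaultAction"]


def blocked(profile: Optional[dict], syscalls: Iterable[str], caps: Iterable[str] = ()) -> List[str]:
    """Which of the named syscalls would not be allowed (argument-less calls only)."""
    return sorted(s for s in syscalls if decide(profile, s, caps=caps) != "SCMP_ACT_ALLOW")


if __name__ == "__main__":
    wanted = ["read", "openat", "mount", "unshare", "reboot", "kexec_load"]
    print("blocked for a default container:", blocked(SAMPLE_PROFILE, wanted))
    print("blocked with CAP_SYS_ADMIN:    ", blocked(SAMPLE_PROFILE, wanted, caps={"CAP_SYS_ADMIN"}))
    print("blocked with seccomp=unconfined:", blocked(None, wanted))
    # clone(2) with only SIGCHLD (17) is an ordinary fork and passes the mask;
    # adding CLONE_NEWUSER (0x10000000) fails it unless the container holds CAP_SYS_ADMIN.
    print(decide(SAMPLE_PROFILE, "clone", args=(17,)),
          decide(SAMPLE_PROFILE, "clone", args=(0x10000000 | 17,)))
```

This is also why `--cap-add SYS_ADMIN` widens more than the capability check itself: in the default profile several syscall rules are gated on that capability, so granting it silently unlocks mount, unshare and namespace-creating clone calls as well.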
How Docker Brings It All Together
When you run a container using Docker, the following sequence of events typically occurs:
Image Pull: Docker retrieves the container image from a registry (like Docker Hub) and stores it locally. Images are composed of layers, and only missing layers are downloaded.
Container Creation: Docker creates a container object from the image: it assigns an ID, prepares the filesystem layers, and writes the OCI runtime configuration (namespaces, cgroup limits, capabilities, seccomp profile, mounts) that the runtime will apply.
Filesystem Setup: A container-specific writable layer is added on top of the image’s read-only layers.
Process Execution: Docker hands the container's configuration to containerd, which invokes the OCI runtime runc (a Go program built on the kernel features above, not a utility that ships with Linux) to create the namespaces and cgroups, switch into the prepared root filesystem, apply the capability and seccomp settings, and finally exec the requested process. That process is isolated from the host and from other containers by the namespaces.
Networking Configuration: Docker sets up networking for the container, typically by creating a virtual Ethernet (veth) pair, moving one end into the container's network namespace and attaching the other to the docker0 bridge, and assigning an IP address.
Resource Management: Cgroups ensure that the container stays within its allocated resource limits.
What is Bocker?

In fact, there is a container runtime written entirely in Bash. It is called Bocker.
Bocker is a Bash script of roughly a hundred lines that replicates the core functionality of Docker in a lightweight and minimalistic manner: btrfs subvolume snapshots stand in for image layers, unshare provides the namespaces, cgroups apply resource limits, and a veth pair attached to a bridge gives each container its network. It was created to demonstrate how container runtimes like Docker leverage Linux features to provide isolation, resource management, and reproducibility.
The primary goal of Bocker is education. By reducing the complexities of Docker to a simple Bash script, Bocker allows developers and system administrators to:
Understand the foundational Linux features that make containers possible.
Experiment with containerization concepts in a controlled environment.
Conclusion
Docker is not a standalone technology but rather a seamless orchestration of powerful Linux features. By leveraging namespaces, cgroups, union filesystems, capabilities, and seccomp, Docker creates an environment where applications can run in isolated, reproducible, and efficient containers. This article has been mostly theoretical; in the next one I will look at these Linux technologies in more depth with demo projects. Stay tuned!
Useful Resources:
https://youtu.be/0kJPa-1FuoI?list=PLwhumfEVPtGyZjZxFCp3e4C6LKLUrddwv