Container: Isolated area of an OS wioth resource usage limits applied. To build containers we use low level kernel controls: namespaces and control groups.
We use the CLI docker container run which makes a call to the appropiate Docker API containers/create
We use two main building blocks when creating containers: Namespaces and Control Groups, both of them are Linux kernel primitives.
- Namespaces are about isolation.
- Control groups are about grouping objects and setting limits
This let us take an operating system and cut it into multiple isolated virtual operating systems. Each container feels like a regular OS.
- Process ID (pid): Gives each container its own isolated process tree
- Network (net): Gives each container its own isolated network stack
- Filesystem/mount (mnt): Gives each container its own root filesystem
- Inter-proc comms (ipc): Let's processes in the same container access the same shared memory but stops everything outside de container (isolation)
- UTS (uts): Gives every container its own hostaname
- User (user): It let's you map accounts inside the container to different users in the host.
Grouping processes and imposing resource limits