Kenta Takeuchi

Container Technology Explained: How Docker and OCI Containers Work

This article was originally published on bmf-tech.com.

Overview

A summary of container technology, written while experimenting with creating and interacting with containers without using Docker.

What is a Container

  • A set of processes that are isolated from the host OS, bundling applications and runtime together.

History of Containers

1979: chroot introduced in UNIX.

2000: FreeBSD jails appeared in FreeBSD 4.0, an evolution of chroot.

2001: Technology forming the basis of Linux containers appeared in Linux through the VServer Project.

2004: LXC (Linux Containers) 1.0 released.

2008: Docker emerged.

Besides the above, container technologies like Virtuozzo, OpenVZ, HP-UX Container, and Solaris Container also exist.

Differences Between Containers and Virtualization

  • Containers
    • A set of processes isolated from the host OS, bundling applications and runtime together.
    • Share the kernel of the host OS
    • The OS library layer (userland) can be chosen per container
  • Virtualization
    • Whether host-based or hypervisor-based, virtualization runs multiple guest OSes, each with its own kernel, and applications run on the guest OS.

A rough summary is also available at bmf-tech - What is Docker.

Linux Kernel Features for Realizing Container Technology

Kernel namespaces

  • A feature that partitions six kinds of kernel resources (ipc, uts, mount, pid, network, user) per group of processes
  • A mechanism that makes it appear as if each group has its own private copy of those resources.
  • Processes in different namespaces cannot interfere with each other's resources.

AppArmor and SELinux profiles

  • AppArmor
    • One of the Linux Security Modules (LSM, the kernel's framework for pluggable access-control hooks).
    • Confines what each application may access according to a per-program profile (mandatory access control)
  • SELinux (Security-Enhanced Linux)
    • Another LSM, adding mandatory access control to the Linux kernel

Seccomp policies

  • A feature that restricts which system calls a process may make

Chroots (using pivot_root)

  • An operation that changes the root directory for the current process and its child processes
  • A process whose root has been changed cannot reach files outside that tree, which gives it an isolated filesystem view

Kernel capabilities

  • Fine-grained privilege management for processes
  • Splits the all-or-nothing root privilege into individual capabilities that can be granted or dropped separately

CGroups (control groups)

  • A feature that groups processes so that they can be managed (for example, resource-limited and accounted) as a unit
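Several of the features above (capabilities, seccomp, namespaces) are visible from inside a process through /proc. The following is an added example, not code from the original article: it decodes the CapEff bitmask, seccomp mode and NoNewPrivs flag from /proc/<pid>/status and lists which namespaces a process still shares with PID 1. The capability table follows linux/capability.h, the field names follow proc(5), and the "broad" watchlist is this editor's choice of capabilities that weaken container isolation the most.

```python
import os

# Capability names in bit order from linux/capability.h (bit 0 = CAP_CHOWN, bit 40 = CAP_CHECKPOINT_RESTORE).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP LINUX_IMMUTABLE "
    "NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO "
    "SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG "
    "MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM "
    "BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()
# Editor's watchlist: capabilities that largely undo the isolation a container is meant to provide.
BROAD_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN"}
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}  # values of the Seccomp field in /proc/<pid>/status


def decode_caps(hex_mask: str) -> list[str]:
    """Expand a CapEff/CapBnd hex mask into capability names (bits newer than the table become CAP_<n>)."""
    mask = int(hex_mask, 16)
    return ["CAP_" + (CAP_NAMES[b] if b < len(CAP_NAMES) else str(b))
            for b in range(mask.bit_length()) if mask >> b & 1]


def parse_status(text: str) -> dict:
    """Pull the isolation-relevant fields out of the text of /proc/<pid>/status."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    caps = decode_caps(fields.get("CapEff", "0").strip())
    return {
        "seccomp": SECCOMP_MODES.get(int(fields.get("Seccomp", "0")), "unknown"),
        "no_new_privs": fields.get("NoNewPrivs", "0").strip() == "1",
        "caps": caps,
        "broad_caps": sorted(BROAD_CAPS & set(caps)),
    }


def shared_namespaces(pid: str = "self", other: str = "1") -> list[str]:
    """Namespaces that <pid> still shares with <other>, judged by the /proc/<pid>/ns symlink targets."""
    shared = []
    for ns in sorted(os.listdir(f"/proc/{pid}/ns")):
        try:
            if os.readlink(f"/proc/{pid}/ns/{ns}") == os.readlink(f"/proc/{other}/ns/{ns}"):
                shared.append(ns)
        except OSError:  # <other>'s namespace links are not readable without matching privileges
            pass
    return shared


if __name__ == "__main__":  # Linux only; compare the output on the host and inside a container
    print(parse_status(open("/proc/self/status").read()), shared_namespaces())
```

Inside a container, the capability list should be short, seccomp should read "filter", and only a few namespaces (typically none of net, pid or mnt) should still be shared with PID 1 of the host.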

Docker's Container Technology

Docker originally used LXC, but from v0.9 it switched to libcontainer, implemented in Go (cf. Docker blog - DOCKER 0.9: INTRODUCING EXECUTION DRIVERS AND LIBCONTAINER; github - opencontainers/runc/libcontainer/).

Standard Specifications

OCI (Open Container Initiative)

The Open Container Initiative is an organization aimed at creating industry standards for containers and runtimes.

It defines the following specifications:

  • OCI Runtime Specification
  • OCI Image Format Specification
  • OCI Distribution Specification

OCI covers the low-level runtime layer.
Examples: runC, gVisor, Kata Containers, Nabla Containers, etc.

CRI (Container Runtime Interface)

CRI defines the interface that kubelet uses to communicate with a container runtime.

CRI covers the high-level runtime layer.
Examples: docker, containerd, cri-o

Summary

  • Containers are processes with isolated resources
  • Containers share the kernel of the host OS, and the library layer can be freely chosen
  • Related specifications for containers include OCI and CRI

Gave a Lightning Talk

Gave a lightning talk at Makuake LT Party (an internal LT event).

speaker-deck - Fully Understanding Containers
