We've explored what containers are and how they use layered images. Now, let's look at the plumbing: how your operating system (OS) isolates these containers and the software that manages their lifecycle—the Container Runtime.
1. The Core Concept: OS-Level Virtualization
Unlike Virtual Machines (VMs), which virtualize the entire hardware stack and require a full guest OS, Docker uses OS-level virtualization. This means the containers run directly on the host OS's kernel.
This is the source of Docker's speed and lightweight nature.
Key OS Technologies Used for Isolation:
Containers achieve isolation using two fundamental features built into the Linux Kernel (and mirrored/virtualized on Windows/macOS):
1. Namespaces: These isolate the container's view of the operating system. Each container gets its own segregated slice of resources, including:
PID Namespace: Containers only see their own processes.
Net Namespace: Containers have their own network interfaces, ports, and routing tables.
Mount Namespace: Containers have their own root filesystem (based on the image layers).
2. Control Groups (cgroups): These limit the amount of resources a container can consume. They act as resource controllers, allowing you to cap a container's access to:
CPU: Limit the percentage of processor time.
Memory: Set hard limits on RAM usage.
Block I/O: Control disk input/output.
In short: Namespaces isolate what a container sees (its view), and cgroups limit what a container uses (its resources).
2. The Engine: Docker Daemon vs. Container Runtime
When you run a command like docker run, several pieces of software work together.
A. The Docker Daemon (dockerd)
The Docker Daemon is the server component that runs in the background. It is responsible for the heavy lifting, including:
- Building images.
- Pulling and pushing images to registries (like Docker Hub).
- Managing storage (volumes) and networking.
- Receiving commands from the CLI (your docker run commands) and passing them to the appropriate runtime.
B. The Container Runtime
The Container Runtime is the low-level component that executes the essential tasks of running and managing a container process. It interacts directly with the Linux kernel's Namespaces and cgroups.
There are two main types of runtimes:
High-Level Runtime (e.g., containerd): This manages the entire container lifecycle: image transfer, mounting the root filesystem, setting up networking, and logging. The Docker Daemon uses containerd to manage its containers.
Low-Level Runtime (e.g., runc): This is the executable that actually creates and runs the container process. It is the final component that interfaces directly with the kernel features (Namespaces and cgroups) to enforce isolation. runc is the reference implementation of the OCI Runtime Specification.
The Chain of Command:
You type:
docker run ...
- The Docker CLI sends the command to the Docker Daemon (dockerd).
- The Docker Daemon prepares the image and passes the request to the High-Level Runtime (containerd).
- containerd extracts the container configuration and hands it off to the Low-Level Runtime (runc).
- runc uses Namespaces and cgroups to create and run the isolated container process on the host OS kernel.
3. OCI: The Open Container Initiative
You'll often hear the term OCI. This is a project that created standardized specifications for the core components of container technology:
Image Specification: Defines what a container image must look like (e.g., structure, layers, manifest).
Runtime Specification: Defines how a container runtime (like runc) must be configured and executed.
The OCI standards ensure that images built by one tool (e.g., Docker) can be run by another compliant tool (e.g., Podman or Kubernetes' Kubelet), promoting portability and preventing vendor lock-in.
What's Next?
Understanding these low-level concepts is crucial. Now we know how containers work and what software makes them run. In next post we will learn about Filesystem used in Docker.
Thank You.
Top comments (0)