Containers 101

What are Containers

6 min readFeb 6, 2017

A container is a unit of isolation. It is a sandbox or environment where we can run some code. There could be some side effects of running code which could be changes to the file system or changes to the registry. These changes could be localized only to the container and need not affect the host.

Containers is another type of Virtualization where they provide a perception of fully isolated and independent Operating System (OS) to the application.

Compared to a Virtual Machine(VM) where the application is running on top of Guest OS, in the Container environment the application is running on top of the Host OS. Hence your application has instant startup in a Container compared to running on top of Virtual Machine where the Guest OS needs to be booted before your application can run. In a VM there is complete isolation and each guest OS have their own copy of the files, libraries and application code. Since each VM has to pay the cost of the OS boot and in-memory footprint for its private copies, it limits the number of application instances (VMs) that can be run on the host.

However since the Container shares the same OS including the kernel and libraries, they don’t to pay the penalty for starting the guest OS, private memory cost for running the guest OS. The containerized application starts in seconds and more instances of the application can fit onto the machine than in the VM case.

Evolution of Containers

Containers evolved out of Linux world. Some examples are: chroot, BSD Jails, Solaris Zones, Softricity for App virtualization (App-V) etc.

The unit of isolation in a Windows or Linux operating system is a process. But the isolation provided by the process is not sufficient. The changes to the file system / registry made by one process would be reflected to another process.

In Windows, there is a concept of Job Objects. A job object allows groups of processes to be managed as a unit. Job objects are namable, securable, sharable objects that control attributes of the processes associated with them. Operations performed on a job object affect all processes associated with the job object. Examples include enforcing limits such as working set size and process priority or terminating all processes associated with a job.

Similarly there is a concept of CGroups in Linux. cgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.

From the above evolved the concept of Containers as an isolation environment. The containers provide isolated CPU, memory, I/O and network resources that share the same resources from host operating system. In the Linux OS there is concept of Namespaces which wraps a set of system resources and present them to look like they are dedicated to that process. The Linux containers known as LXC is an operating system level Virtualization for running multiple isolated Linux systems on a single host. Namespaces and CGroups makes the Linux Containers possible.

Containers abstracts away the OS and hence it is possible to move the containers from one system to another.

What is Docker

Docker evolved from LXC. Docker started as a single application LXC containers and made it portable and flexible to use. Using Docker containers, you can deploy, replicate, move, and back up even more quickly and easily than you can do so using virtual machines. Docker started as a specialized LXC and later morphed into its own container runtime environment.

Docker abstracts networking, storage, registry and OS details from the application. With Docker, the application is independent from the configurations of these low-level resources. When you move a Docker container from one Docker host to another Docker-enabled machine, Docker guarantees that the environment for the application will remain the same.

Docker created the common toolset, packaging model and deployment mechanism for the containerization and distribution of applications that can then run anywhere on any Linux host. This not only simplifies management by offering the same management commands against any host, it also creates a unique opportunity for seamless DevOps. A Docker image can be created that will deploy identically across any environment in seconds. This has created a massive and growing ecosystem of applications packaged in Docker containers, with DockerHub, the public containerized-application registry that Docker maintains, currently publishing more than 180,000 applications in the public community repository.

Windows Containers

There is support for containers in the Windows Operating System. Very similar to the LXC style containers on Windows. The Windows Containers support run existing windows applications, including server applications with near native performance. The Windows Containers support the namespace virtualization so that applications do not interfere with other applications in different container.

Figure 1, shows what Windows Server Containers would look like with the Docker Engine atop an on-premises server. However, those containers could also run in an Azure IaaS cloud.

Windows supports two kind of containers — Windows Server containers and Hyper-V containers. Windows Server containers share the same OS and kernel. Hyper-V containers are more isolated than Windows Server containers and run on a hypervisor. They are not sharing the guest OS or the kernel.

How containers work ?

The container provides isolation, for example the local disk looks like its own copy of the OS files, the memory with only its own files and data of a new OS. To accomplish this, the “host” machine that creates a container does some clever things using Namespace isolation. Namespaces include all the resources that an application can interact with, including files, network, registry and the list of running processes. Namespace isolation enables the host to give each container a virtualized namespace that includes only the resources that it should see. For efficiency, many of the OS files, directories and running services are shared between containers and projected into each container’s namespace. Only when an application makes changes to its containers, for example by modifying an existing file or creating a new one, does the container get distinct copies from the underlying host OS — but only of those portions changed, using Docker’s “copy-on-write” optimization.

Container Orchestration

When you deploy and manage many containers that makes an application, it is important that there is a good way to deploy, manage the same. This is where the need for container orchestration comes into picture. Container orchestrator is responsible for deployment of the containers into the servers. There are many kinds of orchestrators available and is a big topic by itself.

Some examples are: Docker Compose enables the creation of multi container applications. Docker Swarm helps in managing the docker containers across different hosts.

There are other orchestration solutions that support container management like — Mesos, Kubernetes, Desis.

Conclusion

Containers decouple the applications from the underlying OS. Containers provide a new level of efficiency, deployment flexibility to developers. Few points to remember while moving to the Containerized world of applications.

Containers helps in development with a simplified deployment model. During the development process, developers can quickly iterate and test. Since the environment and resource usage are consistent across systems, a containerized application that works on a developer’s system will work the same way on a different production system.

Containers are good for applications where the host OS trusts the applications that would be hosted on it and the applications trust each other. They (Host OS and the applications) all are in the same trust boundary. However if the applications are from different trust boundary (say user supplied code) and to ensure isolation it is better to run them in a separate container.

Containers provide weaker level of isolation compared to hypervisor.

Microservices is another area where the Containerized environment would help in terms of deployment, management, patching and orchestration.