Container != Docker
Demystifying Containers and Their Ecosystem
This blog post is part of the series Linux Beyond the Basics.
Introduction
While Docker revolutionized how we package and deploy applications, it’s crucial to understand that Docker is just one of the many tools in the containerization landscape. Containers themselves are a distinct concept, rooted in fundamental Linux kernel features and specific filesystem technologies.
Linux Kernel: The Foundation of Containers
At its core, a container is a self-contained unit of software that includes everything it needs to run: code, runtime, system tools, libraries, and settings. It’s essentially a way to isolate processes on a shared operating system, giving each container the illusion of its own dedicated resources.
The magic behind container isolation and efficient resource management is enabled by several key Linux kernel technologies:
Namespaces
Namespaces provide process isolation by creating separate instances of global system resources (like process IDs, network interfaces, mount points) for each container. This ensures that processes in one container are unaware of processes in another, enhancing security and stability.
Control Groups (cgroups)
Cgroups limit and account for the resource usage (CPU, memory, disk I/O) of a collection of processes. This allows you to set resource quotas for each container, preventing one container from consuming excessive resources and impacting the performance of others.
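Both primitives are visible from user space under /proc and the cgroup filesystem. The Python below is an added example, not code from the original post: it parses the link targets of /proc/<pid>/ns/<kind> ("pid:[4026531836]", the number being the namespace inode), the cgroup v2 entry in /proc/<pid>/cgroup ("0::/path"), and the cgroup v2 limit files cpu.max and memory.max, then reports in which namespace kinds one process differs from a reference process. The sample values are constructed; the file formats are the kernel's real ones, and all function names are my own.

```python
from __future__ import annotations
import os, re

NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# Constructed sample input, shaped like real /proc and cgroupfs contents (not captured from a system).
SAMPLE_NS_HOST = {k: f"{k}:[40265318{i:02d}]" for i, k in enumerate(NS_KINDS)}
SAMPLE_NS_CTR = {**SAMPLE_NS_HOST, "pid": "pid:[4026532510]", "mnt": "mnt:[4026532508]", "net": "net:[4026532511]"}
SAMPLE_CGROUP = "0::/system.slice/demo.scope\n"   # /proc/<pid>/cgroup, cgroup v2 (unified) format
SAMPLE_CPU_MAX = "50000 100000\n"                  # cpu.max: "<quota> <period>" in microseconds
SAMPLE_MEM_MAX = "536870912\n"                     # memory.max: byte limit, or "max" for unlimited

def parse_ns_target(target: str) -> tuple[str, int]:
    """'pid:[4026531836]' -> ('pid', 4026531836); the number is the namespace inode."""
    m = re.fullmatch(r"(\w+):\[(\d+)\]", target.strip())
    if not m:
        raise ValueError(f"unexpected namespace link target: {target!r}")
    return m.group(1), int(m.group(2))

def differing_namespaces(a: dict[str, str], b: dict[str, str]) -> list[str]:
    """Namespace kinds in which the two processes hold different instances."""
    return sorted(k for k in a if k in b and parse_ns_target(a[k]) != parse_ns_target(b[k]))

def cgroup_v2_path(cgroup_text: str) -> str:
    """Unified-hierarchy path from the /proc/<pid>/cgroup line of the form '0::/path'."""
    for line in cgroup_text.splitlines():
        hier_id, controllers, path = line.split(":", 2)
        if hier_id == "0" and controllers == "":
            return path
    raise ValueError("no cgroup v2 entry found")

def cpu_limit(cpu_max: str) -> float | None:
    """cpu.max '<quota> <period>' -> fraction of one CPU; 'max' -> None (unlimited)."""
    quota, period = cpu_max.split()
    return None if quota == "max" else int(quota) / int(period)

def memory_limit(memory_max: str) -> int | None:
    """memory.max -> byte limit, or None when the file reads 'max' (unlimited)."""
    value = memory_max.strip()
    return None if value == "max" else int(value)

def read_namespaces(pid: int | str = "self") -> dict[str, str]:
    """Live variant: readlink /proc/<pid>/ns/*; reading another pid needs ptrace-level access."""
    out = {}
    for kind in NS_KINDS:
        try:
            out[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:      # kind unsupported by this kernel, or target process not accessible
            pass
    return out
```

Comparing read_namespaces() of a process inside a container with read_namespaces(1) on the host shows which namespaces the runtime actually unshared; a match on net or pid where isolation was expected points at a host-network or host-PID setting worth reviewing.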
Layered Filesystems
Containers leverage specialized filesystem technologies to efficiently manage storage. The most common approach is layered filesystems, where each container image consists of multiple read-only layers, with a final writable layer on top. This layered architecture offers several benefits:
- Image Efficiency: Since layers are shared between images, only the differences need to be stored, significantly reducing overall disk usage.
- Faster Startup: The read-only image layers are already on disk, so starting a container only requires creating a fresh writable layer on top of them, which is far quicker than booting a traditional virtual machine.
- Versioning: Each layer represents a specific state of the filesystem, enabling easy rollbacks to previous versions if needed.
Some popular container filesystem technologies include:
- OverlayFS: A union filesystem that merges multiple directories into a single view, commonly used with Docker.
- AUFS: Another union filesystem, historically used by Docker, but less common nowadays.
- Devicemapper: A Linux kernel framework for mapping physical block devices to virtual block devices, often used in enterprise container environments.
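The read-only layers plus one writable layer can be made concrete with a small model. This Python is an added example, not code from the post or from any overlay driver: it simulates union lookup across layers, copy-on-write into the upper layer, whiteouts that hide a file present in a lower layer (OverlayFS marks these with a 0/0 character device; a sentinel object stands in here), and rollback by discarding the upper layer. The layer contents are constructed.

```python
from __future__ import annotations

WHITEOUT = object()   # stands in for OverlayFS's 0/0 character-device whiteout marker

# Constructed sample image layers, ordered base first (the real lowerdir= option lists them top first).
BASE = {"/etc/os-release": b"ID=debian", "/bin/sh": b"#!elf"}
APP = {"/app/main.py": b"print('hi')", "/etc/os-release": b"ID=debian\nVERSION=12"}

class UnionView:
    """Model of an overlay mount: read-only lower layers plus one writable upper layer.

    Each layer maps path -> content (or WHITEOUT). Lookups walk from the upper layer
    down; the first hit wins, and a whiteout hides every lower copy of that path.
    """
    def __init__(self, lowers: list[dict[str, bytes]]):
        self.lowers = lowers                   # image layers: shared between containers, never modified
        self.upper: dict[str, object] = {}     # this container's private writable layer

    def read(self, path: str) -> bytes | None:
        for layer in [self.upper, *reversed(self.lowers)]:
            if path in layer:
                return None if layer[path] is WHITEOUT else layer[path]
        return None

    def write(self, path: str, data: bytes) -> None:
        self.upper[path] = data                # copy-on-write: only the difference is stored

    def delete(self, path: str) -> None:
        if any(path in layer for layer in self.lowers):
            self.upper[path] = WHITEOUT        # lower copy cannot be removed, so mask it
        else:
            self.upper.pop(path, None)

    def listdir(self) -> list[str]:
        seen: dict[str, object] = {}
        for layer in [*self.lowers, self.upper]:
            seen.update(layer)                 # higher layers override lower entries
        return sorted(p for p, v in seen.items() if v is not WHITEOUT)

    def rollback(self) -> None:
        self.upper.clear()                     # dropping the upper layer restores the image state
```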
OCI: A Common Language for Containers
To ensure interoperability between different container runtimes and tools, the Open Container Initiative (OCI) was formed. The OCI defines a standard specification for container formats and runtimes. This means that, in theory, a container image built for one OCI-compliant runtime should run seamlessly on any other OCI-compliant runtime.
runc: The Reference Implementation
runc is the reference implementation of the OCI runtime specification. It's a lightweight, portable tool that can be used to create and run containers according to the OCI standard. While most users won't interact directly with runc, it plays a critical role in many container ecosystems.
containerd: A High-Level Container Runtime
containerd is a daemon that manages the complete container lifecycle on a single host. It pulls container images from registries, stores them on disk, executes containers (using runc or other OCI-compliant runtimes), and handles container supervision.
Think of containerd as a building block that provides essential container management features. Other tools, like Docker or Kubernetes, can leverage containerd to handle the underlying container runtime operations.
Docker: A User-Friendly Container Platform
Docker is a popular, comprehensive platform for developing, building, shipping, and running containerized applications. It provides a rich set of features for image management, networking, and orchestration. However, it’s important to remember that Docker isn’t the only game in town.
Podman: A Daemonless Alternative to Docker
Podman is a daemonless container engine designed to be a drop-in replacement for Docker. Unlike Docker, which relies on a central daemon process, Podman directly interacts with the image registry, container storage, and the Linux kernel. This daemonless architecture offers potential security and performance advantages.
Podman shares the same command-line interface (CLI) as Docker, making it easy for users to transition. It also supports running containers in “rootless” mode, which can further enhance security by preventing containers from running with elevated privileges.
Conclusion
Understanding the intricate relationship between containers, the Linux kernel, filesystem technologies, and the wider container ecosystem is key to leveraging the full power of containerization. By exploring the underlying technologies and alternative tools available, you can build more robust, efficient, and flexible containerized applications tailored to your specific needs.