How Docker Containers Work??
In this blog, I’m going to give you a behind the scenes look at what a container is and how it is created on your machine.
Now to understand the container you first need to have a bit of background on exactly how your operating system runs on your computer.
So going to first give you a quick overview of your operating system.
So this is a quick overview of the operating system on your computer. Most operating systems have something called a kernel.
The kernel is a running software process that governs access between all the programs that are running on your computer and all the physical hardware that is connected to your computer as well. So if you’re at the top of this diagram, we have different programs that your computer’s running such as chrome or terminal NodeJS.
If you’ve ever made use of NodeJS before and you’ve written a file to the hard drive it’s technically not NodeJS that is speaking directly to the physical device. Instead, NodeJS says to your Kernel, hey, I want to write a file to the hard drive.
The Kernel then takes that information and eventually persists it to the hard disk. So the Kernel is always kind of this intermediate layer that governs access between these programs in your actual hard.
The other important thing to understand here is that these running programs interact with the kernel through things called system calls.
These are essentially like function invocations.
The Kernel exposes different endpoints to say hey if you want to write a file to the hard drive call this endpoint or this function right here it takes some amount of information and then that information will be eventually written to the hard disk or memory or whatever else is required.
Just imagine, that two programs running on our computer.
Ex: Chrome, in order to work properly, has to have Python version 2 installed and NodeJS has to have version 3 installed.
However, on our hard disk, we only have access to Python version 2, and we are not allowed to have two identical installations of Python at the same time.
So now Chrome would work properly because it has access to version 2 but NodeJS would not because we do not have a version or a copy of Python version 3.
So how can we solve this issue????
Well, one way to do it would be used to make use of an operating system feature known as namespacing, with namespacing we can look at all the different hardware resources connected to our computer and we can essentially segment out portions of those resources so we could create a segment of our hard disk specifically dedicated to housing Python version 2.
And we could make a second segment specifically dedicated to housing Python version 3.
The Process will be,
- Any time that either them issues a system call to read information off the hard drive
- Kernel will look at that incoming system call and try to figure out which process it is coming from.
- So the Kernel could say okay if Chrome is trying to read some information off the hard drive I’m going to direct that call over to the segment that has Python version 2 and NodeJS that makes the system call the read the hard drive the kernel can redirect the segment for Python version 3.
And so by making use of this kind of namespacing we’re segmenting feature. We can have the ability to make sure that Chrome and NodeJS are able to work on the same machine.
Now again, in reality, neither of these actually needed the installation of Python. This is just a quick example.
So this entire process of kind of segmenting a hard or resource based on the
process that is asking for it is known as namespacing with namespacing we are allowed to isolate resources per a process or a group of processes and we essentially saying that any time a particular process asks for a resource we’re
Namespacing is not only used for hardware it can be also used for software elements as well.
So, for example, we can namespace a process to restrict the area of a hard drive that is available or the network devices that are available or the ability to talk to in other processes or the ability to see other processes.
These are all things that we can use named spacing to essentially limit the resources we’re kind of redirect requests for resource from a particular process very closely related to this idea of some namespacing is another feature called control group.
A control group can be used to limit the number of resources that a particular process can use.
So namespacing is for saying hey this area of the hard drive is for this process a control group can be used to limit the amount of memory that a process can use the amount of CPU the amount of hard drive input or the input-output and the amount of network bandwidth as well.
So these two features put together it can be used to really kind of isolate a single process and limit the number of resources it can talk to and the amount of bandwidth essentially that it can make use.
So the area around the dashed lines in the image above can be referred to as a container.
We’ve got some running process that sends a system call to a Kernel.
Kernel is going to look at that incoming system call and direct it to a very specific portion of the hard drive the RAM CPU or whatever else it might need.
And of a portion of each of these resources is made available to that singular process.
What is the real relation between one of those containers that are kind of singular process and grouping of resources to an image?
How is that single file eventually create this container?
An image we’re really talking about a file system snapshot (FS).
So this is essentially a kind of like a copy-paste of a very specific set of directories or files.
And so we might have an image that contains just chrome and Python an image will also contain a specific startup command.
So here’s what happens behind the scenes when we take an image and turn it into a container.
Initially, Kernel is going to isolate a little section of the hard drive and make it available to just this container.
And so we can kind of imagine that after that little subset is created, the file snapshot inside the image is taken and placed into that little segment of the hard drive.
And so now inside of this very specific grouping of resources we’ve got a little section of the hard drive that has just chrome and Python installed and essentially nothing else.
The startup command is then executed which we can kind of imagine this case is like startup chrome just run Chrome for me. And so Chrome is invoked.
We create a new instance of that process and that created process is then isolated to this set of resources inside the container.
So that’s pretty much it.
That is the relationship between a container and an image and it’s how an image is eventually taken and turn into a running container.
Thanks for reading….…... 😊
