3. A bit of history
● FreeBSD Jails circa 2000
● Solaris Zones circa 2004
● LXC (Google) circa 2008
● Systemd-nspawn circa 2010-2013
● Docker circa 2013
○ built on LXC
○ moved to libcontainer (March 2014)
○ appC (CoreOS) announced (December 2014)
○ Open Containers standard for convergence with Docker announced (June 2015)
○ moved to runC (OCF compliant) (July 2015)
4. So what is a container, technically?
● Containers share the host kernel
● Containers use the kernel's ability to group processes for resource control
● Containers ensure isolation through namespaces
● Containers feel like lightweight VMs (lower footprint, faster start-up)
Components of a container ecosystem include:
● Runtime
● Image distribution
● Tooling
5. But we have Virtual Machines!
● Performance cost? Not so much
● Less efficient: on the same bare-metal server, many duplicate instances of the same OS and many redundant boot volumes
● Slower to start and stop
● Less DevOps friendly
● However, more secure and easier to constrain (important for a public cloud operator)
Good slides comparing Containers vs VMs
7. Two building blocks for containers
Linux namespaces, originally developed by IBM, provide resource isolation (users, PIDs, mounts, network, ...) as seen from a single process.
Linux cgroups, originally developed by Google, allow processes to be organized into hierarchical groups whose usage of various types of resources (CPU, memory, ...) can then be limited and monitored.
8. Image & Layers
At start, a container runtime prepares a root filesystem (rootfs) and uses chroot to isolate the container's view of the filesystem.
Docker uses union file systems to speed up builds and reduce image size; they provide:
● Layering
● Copy-On-Write
● Caching
● Diffing
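The following is an added illustration of how these four properties fit together, not code from the deck or from Docker: a toy model of image layers in which each layer is a dict of path to contents, a higher layer overrides a lower one, a deletion is recorded as an OverlayFS-style ".wh.<name>" whiteout marker, and a container's writes become a copy-on-write diff layer. The sample layers and the key file are constructed; the model also shows why a file deleted in a later layer is still shipped inside the image.

```python
from typing import Dict, List

# A layer maps a relative path to file contents. A whiteout entry
# (".wh.<name>" marker, as in OverlayFS-backed image layers) hides the
# same-named file from every layer below it.
Layer = Dict[str, bytes]
WHITEOUT = ".wh."


def whiteout_for(path: str) -> str:
    """Return the whiteout marker path that hides `path`."""
    parent, _, name = path.rpartition("/")
    return f"{parent}/{WHITEOUT}{name}" if parent else WHITEOUT + name


def merged_view(layers: List[Layer]) -> Dict[str, bytes]:
    """Union the layers bottom-up: higher layers win, whiteouts delete."""
    view: Dict[str, bytes] = {}
    for layer in layers:
        for path, data in layer.items():
            parent, _, name = path.rpartition("/")
            if name.startswith(WHITEOUT):
                hidden = name[len(WHITEOUT):]
                view.pop(f"{parent}/{hidden}" if parent else hidden, None)
            else:
                view[path] = data
    return view


def diff_layer(lower: Dict[str, bytes], upper: Dict[str, bytes]) -> Layer:
    """Copy-on-write: record only what changed between two merged views."""
    layer: Layer = {p: d for p, d in upper.items() if lower.get(p) != d}
    for removed in lower.keys() - upper.keys():
        layer[whiteout_for(removed)] = b""
    return layer


# Constructed sample image: a base layer that mistakenly ships a key,
# and an application layer that "deletes" it with a whiteout.
BASE: Layer = {"etc/passwd": b"root:x:0:0:root:/root:/bin/sh",
               "etc/app.key": b"CONSTRUCTED-SECRET", "usr/bin/sh": b"ELF..."}
APP: Layer = {"app/main.py": b"print('hello')", whiteout_for("etc/app.key"): b""}


def key_visible_in_container() -> bool:
    """The container's merged rootfs no longer shows the key..."""
    return "etc/app.key" in merged_view([BASE, APP])


def key_still_in_image() -> bool:
    """...but the lower layer ships unchanged, so the key is still in the image."""
    return any("etc/app.key" in layer for layer in (BASE, APP))


def container_write_layer() -> Layer:
    """A running container adds a log, edits passwd and removes sh; only that
    delta lands in its writable top layer."""
    before = merged_view([BASE, APP])
    after = dict(before)
    after["var/log/app.log"] = b"started"
    after["etc/passwd"] = before["etc/passwd"] + b"\napp:x:1000:1000::/app:/bin/sh"
    del after["usr/bin/sh"]
    return diff_layer(before, after)
```

Caching follows from the same idea: a layer's content is determined by the diff that produced it, so an unchanged diff can be reused instead of rebuilt.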
14. Networking
Docker combines a Linux bridge (a virtual switch) with iptables rules to create isolated container networks and to expose container ports.
Containers on the same network can also reach each other easily by name through the internal DNS.
15. Data
Volumes are stored in a part of the host filesystem that is managed by Docker (/var/lib/docker/volumes/ on Linux).
Bind mounts may be stored anywhere on the host system.
tmpfs mounts are stored in the host system's memory only.