How does a container work?

Before we look at how a container works, we will take a short detour through some operating system concepts.

First of all, how does a program run on any computer? If we take a look at the diagram below, any computer has three parts:

1. Some hardware (CPU, memory, hard disk, network, etc.)

2. An operating system (kernel + libraries + system utilities)

3. Applications

An operating system is basically a kernel plus some system utilities, which together bring a computer to life. The kernel is the part that acts as a translator between the hardware in the computer and the applications running on the operating system.

Now let us consider a scenario where we want to have both Chrome and Firefox installed on one operating system; we will take Ubuntu as our operating system. Let us hypothetically assume that Chrome requires OpenSSL 2.0 whereas Firefox requires OpenSSL 3.0.

But we can have only one version of OpenSSL installed on Ubuntu. What if we could install each OpenSSL version on a different partition/segment of the disk, and had some intelligence built into the kernel so that whenever it received a system call for OpenSSL it could route the request to the correct segment of the disk?

This thought provoked the kernel developers, and the result was a feature called Namespaces. Namespaces are a feature of the Linux kernel that partition kernel resources so that one set of processes sees one set of resources while another set of processes sees a different set of resources.

This feature had existed for a long time but was not widely used until Docker came along and popularized a container runtime built on this feature of Linux.

Along with Namespaces, we saw one more enhancement to the Linux kernel in 2016: Control Groups (cgroups). These limit the amount of resources consumed by, or allocated to, a process.

Hope this clarified how Namespaces and cgroups came into existence. Now let us understand how a container works. Basically, all of the container implementations (Docker, LXC, rkt, etc.) share the kernel of the underlying operating system. A container packs everything that is required to run a program, i.e. its binaries, libraries and configuration, and partitions the underlying hardware resources using Namespaces and cgroups so that any request for a particular hardware resource is contained within the container's boundaries.
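As an added example (not code from the original post), here is a small C program that creates the user, PID, UTS and mount namespaces described above with the unshare(2) system call and reports what the isolated process sees. It assumes a Linux host; the names run_isolated, report_inside and the "demo-container" hostname are the example's own, and where unprivileged user namespaces are disabled by a sysctl or a seccomp profile it returns 0 instead of failing.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Linux namespace flag values (CLONE_NEWUSER etc. in <sched.h>), copied locally so no GNU header is needed. */
enum { NS_USER = 0x10000000, NS_PID = 0x20000000, NS_UTS = 0x04000000, NS_MNT = 0x00020000 };

struct inside_view { int pid; char hostname[65]; };

/* Runs inside the new namespaces: the hostname change is visible only in our UTS namespace,
 * and in a fresh PID namespace getpid() returns 1, just like a container's init process. */
static void report_inside(int fd) {
    struct inside_view v = {0};
    sethostname("demo-container", 14);              /* hypothetical name chosen for this example */
    v.pid = (int)getpid();
    gethostname(v.hostname, sizeof v.hostname - 1);
    _exit(write(fd, &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
}

/* Returns 1 if the isolated process saw itself as PID 1, 0 if the kernel, a seccomp profile
 * or a sysctl refused to create the namespaces (common in hardened sandboxes), -1 on other errors. */
int run_isolated(struct inside_view *out) {
    int fds[2]; pid_t child;
    if (pipe(fds) != 0 || (child = fork()) < 0) return -1;
    if (child == 0) {
        close(fds[0]);
        /* The user namespace is created first, giving us privileges inside it, so the rest work without host root. */
        if (syscall(SYS_unshare, NS_USER | NS_PID | NS_UTS | NS_MNT) != 0) _exit(2);
        pid_t inner = fork();                       /* a new PID namespace applies to children only */
        if (inner == 0) report_inside(fds[1]);
        if (inner > 0) waitpid(inner, NULL, 0);
        _exit(inner > 0 ? 0 : 2);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], out, sizeof *out);
    close(fds[0]); waitpid(child, NULL, 0);
    if (n != (ssize_t)sizeof *out) return 0;        /* nothing reported: namespaces were refused */
    return out->pid == 1 ? 1 : -1;
}

int main(void) {
    struct inside_view v;
    int rc = run_isolated(&v);
    if (rc == 1) printf("inside: pid=%d hostname=%s (the host's hostname is unchanged)\n", v.pid, v.hostname);
    else printf("could not create namespaces here (rc=%d)\n", rc);
    return 0;
}
```

The cgroup half is not shown: a runtime would additionally write the isolated process's PID into the cgroup.procs file of a cgroup under /sys/fs/cgroup to apply CPU and memory limits.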

In the example below, we have shown only the hard disk as a resource, but this applies equally to network, memory, CPU, and nowadays even GPUs.


One last comment before we close: as you can see from the examples above, the container runtimes share the kernel of the operating system. That means we can run Linux containers only on Linux-based operating systems (since all of the different distros are essentially based on the same Linux kernel), and Windows containers only on Windows operating systems.

In the next part, we will see how containers actually run in Docker. Until then stay safe!


Popular Posts