
Container Can Be Defined As Isolation With Some Resource Limits

Docker uses namespaces and cgroups to create isolated containers with resource limits on Linux systems. Namespaces provide isolation for processes, networking, filesystems, and users/groups. Cgroups impose limits on disk I/O, RAM, and CPU usage. The Docker engine makes it easy to leverage these Linux kernel features to build and run containerized applications.

Uploaded by

srinivasth

Docker Internals

Let's Start From Container

• A container can be defined as isolation with some resource limits.
• So, the host system can create multiple different containers.

How Are Isolations Created & Resource Limits Applied?


• Isolations on Linux machines are created using a Linux kernel feature called Namespaces. For more info, Click Here.
• Resource limits are applied using a kernel feature called cgroups (Control groups). For more info, Click Here.
• Working with namespaces & cgroups directly is difficult, but here Docker comes to the rescue.
• Docker Engine makes it easy to create isolated areas & resource limits.

Namespaces

• Namespaces are a Linux feature.
• There is an interesting article on namespaces over here. You can skip the code & look at the images.
• To be very specific:
  • PID namespace (process namespace) creates the isolated process tree inside the container. (Note: this is a link to an image from this article.)
  • net namespace (network namespace) creates the isolated networking for each container, with its own network interface. (Note: this is a link to an image from this article.)
  • mount namespace creation allows each container to have a different view of the entire system's mount points. This allows containers to have their own file system view, which starts from root. (Note: this is a link to an image from this article.)
  • user namespace allows creating a whole new set of users & groups for the containers.
• Fortunately, even in the Windows world we have namespaces now. The purpose of the namespace is the same, but the underlying implementation differs. Refer to this article.

cgroups (control groups)

• cgroups is a Linux kernel feature.
• Control groups are used to impose limits. We can impose limits on disk I/O, RAM & CPUs using control groups.
• Fortunately, even in the Windows world we have control groups now. The purpose of control groups is the same, but the underlying implementation differs. Refer to this article.

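
The two mechanisms above can be checked from the host. The following is an added example, not part of the original document: it compares a container process's namespace identifiers (the link targets under /proc/<pid>/ns) with the host's to see which of the four namespaces are actually isolated, and interprets cgroup v2 limit files. It assumes the cgroup v2 file names memory.max, cpu.max and io.max; all sample values are constructed.

```python
import os

NAMESPACES = ("pid", "net", "mnt", "user")  # the four namespaces described above

def read_ns(pid):
    """Live lookup on Linux: {'pid': 'pid:[4026531836]', ...} from /proc/<pid>/ns."""
    return {ns: os.readlink(f"/proc/{pid}/ns/{ns}") for ns in NAMESPACES}

def shared_namespaces(host_ns, container_ns):
    """Namespaces whose identifier matches the host's, i.e. not isolated."""
    return [ns for ns in NAMESPACES if host_ns[ns] == container_ns[ns]]

def parse_cgroup_limits(files):
    """Interpret cgroup v2 control files; the literal 'max' means 'no limit'."""
    mem = files.get("memory.max", "max").strip()
    quota, period = files.get("cpu.max", "max 100000").split()
    io = {}
    for line in files.get("io.max", "").splitlines():
        if not line.strip():
            continue
        dev, *pairs = line.split()  # e.g. "8:0 rbps=1048576 wbps=max"
        caps = dict(p.split("=") for p in pairs)
        caps = {k: int(v) for k, v in caps.items() if v != "max"}
        if caps:
            io[dev] = caps
    return {
        "memory_bytes": None if mem == "max" else int(mem),
        "cpus": None if quota == "max" else int(quota) / int(period),
        "io": io or None,
    }

def audit(host_ns, container_ns, cgroup_files):
    """List isolation gaps: namespaces shared with the host and missing limits."""
    findings = [f"shares host {ns} namespace"
                for ns in shared_namespaces(host_ns, container_ns)]
    limits = parse_cgroup_limits(cgroup_files)
    findings += [f"no {name} limit" for name, v in limits.items() if v is None]
    return findings

# Constructed sample values (not captured from a real host): the container
# has its own pid and mnt namespaces but shares net and user with the host.
HOST = {"pid": "pid:[4026531836]", "net": "net:[4026531840]",
        "mnt": "mnt:[4026531841]", "user": "user:[4026531837]"}
CONTAINER = {"pid": "pid:[4026532201]", "net": "net:[4026531840]",
             "mnt": "mnt:[4026532199]", "user": "user:[4026531837]"}
CGROUP = {"memory.max": "536870912\n", "cpu.max": "150000 100000\n", "io.max": ""}

if __name__ == "__main__":
    for finding in audit(HOST, CONTAINER, CGROUP):
        print(finding)
```

On a real Linux host, `read_ns(1)` and `read_ns(<container process PID>)` supply the two namespace maps in place of the constructed ones.
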
Containers also have Layers for Filesystems

This will be discussed in another article very soon.

Docker Underlying Components

The underlying components of Docker, as per the latest implementation, look as shown.

The specific Linux implementation is shown below.

The specific Windows implementation is shown below.
