Nowadays, docker is a buzzword in the industry and docker has taken a major role in the application development workflow. There are many articles but this is not about what is docker? This article is more about behind the screen!! Why this is because last month I was working on AWS, for this purpose I have created one image (RHEL Linux distro). I have faced some issue so when I discuss with my colleague, He said your Image is not tunned. This is where I started exploring what is underneath for docker and come up with this conclusion.
Docker is more optimized and specifically tunned Linux kernel image.
This image will give you a more clear picture than words. Why docker. Docker is more popular because of quick startup time. Docker is starting instantly and it will save time and efforts. How docker startup instantly? Let us understand this is below
Let us first understand the virtualization method.
Virtualization is categorized based on how it mimics the hardware to guest OS(operating system).
Emulation:- If you are familiar with the emulator such as an android emulator or iOS emulator over your OS. Emulation is full virtualization runs the virtual machine OS kernel entirely in software. In below diagram hypervisor is the full virtualization. This is installed entirely on top of the host OS. The responsibility of this layer to convert for translating guest kernel code to host os instructions. This hypervisor is aka Type-2 hypervisor. The cons of this type are additional system resource overhead that leads to a decrease in performance compared to others. e.g QEMU, VirtualBox, VMware.
Hardware-Assisted Virtualization:- This is aks Intel Virtualization Technology. The idea is to trap execution calls and send them to the virtualization system as the goal is to have most calls run natively and only trap/VMM a small subset of calls.
Paravirtualization:- This is aka Type-1 hypervisor this runs directly on hardware or bare metal and provides the virtualization. The Xen hypervisor is like an operating system of operating systems. It helps the OS, the virtualized hardware, and the real hardware to collaborate to achieve optimal performance. These hypervisors typically have a rather small footprint and do not themselves, require extensive resources. e.g KVM.
FreeBSD Jails:- Ideally free BSD jails are very similar to the lxc container. This is called as other operating system level virtualization. FreeBSD Jails were first introduced in 2000, long way before LXC containers (introduced in 2008) or Docker (introduced in 2013) was released. FreeBSD jails are very similar to docker but its only be used on freeBSD. This is the disadvantage over docker.
Container-based virtualization:- This is aka operating system level virtualization. These runtimes are the platform-dependent parts of the containerization technology as opposed to the platform independent parts that deal with handling the images, etc. The OS level virtualization enables multiple isolated process executions within a single operating system kernel.
e.g LXC, libcontainer.
Container and docker is not a new technology this is the one distro of Linux kernel with limited resource
Let us see some Linux tech stack used in docker.
ulimit a command that lets you set a per-process limit on things like the number of open files.
chroot change the root filesystem. This is a very ancient feature inherited from BSD. This is like jailed inside the directory as its root file system unknown to the entire world.
cggroups process group resource limit. In 2008 Google engineers contributed an important feature to the Linux kernel. A process could be constrained to use their allocated resources. Linux distributions expose cgroups in their filesystem under /sys/fs/cgroup
namespaces This is really the most important contributor to container technology. The namespace will allow you to launch a different network stack for a certain process on.
Union file systemUnionfs is a filesystem service for Linux, FreeBSD & NetBSD which implements a union mount for other file systems. It allows files and directories of separate file systems, known as branches, to be transparently overlaid, forming a single coherent file system.
seccompProtecting the system calls Process level. This is the one-way docker providing security. This is how a process allowed to make which system call.
AppArmor and SELinuxMandatory access control system. This is protecting system calls at a system level.
Container runtimeThe two main container runtime is runc and rkt. runs used by docker.
When you are putting everything together within one bucket then the docker container will get the form.
This is what I know and I hope this will be helpful to you.