Docker – is a software package installed on a server and includes all the tools and utilities needed to build and run containers. Docker provides a command-line interface, the CLI, or console that users use to build images, create container registries, load images from container registries and then start and manage containers.
What is Docker?
Docker is known for providing isolation environments for applications as well as crossplatform support. It simply separates the application environment from the host machine and runs the application in an isolated manner. A Docker container can be thought of as an isolated process rather than a virtual machine. The whole idea of Docker is to easily develop applications, ship them into containers which can then be deployed anywhere – Linux, MAC OS, Windows with Docker installed.
Docker and Container Runtimes
Running containers in the Docker environment requires four fundamental components: the Docker engine, the underlying daemon, container runtime and the container itself.
Docker – is a software package installed on a server and includes all the tools and utilities needed to build and run containers. Docker provides a command-line interface, the CLI, or console that users use to build images, create container registries, load images from container registries and then start and manage containers.
Daemon – The Docker engine doesn’t manage containers directly, but instead relies on a separate module or high-level daemon process which is part of the Docker package called dockerd. It listens to Docker API requests and manages docker object such as images, containers, volumes, etc.
Runtime – The container runtime is the low-level component that creates, runs, and destroys containers. Docker currently uses runC, the most popular runtime, which adheres to the OCI (Open Container Initiative) standard (a popular and accepted standard for container images and runtimes). It implements OCI specifications and runs the container processes.
Containers – Finally, the containers are created from existing images; a runtime instance of an image – what the image becomes when executed.
Docker Container Isolation
Docker containers run directly on the host OS. Essentially it doesn’t have a separate kernel to run its containers. It utilizes the same resources as the host OS. However, a container runs with the feeling that it is a separate OS. How does this happen? Docker utilizes some linux kernel technologies to realize container isolation. Each Docker container has its own namespaces, cgroups and filesystems. These three features help us to understand working on Docker containers.
Namespaces: – Each container has its own multiple namespaces, and each namespace has a different type of information about the OS. For example, the MNT namespace has information about mounted filesystems that containers can use; similarly, a USER namespace has information about container users and group IDs.
Control groups: – Control groups are responsible for managing resource usage of containers such as CPU, memory, disk I/O and network. We can also restrict usage limits using Control groups.
Filesystems: – Docker containers use a stackable filesystem that means files and directories in different branches can be overlaid to make a single file system. It helps us to avoid duplicating data each time we deploy the container.
So, to isolate containers and their processes, two Linux kernel features; namespace and control groups (cgroup) are used. It exploits these features to let you use host OS resources more efficiently.
Docker Container and It’s Processes
The parent container process may have a child process, this means a container is also a group of processes. Each container has its isolated userspace and we can run multiple containers on a single Linux Host.
Security
Docker containers are, by default, quite secure; especially if you run your processes as non-privileged users inside the container. More so, there is great isolation among applications running as a container because each container has its own filesystem, namespace, and groups as explained above. So, if any application is attacked by any intrusion or malware, it will only affect that single container.
