WTF is a Container?

2020/07/07

Nowadays (and for quite a while now) everything seems to be somehow related to “containers”. Astonishingly, not a lot of people really know what a container actually is.

And it’s quite hard to find good technical information about this on the internet. If you search for it, you’ll find a shitload of crappy medium.com postings from some neighborhood startups, all talking about Docker and Kubernetes, but nobody explaining the underlying tech layer that makes all of this possible. Funnily enough, some of the most valuable information is in man pages which you most likely already have on your Linux machine.

Wrong

Most people seem to think that Docker images are containers, but this is wrong. A Docker image is just a layered (compressed) file system plus some metadata, from which a container can be spawned. The image is a static artifact; the container is the running, isolated process that was started from it, and the same image can be used to start any number of containers.

Also, Kubernetes pods are not containers. A pod consists of at least one container, but several can be bundled together in one pod (they then share some things, like the network namespace, which is why they can talk to each other via localhost). I’ll try to write something about that in the future.

And containers are not “some kind of virtualization”: they are process and resource isolation. There is no hypervisor and no guest kernel involved; every container runs on, and shares, the host’s kernel.

So what does this mean?

What everybody is calling a container is actually just one or more processes that a bunch of Linux kernel features isolate from the rest of the system. Usually it also gets some resources assigned, like networking, disks and CPU shares.

The two kernel features that enable this are namespaces and cgroups. Namespaces define what a process can “see” (which processes, mounts, network interfaces, users and so on exist from its point of view), and cgroups (short for “control groups”) define what, and how much of it, a process is allowed to use.

There are currently namespaces for: cgroup, IPC, network, mount, PID, time (the newest one, added in Linux 5.6), user and UTS (hostname and NIS domain name). See man 7 namespaces for the full list.

And there are cgroup controllers for basically any resource a process would want to use: CPU time, memory, block I/O, the number of PIDs, device access and more.
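To make the two features concrete, here is an added example written for this page (it is not code from the original post): a tiny “container” built straight from the syscalls, in C. clone(2) with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS gives the child its own user, PID and UTS namespaces, so it sees itself as PID 1 and can rename the host without the change leaking back to the parent; a best-effort cgroup v2 memory limit shows the resource side. The hostname string, the cgroup name and the 64M limit are assumptions chosen for the demo. Linux only; build with gcc -Wall -o ns_demo ns_demo.c and run it as a normal user.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)
#define NEW_HOSTNAME "inside-the-namespace" /* hypothetical name, only for the demo */
#define CG_NAME "ns-demo"                   /* hypothetical cgroup name, only for the demo */

enum iso_status { ISO_OK = 0, ISO_UNSUPPORTED = 1, ISO_ERROR = 2 };
struct iso_result {
    enum iso_status status;
    int child_pid_inside;          /* what getpid() returned inside the new PID namespace */
    int parent_hostname_unchanged; /* 1 if the child's sethostname() stayed in its UTS ns */
};

/* Child body, already running in the fresh user/PID/UTS namespaces. No stdio in here. */
static int child_fn(void *arg) {
    int *pipefd = arg, report = -1;
    close(pipefd[0]);
    /* sethostname() wants CAP_SYS_ADMIN in the user namespace that owns the UTS
     * namespace; the new user namespace grants us that, so no root on the host. */
    if (sethostname(NEW_HOSTNAME, strlen(NEW_HOSTNAME)) == 0)
        report = (int)getpid(); /* 1: this process is init of the new PID namespace */
    if (write(pipefd[1], &report, sizeof report) != (ssize_t)sizeof report)
        return 1;
    return 0;
}

/* Namespaces: spawn an isolated child and record what it saw and what leaked back. */
struct iso_result run_isolated(void) {
    struct iso_result r = { ISO_ERROR, -1, 0 };
    char before[256] = {0}, after[256] = {0};
    int pipefd[2], report = -1, wstatus;
    if (gethostname(before, sizeof before - 1) != 0 || pipe(pipefd) != 0)
        return r;
    char *stack = malloc(STACK_SIZE);
    if (!stack) return r;
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
    pid_t pid = clone(child_fn, stack + STACK_SIZE, flags, pipefd); /* stack grows down */
    if (pid == -1) {
        /* EPERM/EINVAL/ENOSYS: user namespaces disabled by sysctl, kernel config or
         * seccomp (Docker's default profile blocks this), not a bug in the demo. */
        r.status = (errno == EPERM || errno == EINVAL || errno == ENOSYS) ? ISO_UNSUPPORTED : ISO_ERROR;
        free(stack); close(pipefd[0]); close(pipefd[1]);
        return r;
    }
    close(pipefd[1]);
    ssize_t n = read(pipefd[0], &report, sizeof report);
    close(pipefd[0]);
    waitpid(pid, &wstatus, 0);
    free(stack);
    if (n != (ssize_t)sizeof report || report < 0 || gethostname(after, sizeof after - 1) != 0)
        return r;
    r.child_pid_inside = report;
    r.parent_hostname_unchanged = (strcmp(before, after) == 0);
    r.status = ISO_OK;
    return r;
}

static int write_str(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int rc = (write(fd, s, strlen(s)) < 0) ? -errno : 0;
    close(fd);
    return rc;
}

/* cgroups (v2, best effort): create /sys/fs/cgroup/CG_NAME, cap its memory and move
 * `pid` into it; children inherit the cgroup. Needs root and the memory controller
 * enabled in the parent's cgroup.subtree_control. Returns 0 or -errno. */
int apply_memory_limit(pid_t pid, const char *limit) {
    char path[128], pidstr[16];
    snprintf(path, sizeof path, "/sys/fs/cgroup/%s", CG_NAME);
    if (mkdir(path, 0755) != 0 && errno != EEXIST) return -errno;
    snprintf(path, sizeof path, "/sys/fs/cgroup/%s/memory.max", CG_NAME);
    int rc = write_str(path, limit);
    if (rc != 0) return rc;
    snprintf(path, sizeof path, "/sys/fs/cgroup/%s/cgroup.procs", CG_NAME);
    snprintf(pidstr, sizeof pidstr, "%d", (int)pid);
    return write_str(path, pidstr);
}

int main(void) {
    int rc = apply_memory_limit(getpid(), "64M");
    printf("cgroup memory.max=64M: %s\n", rc == 0 ? "applied" : strerror(-rc));
    struct iso_result r = run_isolated();
    if (r.status == ISO_OK)
        printf("child saw getpid()=%d; hostname change stayed inside: %s\n",
               r.child_pid_inside, r.parent_hostname_unchanged ? "yes" : "NO");
    else
        printf("namespaces: %s\n", r.status == ISO_UNSUPPORTED ? "not permitted here" : "unexpected error");
    return r.status == ISO_ERROR;
}
```

Run as a normal user, the namespace half works on most distributions (that is what user namespaces are for), while the cgroup half reports “Permission denied” until you run it as root; afterwards remove the leftover directory with rmdir /sys/fs/cgroup/ns-demo. If clone() fails with EPERM you are probably already inside a container whose seccomp profile forbids creating new namespaces. The same CLONE_NEW* flags are what a real runtime such as runc hands to the kernel; what the demo leaves out is everything a runtime adds on top (a mount namespace with pivot_root, dropped capabilities, a seccomp filter, the network namespace wiring). And the caveat from above still holds: the child runs on the host kernel, so a kernel bug reachable from inside the namespaces is a container escape.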

I want more information!

Some people were already very nice and wrote a lot of information in man pages, so I will not copy that content onto my site to look smart. Good starting points are man 7 namespaces and man 7 cgroups. In there you’ll find pointers to more detailed information on the specific namespaces and cgroup controllers (for example man 7 pid_namespaces and man 7 user_namespaces).

Yes, I did just tell you to RTFM ;-)