What is a Docker container?
A Docker container is a software unit that bundles an application together with all of its dependencies. It provides OS-level virtualization: an isolated environment on top of the operating system that shares the host kernel but is isolated in terms of processes, network and filesystem mounts. Docker packages the code and its dependencies into an image, and that image is used to create containers at runtime. Containers are isolated from each other and each lives in its own environment. Look at this article for a more in-depth understanding of the Docker architecture.
Docker Container example
To explain it with an example, think of a simple Spring Boot based RESTful API application. This application consists of a jar file, dependent libraries, the Java JRE and an application server such as Apache Tomcat. The application, its dependencies, Java and the application server are packaged into a file known as a Docker image. This file is stored in a Docker repository. To run this image, we need to install Docker on a machine. We then download the image and run it on Docker. The software unit that is running in Docker is known as a ‘container’. We can run multiple containers on the same Docker platform. All containers share the operating system kernel but do not share the PID, network and file mount namespaces.
Docker container Dockerfile
A Docker image is created by writing a Dockerfile: a list of commands, each of which adds a layer, building up the final Docker image.
In our Spring Boot example, we have one layer that contains our application, another that contains Java and another for the application server. Docker combines the layers to form the image. Note that the Docker platform stores only a single copy of a layer, so if multiple containers use Java, they share the same Java layer.
Docker container isolation
Containers accomplish isolation with the help of Linux kernel cgroups and namespaces. Linux namespaces allow a process to see only the resources that belong to its namespace. There are 7 different kinds of namespaces, but let's look at a few.
The first namespace is the process ID, or pid, namespace. It gives processes an independent set of process IDs that are not visible to other processes. Containers use this to ensure that one container cannot see the processes of another namespace, or even those of the host.
The second namespace is network. This allows each namespace to have its own IP addresses, routing tables, firewall rules and other network-related resources.
The third namespace is mount, which controls filesystem mount points.
The fourth namespace is ipc, which manages inter-process communication.
The fifth namespace is uts (UNIX time-sharing system), which isolates the kernel and version identifiers.
In addition to namespaces, containers use another feature of the Linux kernel known as cgroups (control groups). cgroups limit the CPU, memory, disk I/O and other resource usage of a process or a collection of processes.
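To see the namespace and cgroup mechanisms above from the host side, here is an added example (not from the original article) that audits a running process: it compares the process's /proc/<pid>/ns/* inodes with those of PID 1 to report which namespaces actually isolate it, and reads its cgroup v2 cpu.max and memory.max limits. The file paths are the standard Linux ones; the assumption that the host uses the cgroup v2 unified hierarchy is noted in the code.

```python
import os
from pathlib import Path

# Namespace kinds exposed under /proc/<pid>/ns/ (the seven kinds discussed above).
NAMESPACES = ("pid", "net", "mnt", "ipc", "uts", "user", "cgroup")

def parse_ns_link(target: str) -> tuple[str, int]:
    """Split a /proc/<pid>/ns/* symlink target such as 'pid:[4026531836]'."""
    kind, _, inode = target.partition(":[")
    return kind, int(inode.rstrip("]"))

def read_ns_links(pid: int) -> dict[str, str]:
    """Read the namespace symlinks of a process (needs permission on /proc/<pid>)."""
    links = {}
    for ns in NAMESPACES:
        try:
            links[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            pass  # namespace type not supported by this kernel, or no permission
    return links

def isolated_namespaces(proc_links: dict, host_links: dict) -> set[str]:
    """Namespaces whose inode differs from the host's, i.e. where the process is
    really isolated. A container started with the host network would lack 'net' here."""
    return {ns for ns in NAMESPACES
            if ns in proc_links and ns in host_links
            and parse_ns_link(proc_links[ns])[1] != parse_ns_link(host_links[ns])[1]}

def parse_cpu_max(text: str):
    """cgroup v2 cpu.max holds '<quota> <period>' in microseconds, or 'max' for no
    limit. Returns the number of CPUs the group may use, or None if unlimited."""
    quota, period = text.split()
    return None if quota == "max" else int(quota) / int(period)

def parse_memory_max(text: str):
    """cgroup v2 memory.max holds a byte count or 'max' (no limit)."""
    text = text.strip()
    return None if text == "max" else int(text)

def audit(pid: int, host_pid: int = 1) -> dict:
    """Compare a process with the host's PID 1 and read its cgroup v2 limits.
    Assumes the cgroup v2 unified hierarchy mounted at /sys/fs/cgroup."""
    report = {"isolated": isolated_namespaces(read_ns_links(pid), read_ns_links(host_pid))}
    cg_path = Path(f"/proc/{pid}/cgroup").read_text().splitlines()[0].split(":", 2)[-1]
    base = Path("/sys/fs/cgroup") / cg_path.lstrip("/")
    for name, parser in (("cpu.max", parse_cpu_max), ("memory.max", parse_memory_max)):
        f = base / name
        report[name] = parser(f.read_text()) if f.exists() else "unset"
    return report

if __name__ == "__main__":
    print(audit(os.getpid()))
```

Run it against a containerised process's PID from the host to confirm that pid, net and mnt really differ from PID 1 and that a CPU or memory limit is in force.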
This finishes the article on introduction to Docker containers.