Shipping with containers !

If deploying software is hard, time-consuming, and requires resources from another team, then developers will often build everything into the existing application in order to avoid suffering the new deployment penalty.

— Karl Matthias

Introduction to docker

What is docker :-
Docker is a container platform, that allows you to separate your application from the underlying infrastructure by bundling up your code and all its dependencies into a self contained entity that will run the same on any supported system.

docker container high level architecture

Having a code run inside of a container means that it’s isolated from other processes and other containers. So, each container can have its own process space, network stack, resource allocation etc.

How docker containers are different from VM ?

VM high level architecture

Docker high level architecture

When we run a VM, the OS that we’re using in the VM is running on virtualized h/w. That means we are running s/w that emulates h/w and then running a full OS on top. One big drawback of using VMs is they con contain thousands of files that our app don’t need hence consume more resources.

Docker actually cuts down the guest OS. Where VMs run the entire OS, docker shares the kernel with the host OS.

Docker Architecture :-

Docker Client-Server Architecture

Docker uses a client-server architecture. The server part is docker daemon which is responsible for handling objects(images, containers and networks). The daemon exposes a REST API that client consumes over UNIX sockets or a network interface. The client is the the docker binary (i.e whenever we use the docker command, that’s the client.)

How Client and Daemon interact together

Docker is actually built on very well established Linux Kernel features, that when combined together, allow processes to run in isolated environments.

Let’s go through the technologies, to understand how they combine into 1 product. :-

1. Namespaces (feature #1 used by docker)

So, namespaces allow for isolated aspects of a system’s resources. There are additional linux namespaces, the ones mentioned below are used by the docker. So, when they are used together , they allow a very high level of process isolation.

• The pid namespaces: Process isolation (PID: Process ID). (i.e, each namespace has its own set of process ids).
• The net namespace: Managing network interfaces (NET: Networking). (i.e, each net namespace has set of its own ip addr, firewall, routing table, etc)
• The ipc namespace: Managing access to IPC resources (IPC: InterProcess Communication). (i.e, ipc namespaces allows processes to be isolated from SysV-style interprocess communication)
• The mnt namespace: Managing filesystem mount points (MNT: Mount). (i.e, isolation of file system mount)
• The uts namespace: Isolating kernel and various identifiers. (UTS: Unix Timesharing System). (i.e, allows isolation of hostname)

2. Control Groups (feature #2 used by docker)

Control groups are used to limit resource allocation. Since containers allow processes to run in isolation, we can’t have any single process consuming all of the resources. Cgroups(Control groups) allow for sort of limits to be set on different subsystems, which ensures that procsses aren’t going to be taking more than they should be allowed.

• Resource limiting : groups can be set to not exceed a configured memory limit.
• Prioritisation: some groups may get a larger share of CPU utilisation or disk I/O throughput.
• Accounting: measures a group’s resdurce usage.
• Control: freezing groups of processes

3. UnionFS

This functiality helps to keep down overall size of docker containers as well. Union filesystem helps with a base image and can merge in any changes.
When we create a docker container we have a starting image, which is a set of files that make up the base image for our container. As we start making customizations by adding or removing packages, files, directories, etc, those create different layers, each layer is a set of file changes that the union file system can merge into the previous layer.
Because of this layered design we don’t end up with duplicate files because each layer just needs to know about the changes.

• Merging: overlay filesystem branches to merge changes.
• Read/Write: branches can be read-only or read-write

And we are done with the introduction to docker, now we know why ships carry containers, lol !!!