In this article we are going to do a technology deep dive and start understanding the foundational Linux kernel features that software like Docker is using to make the containers work and provide those isolated environments that we all use. then towards the end of this section, we’ll also take a look at the docker system architecture.
The building blocks of containers
There are three technologies that make up the core of a container.
- Namespaces
- Control groups
- Union file systems
Namespaces
The technical definition of Namespaces – “A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. Changes to the global resource are visible to other processes that are members of the namespace but are invisible to other processes.”
Now simpler terms Namespaces are a way, or a mechanism used to wrap any global system resource such that the processes that are running within the namespace thinks that they have their own isolated instance of that resource, and they cannot see things happening outside of their own instance. Its just like the processes do not know what’s happening outside the namespace, they are only worried about what’s confined inside that particular namespace.
For example, there is a namespace called PID, the full form is Process ID namespace. The PID namespace is isolated within a container such that within the PID namespace, the process you will run will appear to be process ID number one even though there may be tons of other processes running on the host. From inside the container, we don’t know anything about those host processes, and we essentially think that we are the only thing running in this system.
C groups or Control groups
The technical definition of Control groups – “a Linux kernel feature which allow processes to be organized into hierarchical groups whose usage of various types of resources can then be limited and monitored.”
C groups are a Linux kernel feature that allows us to organize our processes into groups which we can then limit and monitor access to certain resources. The reason why C groups are important is that it allows us to avoid something called a “Noisy Neighbor” problem where one application is very resource hungry, and it starves the other applications of resources. By using c groups, we can isolate them from a performance perspective.
Union Mount Filesystems (OverlayFS)
The Technical definition of Union Mount Filesystems – “Union Mount Filesystems (overlayfs) allows files and directories of separate file systems, known as branches, to be transparently overlaid, forming a single coherent file system. Contents of directories which have the same path within the merged branches will be seen together in a single merged directory, within the new virtual filesystem.”
OverlayFS is an example of Union Mount Filesystems that Docker uses. It allows you to take separate file systems and combine them into a unified view that you can then operate on. Let’s understand this with the help of an example:
So in the image you can see we have a lower file system and an upper file system with various files. We have got file – 1, file -2b and file – 4 in the lower layer. And in the upper layer we have a different file that is file – 3 and then we also have a deleted file file – 4. When we combined these layers into the overlay we ended up with a combination of those two things where the upper layer takes precedence over the lower layer and so we have file – 1, file – 2b and file – 3.
While namespaces and C groups are sort of what make containers possible. This concept of a union map file system is what makes containers practical. Because of this layered approach we are able to share lower layers and cache those layers such that the amount of data that needs to be transferred and stored for container images is much smaller. This is because many images can share a common lower layer and then only some subset of the upper layers can be modified which enables us to move less data when we need to get a container image onto a system and allocate less space if we’re running multiple copies of the same container.
Docker Desktop Architecture
This is a diagram of the Docker desktop application. On the left hand side is the client application which is the thing that we will be interacting with. In the client application there is are number of elements:
The Docker CLI: Whenever you are going to the command line and typing Docker run or Docker pull you are interfacing with that Docker CLI.
The Docker GUI: There is also a graphical user interface which is useful for browsing the images we have on your system. You can also do things like configure how much CPU and memory and disk space the docker application has access to.
Docker credential Helper: Registry is a place where we can store we can push images to and pull images from and in order to have a private registry you need some way to log in. So the docker credential helper is a mechanism to help store the necessary credentials to do the authentication for that.
Extensions: Extensions are a relatively new feature of Docker that are third-party pieces of software that plug into the client and provide additional functionalities to the user.
When you install Docker desktop on your system it also creates a Linux virtual machine. For Mac OS Docker uses a hypervisor and installs a Linux virtual machine and then within that virtual machine it sets up two things – it sets up the server host application and that is known as the docker Daemon or Docker D that exposes the Docker API. When someone executes a command from the command line that command gets passed to the Docker Daemon which is listening via that Docker API and then it executes whatever the command is specifying within that server host application.
Then there is an optional Kubernetes cluster that gets configured and installed within that virtual machine. This can be a nice to have if you are developing for Kubernetes. You can leverage that cluster directly without having to install and configure a separate cluster.
And then finally we have Registry, it is a place to store container images and share those container images with a team or with the world or with wherever you are deploying your containers to. For example, Docker Hub. Docker Daemon when it needs to get an image that it is not building locally, it will go to some registry like Docker Hub and pull that image into the host environment.
Docker Desktop walkthrough
In this section we will go through the Docker Desktop application and understand how to use it to work with containers. Firstly you can download Docker Desktop from the Docker official website. You will automatically get Docker upon installing the Docker Desktop.
When you open the Docker Desktop application, In the top left corner you will see a similar interface:
This is where you can select if you want to work on Images or Containers or any other component. Let’s discuss how we can run containers, stop them and delete the container Images from the Docker Desktop interface:
Running a Container Image:
For running a Container image, select the Images section in the top left corner and you will get a list of Container Images. You can simply run the container image you want to run by clicking on the run button corresponding to it:
You will See that the Nginx container starts running:
If you have the Container image locally, you can also go to the Docker Hub in the Application it finds the container image there.
Stopping a Container
Again, stopping a container is very straight forward in the Docker Desktop UI. Firstly, go to the Containers section where you will see a list of running or stopped Containers. You can simply click on the stop button (the run button will be converted to the stop button once the Container is running).
Once you click the stop button. The Container will be stopped and the status instead of Running will say Exited:
Deleting the Container Image
For deleting the Container Image, you can simply go to the Images section and click on the Delete button.
It will ask you if you wish to Delete the image forever, if yes, the image will be removed from the memory.
Conclusion
We started out with the building blocks of containers which are Namespaces, Control groups and Union file systems. In summary, Namespaces are mechanism used to wrap any global system resource such that the processes that are running within the namespace thinks that they have their own isolated instance of that resource. Control groups are also similar to this but we use control groups for explicitly giving the control of certain resources to the processes.
Union Mount Filesystems for example OverlayFS, allows us to take separate file systems and combine them into a unified view that we can then operate on. And towards the end of the article, we discussed the Architecture of Docker Desktop.
FAQs on Docker Desktop Architecture and Linux Building Block for Containers
1. Is Docker Engine Same as Docker Desktop?
Answer
No, Docker Engine is a technology for building and containerizing applications. While Docker Desktop is an application that uses Docker Engine and also other technologies, and has a lot of other features like GUI, CLI as well.
2. Can Docker Run Without Internet?
Answer
Yes, Docker can run without Internet. But most of the Docker features requires an active internet connection.
3. Is Docker a Container Runtime?
Answer
No, Docker Engine is a container runtime. Docker is a tool to build, share, and run container applications.
4. Can Docker Run on Windows?
Answer
Yes, Docker also runs on Windows.To know how to install docker on windows refer to the How to Install Docker on Windows?.
5. Is Docker a Build Tool?
Answer
Yes, Docker is also a build tool. But it is actually way more than just a build tool.
6. Can Docker Run on Virtual Machine?
Answer
Yes, Docker can be used on a virtual machine.
Share your thoughts in the comments
Please Login to comment...