5. Introduction to Containers
❖ Environment Standardization
❖ Isolation
❖ Lightweight
❖ Portable
❖ Application Centric
[Diagram: three stacks side by side. Bare-metal: Infrastructure, Host Operating System, OS + Apps. Virtualization: Infrastructure, Hypervisor, then one VM per app, each with its own Guest OS, Bins/Libs and App (A, B, C). Containers: Infrastructure, Host Operating System, Container Runtime, then one container per app holding only Bins/Libs and App (A, B, C); the containers share the host kernel.]
6. Container Internals
[Diagram: the VM-versus-container stack comparison from slide 5, repeated, followed by a Linux architecture diagram: Hardware (CPU, RAM, hard disk/CD, terminal equipment, network adapter) at the bottom; Kernel Space above it with process management and the scheduler, memory management, file systems and file system types, block and character devices, device drivers, network protocols and drivers, and architecture-specific code, exposed to User Space through the system call interface (the Linux kernel gateway); User Space on top with system software, middleware, applications and tools.]
Containers are not like VMs. A container is just a normal process on the host machine.
7. Container Internals
Cgroups - Do resource metering and usage limiting for resources such as:
▪ CPU
▪ Memory
▪ Block I/O
▪ Network
Namespaces - Give processes their own view of the system.
Union file system - A file system that operates by creating layers, which makes containers very lightweight and fast.
Container format - Combines namespaces, control groups and UnionFS into a wrapper. The default container format is libcontainer.
Namespaces: pid, net, mnt, uts, ipc, user
Networking: veth, bridge, iptables
Cgroups: cpu, cpuset, memory, blkio, device
Security: capabilities, SELinux, seccomp
File system: device mapper, btrfs, aufs
8. Container Internals – Cgroups
Control groups (cgroups) are a Linux kernel feature that limits, isolates and measures the resource usage of a group of processes. Resource quotas for memory, CPU, network and I/O can be set. Introduced in Linux kernel 2.6.24.
❖ blkio – Sets limits on I/O access to and from block devices such as physical drives
❖ cpu – Sets limits on the available CPU time
❖ cpuset – Assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup
❖ devices – Allows or denies access to devices
❖ freezer – Suspends or resumes tasks
❖ memory – Sets limits on memory use by tasks
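Added Python example, not from the slides: it reads the cpu and memory controller limits of the cgroup a process belongs to, so that, run inside a container, it shows whether the --cpus and --memory values given to docker run are actually enforced. Assumes a cgroup v2 host with the unified hierarchy mounted at /sys/fs/cgroup.

```python
"""Read the cgroup v2 CPU and memory limits that apply to a process.

Added example, not from the slides. Assumes a cgroup v2 host with the
unified hierarchy at /sys/fs/cgroup (what current Docker uses). Run it
inside a container to confirm that the --cpus / --memory values given to
`docker run` are really enforced on the container's cgroup.
"""
from pathlib import Path
from typing import Optional

CGROUP_ROOT = Path("/sys/fs/cgroup")


def parse_proc_cgroup(text: str) -> Optional[str]:
    """Return the cgroup v2 path from /proc/<pid>/cgroup (the '0::/path' line)."""
    for line in text.splitlines():
        hier_id, controllers, path = line.split(":", 2)
        if hier_id == "0" and controllers == "":    # unified (v2) entry
            return path
    return None                                     # only cgroup v1 lines present


def parse_cpu_max(text: str) -> Optional[float]:
    """cpu.max is '<quota> <period>' in microseconds, or 'max <period>' for no
    limit. The ratio is the CPU count as `docker run --cpus` expresses it."""
    quota, period = text.split()
    return None if quota == "max" else int(quota) / int(period)


def parse_memory_max(text: str) -> Optional[int]:
    """memory.max is a byte count, or 'max' for no limit."""
    value = text.strip()
    return None if value == "max" else int(value)


def limits_for(pid: int = 1) -> dict:
    """Limits of the cgroup <pid> belongs to; inside a container PID 1 is
    the entrypoint and /proc/1/cgroup usually reads '0::/'."""
    rel = parse_proc_cgroup(Path(f"/proc/{pid}/cgroup").read_text()) or "/"
    cg = CGROUP_ROOT / rel.lstrip("/")
    return {
        "cgroup": str(cg),
        "cpus": parse_cpu_max((cg / "cpu.max").read_text()),
        "memory_bytes": parse_memory_max((cg / "memory.max").read_text()),
    }


if __name__ == "__main__":
    print(limits_for())
```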
9. Container Internals – Namespaces
Namespaces make it possible to have many hierarchies of processes, each with its own “subtree”, such that processes in one subtree cannot access, or even know of, those in another.
❖ pid – Isolates process IDs
❖ net – Isolates network devices, stacks, ports etc.
❖ mnt – Isolates mount points
❖ user – Isolates users and groups
❖ uts – Isolates the host name and NIS domain name
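Slide 6 says a container is just a normal host process, and this slide lists the namespaces that give it a private view of the system; this added Python example (not from the slides) shows both by reading /proc/<pid>/ns on the host for a container's PID and reporting which namespaces it shares with PID 1, which is how a defender confirms that nothing like --pid=host or --net=host has weakened the isolation. Assumes a Linux host with /proc mounted.

```python
"""Compare the Linux namespaces of two processes through /proc/<pid>/ns.

Added example, not from the slides. Each link under /proc/<pid>/ns resolves
to 'type:[inode]'; two processes share a namespace exactly when the inode
matches. A container's PID on the host is shown by `docker container top`.
"""
import os
from typing import Dict, Set

NAMESPACES = ("pid", "net", "mnt", "uts", "ipc", "user")


def read_namespaces(pid) -> Dict[str, str]:
    """{type: 'type:[inode]'} for a PID or 'self', e.g. {'net': 'net:[4026531840]'}."""
    return {ns: os.readlink(f"/proc/{pid}/ns/{ns}") for ns in NAMESPACES}


def shared_namespaces(a: Dict[str, str], b: Dict[str, str]) -> Set[str]:
    """Namespace types in which both processes carry the same inode."""
    return {ns for ns in a if ns in b and a[ns] == b[ns]}


def isolation_report(target: Dict[str, str], reference: Dict[str, str]) -> Dict[str, str]:
    """Label every namespace of `target` as 'isolated' from or 'shared' with `reference`."""
    shared = shared_namespaces(target, reference)
    return {ns: ("shared" if ns in shared else "isolated") for ns in target}


if __name__ == "__main__":
    import sys
    # Usage: python3 ns_check.py <container pid>   (compared against PID 1, the host init)
    target_pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    for ns, state in isolation_report(read_namespaces(target_pid), read_namespaces(1)).items():
        print(f"{ns:5} {state}")
```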
10. Container Internals – File System
Copy-on-write storage
❖ Creates a new container instantly instead of copying its whole file system
❖ Considerably reduces footprint and startup time
Union file system
❖ Operates by creating layers, making containers very lightweight and fast
❖ Allows files and directories of separate file systems, known as branches, to be transparently overlaid, forming a single coherent file system
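A toy model of the layering and copy-on-write behaviour described above, added here as a Python example that is not from the slides and not any real storage driver: read-only image layers are searched top-down, each container gets only an empty writable layer, and a delete is recorded as a whiteout rather than a change to the image.

```python
"""Toy union file system with copy-on-write, as an added example (not from
the slides). Image layers are read-only dicts searched top-down; a container
gets only an empty writable layer, so creating it copies nothing, and
deleting a lower-layer file records a whiteout instead of touching the image.
"""
from typing import Dict, List, Optional

WHITEOUT = object()  # marker: "this path is hidden by the writable layer"


class UnionView:
    def __init__(self, image_layers: List[Dict[str, str]]):
        self.lower = image_layers            # shared read-only layers, lowest first
        self.upper: Dict[str, object] = {}   # this container's private layer

    def read(self, path: str) -> Optional[str]:
        """Resolve top-down: writable layer first, then image layers newest first."""
        for layer in [self.upper, *reversed(self.lower)]:
            if path in layer:
                value = layer[path]
                return None if value is WHITEOUT else value
        return None

    def write(self, path: str, data: str) -> None:
        self.upper[path] = data              # never reaches the image

    def delete(self, path: str) -> None:
        self.upper[path] = WHITEOUT          # hides the lower copy

    def listdir_all(self) -> List[str]:
        """Every path visible through the union."""
        hidden = {p for p, v in self.upper.items() if v is WHITEOUT}
        names = {p for layer in self.lower for p in layer} | set(self.upper)
        return sorted(names - hidden)


def demo() -> dict:
    """Two containers from one image: c1 patches and deletes, c2 and the image stay intact."""
    base = {"/etc/os-release": "ID=debian", "/bin/sh": "ELF..."}   # constructed layers
    app = {"/app/server.py": "print('v1')"}
    c1, c2 = UnionView([base, app]), UnionView([base, app])
    c1.write("/app/server.py", "print('patched')")
    c1.delete("/etc/os-release")
    return {
        "c1_server": c1.read("/app/server.py"), "c2_server": c2.read("/app/server.py"),
        "c1_osrelease": c1.read("/etc/os-release"), "c2_osrelease": c2.read("/etc/os-release"),
        "image_untouched": app["/app/server.py"] == "print('v1')" and "/etc/os-release" in base,
        "c1_files": c1.listdir_all(),
    }
```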
11. Different Editions and Installation Types
❖ Docker CE (Community Edition)
❖ Docker EE (Enterprise Edition)
❖ Installation Types
❖ Direct
❖ Mac or Windows
❖ Cloud
❖ Releases
❖ Stable – A reliable platform to work with. Stable releases track the Docker platform stable releases.
❖ Edge – Includes the latest experimental features and may contain bugs. May be unstable.
12. Docker Platform Basics
Docker Client: A command line interface (the Docker CLI) which talks to the Docker daemon's REST APIs
Docker Host: Runs the Docker daemon. Clients interact with the Docker daemon over its REST APIs
Docker Registry: Stores Docker images
13. Docker Objects
Images: A read-only template for creating a Docker container
Containers: A runnable instance of an image
Services: Scale containers across multiple Docker daemons
[Diagram of Docker object relationships: an image describes and creates containers; containers persist data in a volume and connect to each other over networking.]
14. Images
❖ Made of file system changes stacked in layers. Built on a union file system.
❖ Images are immutable.
❖ Layers are uniquely identified and stored only once on a host.
❖ A container has a read/write layer on top of the image.
An image contains application binaries, dependencies, metadata and information about how to run it. It does not contain a complete operating system: no kernel and no kernel modules such as drivers. It can be as small as a single file or as large as a complete Ubuntu distribution with package manager, web server, application runtime etc.
16. Docker File
❖ FROM – Base image name
❖ WORKDIR – Working directory
❖ COPY – Copy file/folder
❖ ADD – Adds new file, directory or remote files.
❖ RUN – Run commands or scripts
❖ ENV – Set environment variables. Key value pairs.
❖ CMD – Default command to run
❖ EXPOSE - Listens on the specified network ports at runtime
A Dockerfile is a text document that contains all the commands needed to assemble an image. It starts with a `FROM` instruction, which specifies the base image you are building from.
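A small checker for the instructions listed above, added here as a Python example that is not from the slides: it parses a Dockerfile and flags an unpinned FROM, an ADD of a remote URL, a secret passed through ENV (which persists in an image layer and shows up in docker image history) and a missing USER instruction. SAMPLE is a constructed Dockerfile; example.invalid is a placeholder host.

```python
"""Check a Dockerfile for patterns a reviewer would question. Added example,
not from the slides: an unpinned FROM, ADD of a remote URL, a secret passed
through ENV (it persists in an image layer and appears in `docker image
history`) and no USER instruction (the process would run as root).
SAMPLE is a constructed Dockerfile that trips every check."""
import re
from typing import List, Tuple

SECRET_KEY = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.I)


def parse_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs, joining backslash continuations."""
    items, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        keyword, _, args = (buf + line).partition(" ")
        items.append((keyword.upper(), args.strip()))
        buf = ""
    return items


def check_dockerfile(text: str) -> List[str]:
    parsed, findings = parse_dockerfile(text), []
    for inst, args in parsed:
        if inst == "FROM":
            image = args.split()[0]            # drop an "AS stage" suffix
            ref = image.rsplit("/", 1)[-1]     # ignore registry and namespace
            if "@sha256:" not in image and (":" not in ref or ref.endswith(":latest")):
                findings.append(f"FROM {image}: base image not pinned to a tag or digest")
        elif inst == "ADD" and re.match(r"https?://", args):
            findings.append(f"ADD {args.split()[0]}: remote file fetched without an integrity check; prefer COPY")
        elif inst == "ENV" and SECRET_KEY.search(args):
            findings.append(f"ENV {args.split('=')[0].split()[0]}: secret stored in an image layer")
    if not any(inst == "USER" for inst, _ in parsed):
        findings.append("no USER instruction: container processes run as root")
    return findings


SAMPLE = """\
FROM python:latest
ADD https://example.invalid/setup.sh /tmp/setup.sh
COPY . .
ENV DB_PASSWORD=hunter2
CMD ["python", "server.py"]
"""
```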
17. Docker Commands for Managing Images
docker image build Build an image from a Dockerfile
docker image history Show the history of an image
docker image inspect Display detailed information on one or more images
docker image ls List images
docker image prune Remove unused images
docker image pull Pull an image or a repository from a registry
docker image push Push an image or a repository to a registry
docker image rm Remove one or more images
docker image tag Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
18. Containers
Containers are processes, not mini virtual machines. They are limited in what resources they can access, and they exit when their process stops.
What happens when you execute `docker container run -p 8080:80 <imageName>`?
[Diagram: Infrastructure, Host Operating System, Docker Engine, and three containers each holding Bins/Libs and an App (A, B, C).]
❖ Looks for the image locally in the image cache
❖ Looks in the remote repository if it is not cached locally
❖ Downloads and caches the image
❖ Creates a container based on that image
❖ Allocates a virtual IP inside the Docker network
❖ Opens up a port on the local host and forwards it to a port in the container (if mapped)
❖ Starts the container with its default command
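The create, start and inspect steps of that sequence, driven through the daemon's REST API (slide 12) instead of the CLI, as an added Python example that is not from the slides; it assumes a local daemon at /var/run/docker.sock and an image that has already been pulled, and the memory and CPU limits are constructed defaults that show where the cgroup settings from slide 8 are passed.

```python
"""Perform the steps of `docker container run -p 8080:80 <image>` through
the daemon's REST API. Added example, not from the slides; assumes a local
daemon at /var/run/docker.sock and an already pulled image (the CLI would
pull first). The memory and CPU defaults are constructed values."""
import http.client
import json
import socket

SOCKET_PATH = "/var/run/docker.sock"


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over the daemon's Unix socket instead of TCP."""
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(SOCKET_PATH)


def create_payload(image: str, host_port: int, container_port: int,
                   memory_bytes: int = 256 * 1024 ** 2, cpus: float = 0.5) -> dict:
    """POST /containers/create body: the -p mapping plus the cgroup limits
    that --memory and --cpus would set, all under HostConfig."""
    port_key = f"{container_port}/tcp"
    return {
        "Image": image,
        "ExposedPorts": {port_key: {}},
        "HostConfig": {
            "PortBindings": {port_key: [{"HostPort": str(host_port)}]},
            "Memory": memory_bytes,
            "NanoCpus": int(cpus * 1_000_000_000),
        },
    }


def api(method: str, path: str, body: dict = None) -> dict:
    conn = UnixHTTPConnection("localhost")
    conn.request(method, path, body=json.dumps(body) if body else None,
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    raw = resp.read()
    if resp.status >= 400:
        raise RuntimeError(f"{method} {path} -> {resp.status}: {raw.decode()}")
    return json.loads(raw) if raw else {}


def run_container(image: str, host_port: int, container_port: int) -> dict:
    """Create, start, inspect: returns the container's virtual IP and port mapping."""
    cid = api("POST", "/containers/create", create_payload(image, host_port, container_port))["Id"]
    api("POST", f"/containers/{cid}/start")     # 204 with an empty body
    net = api("GET", f"/containers/{cid}/json")["NetworkSettings"]
    return {"id": cid[:12], "ip": net["IPAddress"], "ports": net["Ports"]}
```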
20. Docker Commands for Managing Containers
docker container exec Run a command in a running container
docker container inspect Display detailed information on one or more containers
docker container kill Kill one or more running containers
docker container logs Fetch the logs of a container
docker container ls List containers
docker container prune Remove all stopped containers
docker container rm Remove one or more containers
docker container run Run a command in a new container
docker container start Start one or more stopped containers
docker container stats Display a live stream of container(s) resource usage statistics
docker container stop Stop one or more running containers
docker container top Display the running processes of a container
21. Docker Networking
None – Disables all networking; the container has no access to the outside world.
Bridge – The default network driver. If you don’t specify a driver, this is the type of network you are creating. Usually used when applications run in standalone containers that need to communicate.
Host – Puts the container directly on the host’s network stack.
[Diagram: a host machine with a network interface. On the default bridge network, containers labelled A and B (three containers) with IPs 172.17.0.2, 172.17.0.3 and 172.17.0.4 and host port mappings 8081:80, 8082:80 and 8083:80. On a user-defined network net-demo, containers X, Y and Z with IPs 172.17.0.10, 172.17.0.11 and 172.17.0.12, each shown with the mapping 8085:80, and DNS.]
22. Volumes & Persistent Data
Containers are usually immutable and ephemeral. Docker offers two options for containers to store files on the host machine: volumes and bind mounts.
❖ Volumes: Stored in a part of the host filesystem that is managed by Docker (/var/lib/docker/volumes/ on Linux). Non-Docker processes should not modify this part of the filesystem.
❖ Bind mounts: Can be stored anywhere on the host system. Non-Docker processes on the Docker host or a Docker container can modify them.
23. Docker Compose
A tool for defining and running multi-container Docker applications. It uses a YAML file to configure the application’s services and runs them in an isolated environment.
Steps to use Docker Compose
❖ Define the app’s environment with a Dockerfile.
❖ Define the services that make up the app in docker-compose.yml.
❖ Run `docker-compose up` to run the entire app.
24. Container Registries
Docker Hub
❖ Most popular public Docker image registry
❖ Powered by Docker Registry along with some image-building capabilities
❖ You can hook GitHub/Bitbucket up to Docker Hub to build an image on commit and push it to Docker Hub.
Docker Registry
❖ A private image registry. Consists of a set of web APIs and a storage system. Written in Go.
❖ Supports multiple storage drivers: S3, Azure, GCP, OpenStack Swift etc.
❖ Not as feature rich as Docker Hub.
A registry is a storage and content delivery system holding named Docker images, available in different tagged versions. Users interact with a registry by using the docker push and pull commands.
25. Docker Swarm
❖ Native support for Docker Engine cluster management. No additional software required.
❖ Docker Engine handles any specialization at runtime. Deploy both kinds of nodes: managers and workers.
❖ Declarative approach for defining the desired state of the various services.
❖ The swarm manager automatically adapts by adding or removing tasks to maintain the desired state when you scale out or scale in.
[Diagram: a swarm with three Manager Nodes sharing a Distributed State Store and five Worker Nodes.]