Quartz 4

Container Fundamentals

3 min read

Containers are a lightweight form of virtualization that package an application and its dependencies into a standardized unit for software development and deployment. Unlike virtual machines, containers virtualize at the operating system level rather than at the hardware level.

Definition

Containers, also known as OS-level virtualization, provide isolated environments for running application processes within a shared operating system kernel. They encapsulate an application with its runtime, system tools, libraries, and settings needed to run, ensuring consistency across different environments.

Key Concepts

Container vs. Virtual Machine

A container differs fundamentally from a virtual machine:

  • Resource Utilization: Containers share the host OS kernel, making them more lightweight
  • Isolation Level: Containers isolate at the process level; VMs isolate at the hardware level
  • Startup Time: Containers start in seconds; VMs typically take minutes
  • Image Size: Container images are typically megabytes; VM images are gigabytes
  • Portability: Containers provide consistent runtime regardless of underlying infrastructure

Container Images

A container image is a lightweight, standalone, executable package that includes everything needed to run an application:

  • Application code
  • Runtime environment
  • System libraries
  • Default settings

Images are built in layers, which are cached and reused across containers to optimize storage and transfer efficiency.

Container Instances

A container instance is a running copy of a container image. Multiple instances can run from the same image simultaneously, each with its own isolated environment.

Evolution of Containerization

Early Isolation Mechanisms

  • chroot (1979): The first UNIX mechanism for isolating a process’s file system view
  • FreeBSD Jails (2000): Extended isolation to include processes, networking, and users
  • Solaris Zones (2004): Similar isolation capabilities for Solaris

Modern Container Technologies

  • LXC (2008): Linux Containers using kernel containment features
  • Docker (2013): Made containers accessible with simplified tooling and images
  • rkt/Rocket (2014): Alternative container runtime with focus on security
  • Podman (2018): Daemonless container engine compatible with Docker

Core Technologies Behind Containers

Containers rely on several Linux kernel features for isolation:

Namespaces

Namespaces isolate a process’s view of the system, limiting what it can see and access:

  • PID Namespace: Process isolation (each container has its process tree)
  • NET Namespace: Network isolation (separate network interfaces)
  • MNT Namespace: Mount point isolation (separate file system view)
  • UTS Namespace: Hostname isolation
  • IPC Namespace: Inter-process communication isolation
  • USER Namespace: User and group ID isolation

Control Groups (cgroups)

Control groups limit and account for resource usage:

  • CPU allocation
  • Memory allocation
  • Block I/O bandwidth
  • Network bandwidth
  • Device access

Union File Systems

Layered file systems that enable efficient image building and sharing:

  • OverlayFS
  • AUFS (Advanced Multi-Layered Unification Filesystem)
  • Device Mapper
  • BTRFS

Container Runtimes and Engines

A container runtime is the software responsible for running containers:

  • Low-level runtimes: Execute containers (e.g., runc, crun)
  • High-level runtimes: Manage images and abstract low-level runtimes (e.g., containerd)
  • Container engines: Provide user interfaces for container management (e.g., Docker, Podman)

Use Cases for Containers

Containers are particularly well-suited for:

  1. Microservices Architecture: Deploying independent, loosely coupled services
  2. DevOps and CI/CD: Consistent environments across development, testing, and production
  3. Application Packaging: Bundling applications with dependencies
  4. Resource Efficiency: Running multiple workloads on the same host
  5. Cloud-Native Applications: Building scalable, resilient applications

Benefits of Containers

  • Portability: Run anywhere the container runtime is available
  • Consistency: Same environment from development to production
  • Efficiency: Less overhead than VMs, better resource utilization
  • Speed: Fast startup and shutdown times
  • Scalability: Easy to scale up or down
  • Isolation: Application-level isolation without full virtualization overhead

Limitations of Containers

  • Kernel Sharing: All containers share the host kernel
  • Security: Generally less isolated than VMs
  • Complex State Management: Stateful applications require additional considerations
  • Cross-Platform Compatibility: Limited across different OS kernels

Graph View

Backlinks