Containers provide isolation using Linux namespaces and control resource allocation via cgroups. A container is a set of namespaces that isolate processes and provide a restricted view of the filesystem. Docker uses the aufs filesystem to build containers from immutable layers, with the container itself as a writable top layer. Logging within containers should use stdout and stderr, and processes are generally kept separate rather than bundled together within a single container.

1. Containers vs VMs

2. Virtual machines Containers

3. Virtual machines Containers

4. Virtual machines Containers

5. Only on linux?

10. Union
filesystems

11. aufs
• Advanced multi-layered unification filesystem

12. aufs

13. aufs

14. aufs

15. aufs

16. aufs

17. aufs
commit

18. aufs

19. aufs

20. aufs
alpine>
java:7-alpine>
java:openjdk-7-alpine>

22. In summary
• Docker uses aufs.
• A ‘container’ is a temporary read-write layer, on top of other
immutable layers.
• Avoid using latest, pick a major version build that gets bug fixes.
• Deleting files from previous layers still weigh the image down.
• Delete them before you commit the layer (in the same RUN instruction.)
• Use multi-stage builds to cherry-pick artifacts into images.

23. Under the hood

24. Linux kernel

25. Namespaces
Namespaces provide a layer of isolation. Each
aspect of a container runs in a separate
namespace and its access is limited to that
namespace.

26. pid
mnt
net
uts
cgroup
ipc
user

27. pid namespace
init

28. pid namespace
init

29. pid namespace
init

30. pid namespace
init

31. pid namespace
init
9596
(67)
9503

32. pid namespace
init
4026532294
9596
(67)
9503

33. pid namespace
init
6fe668f0aa02
34ca95f504ba

34. mnt namespace
• Isolation of mount points for a group of processes.
• Mount operations do not propagate to the root filesystem.
• Uses pivot_root to change the root filesystem.
• Docker handles other specified mounts, and unmounts the original
root filesystem.

35. net namespace
• Isolation of network interfaces.
• Only virtual interfaces can be added to a net namespace.
• Docker uses a bridge virtual interface for containers by default.

36. net namespace
• Virtual interface appears as the
physical interface in the
namespace.
172.17.0.0/16
172.17.0.4
172.17.0.3
172.17.0.2

37. uts (unix timesharing system)
• Hostname and domains.
cgroup
• System resources allocation (cpu, memory.)
ipc (inter-process communication)
user

38. Summary
• A ‘container’ is a set of linux namespaces with a ‘jailed’ view of the
filesystem.

39. Summary
• A ‘container’ is a set of linux namespaces with a ‘jailed’ view of the
filesystem.

40. Logging

42. Multiple processes in a single container
• Generally advised to use separate containers where possible.
• Can use a process manager (forego, supervisord.)

43. In summary
• Use stdout and stderr for logging.
• Don’t create your own logging mechanism (i.e. mounting volumes from the
host to log to.)
• Separate each process in your application into its own container.
• Use a process manager if you have to bundle them together.