March 04, 2017

Docker Runtime Environment

Containerization, the ability to run multiple isolated compute environments on a single kernel, was not introduced by Docker. Docker's contribution includes a user-friendly management model.

Two kernel features, cgroups and namespaces, introduced into the Linux kernel around 2008, make it possible to track and partition system resources within a single kernel. These and other capabilities are packaged by runtime environment technologies such as LXC, libcontainer, and runC. The runtime environment forms the foundation of Docker's ability to host multiple isolated containers under a single kernel.

Docker facilitates building an application image, packaging it with all its dependencies, and running it in a software container (isolated user-space processes). The container runs the same on any Docker-supported environment: physical server, virtual machine, or cloud platform. The mantra is: “build once, run anywhere”.

Docker combines:
  • kernel features (such as cgroups, namespaces, etc.)
  • a Union File System
  • a unified, low-level container format (runC)
  • a management framework
and leverages them to build, ship and run portable, efficient computing environments, called containers, on physical, virtual and cloud platforms.

Note: The entry point to the container is an executable, specifically the default executable. It is the process running with PID 1 in the container. The entry point to a virtual machine is the kernel or the init program. In a VM (and standalone Linux server), the init process has PID 1 and it is the parent of all other processes on the system.
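The two kernel features named above, and the PID 1 note, can be observed directly through /proc. The following is an added example, not code from the original post: it parses /proc/&lt;pid&gt;/cgroup to show which cgroup a process was placed in, reads the namespace inodes under /proc/&lt;pid&gt;/ns/ to show which namespaces two processes share, and includes constructed sample cgroup lines (the container ID in them is made up) so the parsing logic runs without a container runtime. Run from the host, comparing a container's process against PID 1 reveals which namespaces it still shares with the host, which is the check a defender wants when a container was started with options such as a shared network namespace.

```python
"""Inspect cgroup membership and namespace sharing via /proc (added example)."""
import os
import re

# Namespace types exposed under /proc/<pid>/ns/ on current Linux kernels.
NAMESPACES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# Path components that Docker and similar runtimes use for per-container cgroups.
CONTAINER_PATH_RE = re.compile(r"/(docker|lxc|libpod|containerd)[/-]")


def parse_cgroup(text):
    """Parse the text of /proc/<pid>/cgroup into {controller: path}.

    cgroup v1 lines look like 'hierarchy-id:controller[,controller]:path';
    cgroup v2 exposes a single line '0::/path', stored under the key ''.
    Malformed lines are skipped rather than raising.
    """
    result = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        _, controllers, path = parts
        for ctrl in controllers.split(","):
            result[ctrl] = path
    return result


def looks_containerized(cgroup_map):
    """True if any cgroup path contains a runtime-named component (docker/, lxc/, ...)."""
    return any(CONTAINER_PATH_RE.search(p) for p in cgroup_map.values())


def namespace_ids(pid="self"):
    """Return {ns_type: 'type:[inode]'} by reading the symlinks in /proc/<pid>/ns/.

    Entries the kernel does not expose, or that this user may not read
    (reading another user's namespaces needs ptrace access), are omitted.
    """
    ids = {}
    for ns in NAMESPACES:
        try:
            ids[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            pass
    return ids


def shared_namespaces(ids_a, ids_b):
    """Namespace types in which both processes point at the same inode."""
    return sorted(ns for ns in ids_a if ns in ids_b and ids_a[ns] == ids_b[ns])


# Constructed sample: a process inside a Docker container on a cgroup v1 host.
# The 64-hex-digit container ID is invented for this example.
SAMPLE_CONTAINER_CGROUP = """\
12:pids:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
11:memory:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
1:name=systemd:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# Constructed sample: a login session on the host itself, cgroup v2 layout.
SAMPLE_HOST_CGROUP = "0::/user.slice/user-1000.slice/session-1.scope\n"


if __name__ == "__main__":
    # Compare this process with PID 1 (the init process, or the container's
    # entry point when run inside a container).
    me, init = namespace_ids("self"), namespace_ids(1)
    print("namespaces shared with PID 1:", shared_namespaces(me, init))
    try:
        with open("/proc/self/cgroup") as f:
            print("containerized:", looks_containerized(parse_cgroup(f.read())))
    except OSError:
        print("no /proc/self/cgroup available on this system")
```

The cgroup heuristic is only a hint: a container started in the host's cgroup namespace sees paths like the ones in the sample, while one given its own cgroup namespace sees "/" for its own subtree, so the absence of a runtime-named component does not prove the process is on the host.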

Operating System vs. Kernel
In many discussions the operating system and the kernel are conflated. With Docker, and containerization in general, the difference is key.

A kernel is an essential subset of the operating system. It provides a low-level interface to system resources. The operating system includes the kernel and other resources: libraries, binaries, configuration files, etc. needed by a computing platform.

With Containerization, only the kernel is shared. All other resources can be abstracted out for each container.

Before settling on RunC, Docker used the following container formats in turn:
  • Linux Container (LXC)
    • LXC is an operating system-level virtualization solution for running multiple isolated Linux systems (containers) on top of a single kernel
    • Used in Docker up until Docker v1.8
    • This is where containers got their name
  • Libcontainer
    • provides a standard interface for making sandboxes or containers inside an OS
    • a cross-system abstraction layer that attempts to standardize how applications are built, delivered, and run in isolation
    • Introduced as the default at Docker 0.9 (LXC was made optional)
    • Provides the ability to manipulate OS containers or “lightweight virtualization” features in a consistent and predictable manner, without depending on LXC or any other isolation control packages.
      • Protects against instability or changes across distributions or installation
Image: blog.docker.com/2014/03/docker-0-9-introducing-execution-drivers-and-libcontainer/
  • runC
    • the latest Universal Runtime
    • is built on libcontainer
    • v0.0.1 was introduced in July 2015
    • a lightweight, portable container runtime