Docker is an open source platform that lets you isolate your applications from the underlying infrastructure, so that you can deliver software quickly.
Docker containers are lightweight. They are loosely isolated from the host, yet secure, so you can run many containers simultaneously on a single host.
Unlike virtual machines, containers do not have a full operating system installed, so they consume less compute, less storage and less memory. On a given hardware configuration you can therefore run more containers than virtual machines.
In this article we will look at some of Docker's internals and how it works.
Docker as a Layered Onion
Let's imagine Docker as a layered onion with three layers: the CLI, the HTTP API layer and the Docker Engine.
The CLI interacts with the Docker Engine; internally it uses the Docker API for this purpose.
The Docker API lets you interact with the Docker Engine, whether the engine runs on the same machine or on a remote one.
The Docker Engine is a long-running daemon process, dockerd. This process is responsible for managing Docker objects such as images, containers, networks and volumes.
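To make the three layers concrete, here is an added example (not code from the original article) that skips the CLI and talks to the engine's HTTP API directly over its Unix socket, exactly as the CLI does underneath. It assumes a Linux host with curl and the default socket path; the DOCKER_SOCK variable and the helper function names are my own. It also checks the socket's permissions, because whoever can write to that socket controls the engine, which runs as root.

```shell
#!/bin/sh
# Added example (not from the article): call the Docker Engine API over its
# Unix socket, the channel the CLI uses internally, and check who may use it.
# Assumes Linux with curl; the socket path is the Docker default.

DOCKER_SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"

# Return "owner:group mode" for a path, e.g. "root:docker 660".
# Write access to the socket is equivalent to root on the host, because the
# engine runs as root and will mount any host path into a container on request.
socket_perms() {
    stat -c '%U:%G %a' "$1"
}

# Succeed (exit 0) when the "other" permission bits are not all zero,
# i.e. when every local user can reach the socket.
socket_world_accessible() {
    mode=$(stat -c '%a' "$1")
    last=$(printf '%s' "$mode" | tail -c 1)
    [ "$last" != "0" ]
}

# GET an endpoint of the engine API and print the JSON body.
# Unversioned paths are accepted; "version" is what `docker version` calls.
engine_get() {
    curl --silent --fail --unix-socket "$DOCKER_SOCK" "http://localhost/$1"
}

if [ -S "$DOCKER_SOCK" ]; then
    echo "socket: $(socket_perms "$DOCKER_SOCK")"
    if socket_world_accessible "$DOCKER_SOCK"; then
        echo "WARNING: $DOCKER_SOCK is accessible to every local user"
    fi
    engine_get version                 # same data as `docker version`
    echo
    engine_get 'containers/json?all=1' # same data as `docker ps -a`
else
    echo "no Docker socket at $DOCKER_SOCK (no daemon running here)"
fi
```

On a typical installation the socket is root:docker with mode 660, so membership of the docker group is what grants engine access; the check above flags the common misconfiguration of chmod 666 on the socket, which hands the same power to every local account.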
Docker Building Blocks
Docker uses a client-server architecture.
The Docker client talks to the server process (the daemon), and the daemon does all the heavy work of building, running and distributing your application. The daemon and the client can run on the same machine or on different machines, communicating through the API.
The daemon is the long-running process that does all the important work. It listens for Docker API requests and manages Docker objects.
A Docker daemon can also talk to other daemons through the same API.
The Docker registry is where Docker images are stored. There is a public registry that anyone can access, called Docker Hub; it is the default registry. If you do not specify a registry in a docker command, the command talks to Docker Hub.
When you run docker pull, the image is pulled from the registry into the local store.
When you run docker push, Docker tries to push the image to the registry.
When you run docker run, Docker checks whether the image is available locally; if not, it tries to pull the image from the registry.
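The "default registry" rule above is worth seeing in code, because a reference like app:1.0 silently resolves to Docker Hub. The following is an added example, not part of the original article: registry_of applies Docker's own rule (the first path component is treated as a registry host only when it contains a dot or a colon or is "localhost", otherwise docker.io is used), is_digest_pinned tells you whether a reference is pinned to content rather than to a mutable tag, and ensure_image mirrors what docker run does before starting a container. The function names and the image references are mine; alpine:3.19 is just a constructed reference.

```shell
#!/bin/sh
# Added example (not from the article): which registry does a reference go to?
# Docker's rule: if the part before the first "/" looks like a host (has a "."
# or a ":" or is exactly "localhost") it is the registry, otherwise the
# default registry docker.io (Docker Hub) is used.

registry_of() {
    ref=$1
    first=${ref%%/*}              # text before the first "/"
    case "$ref" in
        */*)
            case "$first" in
                *.*|*:*|localhost) echo "$first"; return 0 ;;
            esac ;;
    esac
    echo "docker.io"
}

# A reference pinned by digest (name@sha256:...) names exact content; a tag
# can be re-pointed at a different build in the registry at any time.
is_digest_pinned() {
    case "$1" in
        *@sha256:*) return 0 ;;
        *)          return 1 ;;
    esac
}

# What `docker run` does before starting a container: use the local copy if
# present, otherwise pull from the resolved registry.
ensure_image() {
    if docker image inspect "$1" >/dev/null 2>&1; then
        echo "using local image $1"
    else
        echo "pulling $1 from $(registry_of "$1")"
        docker pull "$1"
    fi
}

# Constructed references; the digest is a placeholder, not a real image digest.
for ref in nginx library/nginx:1.25 ghcr.io/org/app:2.0 \
           localhost:5000/app@sha256:PLACEHOLDER; do
    pinned=no
    if is_digest_pinned "$ref"; then pinned=yes; fi
    printf '%-42s registry=%-16s digest-pinned=%s\n' \
        "$ref" "$(registry_of "$ref")" "$pinned"
done

# Only exercise the daemon-backed path when a daemon is actually available.
if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
    ensure_image alpine:3.19
fi
```

Two defender habits follow directly from this: write the registry host explicitly in every reference so a private image name can never fall through to Docker Hub, and pin production references by digest so that what was reviewed is what gets pulled.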
Let's discuss the important Docker objects.
Images are templates containing the instructions to create a running container. Often an image is based on another image, e.g. you may take a Linux image as the base image and then customize it further with a web server and your application code.
Physically, a Docker image is described by a Dockerfile, which holds the instructions. Each instruction creates a layer, and if you change an instruction, only the affected layers are rebuilt.
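Here is an added example (not from the original article) that walks a Dockerfile instruction by instruction and reports which ones produce a filesystem layer (RUN, COPY and ADD) and which only change image metadata. The Dockerfile is constructed for the example and the function names are mine. The point a practitioner cares about is in the last RUN line: deleting a file in a later layer does not remove it from the earlier layer, so anything copied in by mistake stays in the image history.

```shell
#!/bin/sh
# Added example (not from the article): classify Dockerfile instructions by
# whether they add a filesystem layer. The Dockerfile below is constructed.

DOCKERFILE=$(mktemp)
cat > "$DOCKERFILE" <<'EOF'
FROM debian:bookworm-slim
ENV APP_HOME=/srv/app
WORKDIR /srv/app
COPY requirements.txt .
RUN apt-get update && apt-get install -y --no-install-recommends python3 \
    && rm -rf /var/lib/apt/lists/*
COPY . .
# Removing a file here does NOT remove it from the COPY layer above:
RUN rm -f /srv/app/.env
EXPOSE 8080
CMD ["python3", "app.py"]
EOF

# Print "<layer|meta> <INSTRUCTION> <arguments>" per instruction.
# Lines ending in "\" are joined first so that one instruction is one line;
# comments and blank lines are dropped.
classify_instructions() {
    awk '{ line = line $0; if (sub(/\\$/, "", line)) next; print line; line = "" }' "$1" |
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    while read -r instr rest; do
        case "$instr" in
            RUN|COPY|ADD) tag=layer ;;   # these write to the image filesystem
            *)            tag=meta  ;;   # FROM/ENV/WORKDIR/EXPOSE/CMD... metadata only
        esac
        printf '%-5s %s %s\n' "$tag" "$instr" "$rest"
    done
}

# Number of filesystem layers the build adds on top of the base image.
count_fs_layers() {
    classify_instructions "$1" | grep -c '^layer'
}

classify_instructions "$DOCKERFILE"
echo "filesystem layers added: $(count_fs_layers "$DOCKERFILE")"

# With a daemon available, `docker history` lists the real layers of an
# image; rows with size 0B are the metadata-only instructions.
if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
    docker history --no-trunc debian:bookworm-slim 2>/dev/null || true
fi
```

Because the cache is keyed per instruction, changing the second COPY line forces only that layer and the ones after it to be rebuilt, which is why Dockerfiles copy dependency manifests before the application source.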
Containers are runnable instances of Docker images. You can create a container, start it, stop it, move it or remove it.
A container is well isolated from the host machine and from the other containers running on it. Optionally you can also specify the level of isolation.
A container is defined by its image as well as by the configuration options specified during the create or start operation.
Services allow you to scale containers. You can define how many replicas of a service must be available at any given time. By default the replicas are load balanced, so they appear as a single instance to the consumer.
Other Important Terms
Let's have a look at some other important terms.
When you run a Docker container, Docker creates a number of namespaces for it.
Each aspect of the container runs in its own namespace, and its access is limited to that namespace.
Most common namespaces include:
- pid namespace for process identification
- net namespace for networking related aspects
- mnt namespace for managing file system mount points
- ipc namespace for managing inter-process communication
- uts namespace for isolating kernel and version identifiers
A control group limits an application to a specific set of resources. Control groups let the Docker Engine share the available hardware resources among containers and, if required, enforce limits or constraints on their usage.
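Both the namespaces and the control groups just described can be observed from the host. The script below is an added example (not from the original article) and assumes a Linux host: list_namespaces reads /proc/<pid>/ns, where each symlink names the namespace type and its inode, so two processes whose inodes differ for a type are isolated in that type. If a daemon is running it also starts a throw-away container with memory, CPU and PID limits (cgroup settings) and all capabilities dropped, then compares the container's namespaces with the shell's. The container name ns-demo, the limits and the alpine:3.19 reference are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): observe namespaces and cgroup limits.
# Requires Linux; reading another process's /proc/<pid>/ns needs root or
# ptrace access, which is why that part is guarded.

# Turn a readlink result such as "pid:[4026531836]" into "pid 4026531836".
parse_ns_link() {
    type=${1%%:*}
    inode=$(printf '%s' "${1#*:}" | tr -d '[]')
    echo "$type $inode"
}

# Print "<type> <inode>" for every namespace of a process (default: this shell).
list_namespaces() {
    pid=${1:-$$}
    for ns in /proc/"$pid"/ns/*; do
        link=$(readlink "$ns") || continue
        parse_ns_link "$link"
    done
}

# Succeed when two PIDs share the namespace of the given type, e.g. "net".
same_namespace() {
    a=$(list_namespaces "$1" | awk -v t="$3" '$1 == t { print $2 }')
    b=$(list_namespaces "$2" | awk -v t="$3" '$1 == t { print $2 }')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

echo "namespaces of this shell:"
list_namespaces

if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
    # cgroup limits: 64 MiB of memory, half a CPU, at most 50 processes.
    # --cap-drop ALL removes the capabilities Docker grants by default.
    cid=$(docker run -d --rm --name ns-demo \
          --memory 64m --cpus 0.5 --pids-limit 50 --cap-drop ALL \
          alpine:3.19 sleep 30)
    cpid=$(docker inspect -f '{{.State.Pid}}' "$cid")
    echo "container init process as seen from the host: pid $cpid"
    if [ -z "$(list_namespaces "$cpid")" ]; then
        echo "cannot read /proc/$cpid/ns (needs root or ptrace access)"
    elif same_namespace "$$" "$cpid" net; then
        echo "container shares the host network namespace"
    else
        echo "container has its own network namespace"
    fi
    docker inspect -f 'memory={{.HostConfig.Memory}} pids={{.HostConfig.PidsLimit}} nanocpus={{.HostConfig.NanoCpus}}' "$cid"
    docker stop ns-demo >/dev/null
fi
```

A container started with --network host or --pid host prints the same inode as the shell for that type; that is the quickest way to confirm from the outside which isolation boundaries a running container actually has, rather than trusting its run command.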
Union File Systems
The Docker Engine uses UnionFS to provide the building blocks for containers. It can use several UnionFS variants, including AUFS and btrfs.
The Docker Engine combines namespaces, control groups and a union file system into a wrapper called a container format. The default container format is libcontainer.
This article summarized the building blocks of Docker and some important terms. I hope it was informative. Please comment and let me know your thoughts.