How Docker Works | Generated by AI

Home PDF

Let’s dive into how Docker works, focusing on its use of Linux’s filesystem and how it isolates applications from each other.


What is Docker, at its Core?

Docker is a platform that allows you to package, distribute, and run applications inside lightweight, isolated environments called containers. Unlike virtual machines (VMs), which include an entire operating system, Docker containers share the host OS kernel and use its features to provide isolation and efficiency.


How Docker Works

Docker leverages several Linux kernel features to create and manage containers:

  1. Namespaces - For isolation.
  2. Control Groups (cgroups) - For resource management.
  3. Union Filesystems - For efficient storage and layering.

Here’s how these pieces come together:


1. Linux Namespaces: Isolation Mechanism

Namespaces create isolated “views” of system resources, ensuring that processes in one container don’t interfere with those in another. Key namespaces Docker uses include:

Example: If you run ps inside a container, you only see processes within that container’s PID namespace, not the host’s processes.


2. Control Groups (cgroups): Resource Limits

Cgroups limit and monitor resource usage (CPU, memory, disk I/O, etc.) for each container. This prevents one container from hogging all system resources and starving others.


3. Union Filesystems: Layered Storage

Docker uses a union filesystem (e.g., OverlayFS, AUFS) to manage container images and their filesystems efficiently. This is how it ties into the Linux filesystem:


How Apps Are Isolated from Each Other

Here’s how the above components work together to isolate applications:

  1. Process Isolation (PID Namespace):
    • Each container runs its app as an independent process tree, unaware of other containers or the host.
  2. Network Isolation (Network Namespace):
    • Containers have separate network interfaces. Docker’s default “bridge” network assigns each container a unique IP, and NAT handles external communication.
    • Example: Two Spring Boot apps can both bind to port 8080 inside their containers without conflict.
  3. Filesystem Isolation (Mount Namespace + UnionFS):
    • Each container sees only its own filesystem, built from the image layers plus its writable layer.
    • If Container A writes to /tmp, Container B doesn’t see it.
  4. Resource Isolation (cgroups):
    • One app can’t exhaust the host’s CPU or memory and crash another.
  5. Shared Kernel:
    • Containers share the host’s Linux kernel, but namespaces ensure they don’t step on each other’s toes. Syscalls are filtered or redirected as needed.

Simplified Workflow

  1. Build: You create an image with a Dockerfile, defining the app and its dependencies. Docker stacks these into layers using a union filesystem.
  2. Run: Docker creates a container by:
    • Setting up namespaces for isolation.
    • Allocating cgroups for resource limits.
    • Mounting the image layers plus a writable layer.
    • Starting your app as the entrypoint (e.g., java -jar app.jar).
  3. Cleanup: When the container stops, the writable layer is discarded (unless saved as a new image with docker commit).

Why Linux?

Docker relies on Linux kernel features (namespaces, cgroups, union filesystems) that are deeply integrated into how it operates. On macOS or Windows, Docker runs a lightweight Linux VM (via HyperKit or WSL2) to provide these capabilities, then maps them to the host OS.


Visual Analogy

Think of Docker containers as apartments in a building:


Does this clarify how Docker works and isolates apps? Let me know if you’d like a deeper dive into any part!


Back 2025.03.21 Donate