Docker is one of the pioneering, largest and user friendly container providers. Docker uses a client-server architecture. The command line will act as a client, all our requests will be sent from the command line. A server may or may not be present locally. A daemon, running on the server will accept all the requests and do all the hard work(building, creating, downloading, etc container images) of serving this request.
What happens when we run ‘docker run image_name’ our command line?
Lets say we want to pull MySQL image from the registry.
docker run mysql runs a particular image in a new container. Every time we run the above command, a new container will be created.
- A request will be sent to the daemon on server to run that MySQL image in a new container.
- Daemon will check if MySQL image is available in the local registry.
- If it is available, then it will simply run it in a new container.
- If not, then it will pull MySQL image from the Docker Hub using
docker pull mysqland then run it in a new container.
Core Elements of Docker
Container – Provides an isolated environment for an application running on the host where multiple other applications are running.
Images – Read-only templates that contain a runtime environment involving libraries and applications. Multiple containers can be built from an image. Images can be easily created, updated or downloaded for immediate use.
Registries – A docker image may be public or private. All the images are stored in a registry. Docker Hub is a well known public registry. Any developer can upload/download container images to/from the Docker Hub.
How are the containers kept isolated?
Docker containers uses several standard Linux kernel features to create the isolation.
- Namespaces – Protect container’s interaction between each other.
- These are generally used to protect resources from the processes running on the system
- Docker creates namespace for each individual containers. Namespaces protect containers from interacting with each other unnecessarily.
- Kernel places resources inside a particular namespace. Processes that are members that namespace can see those resources and they can only use those resources. Resources may include network interfaces, process id list, mount points, IPC resources and system’s hostname information.
- Control Groups – Protect container’s interaction to the host
- cgroups makes sure that containers do not borrow more than required resources from the host.
- It places a restriction on the amount of system resources the process belonging to a specific container can use.
- SELinux – Protect containers from each other and protect host from the containers running on top of it.
- SELinux is a mandatory access control system.
- Standard SELinux type enforcement is used to protect containers from using too many of it’s host’s resources.
- SELinux Multi Category Security(MCS) is used to protect containers from each other, by placing each container’s processes in a unique category.