How does Docker provide isolation?

Docker internals

A beginner-friendly explanation

Intro

If you are here I’m assuming you have already read about what Docker is and all the essential parts that it is comprised of (client, host, containers, images, registry, etc.).

We are not here to talk about the architecture of Docker but to understand how exactly a container is any different from an application running on your computer.

Source: https://www.educba.com/docker-containers/

Docker containers are processes running on a single host OS kernel on a machine.

A process is the instance of a computer program that is being executed by one or many threads. (Wikipedia)

A thread of execution is the smallest sequence of programmed instructions that can be managed independently by a scheduler, which is typically a part of the operating system. (Wikipedia)

Isolation is provided on a per-container level by the Docker Engine. Using containers, multiple applications can be deployed to a single bare metal server without any conflict between the applications.⁵

A bare-metal server is a physical computer server that is used by one consumer, or tenant, only. (Wikipedia)

So now what you are here for is to understand “How exactly does this magical thing actually isolate applications without any conflict?”

The heroes of Container isolation — native to the Linux kernel

Source: https://www.networkcomputing.com/data-centers/docker-containers-9-fundamental-facts

Namespaces in Linux

Namespaces are a Linux kernel feature that allows the kernel's resources to be partitioned among sets of processes.¹

They have been part of the Linux kernel since 2002.

The kernel is a computer program at the core of a computer’s operating system and generally has complete control over everything in the system. It is the portion of the operating system code that is always resident in memory and facilitates interactions between hardware and software components. (Wikipedia)

Over time, more tooling and namespace types have been added. Full container support arrived in the Linux kernel only in 2013, but that is what made namespaces really useful and brought them to the masses.

The host kernel has its own namespaces, and every container running on that kernel gets its own set of namespaces. These namespaces provide a layer of isolation: each aspect of a container runs in a separate namespace, and its access is limited to that namespace.⁴ Namespaces therefore form a hierarchy of parent and child namespaces.

An Example of Parent and Child PID Namespaces:

In the diagram below, there are three PID namespaces — a parent namespace and two child namespaces. Within the parent namespace, there are four processes, named PID1 through PID4. These are normal processes that can all see each other and share resources.

The child processes with PID2 and PID3 in the parent namespace also belong to their own PID namespaces in which their PID is 1. From within a child namespace, the PID1 process cannot see anything outside. For example, PID1 in both child namespaces cannot see PID4 in the parent namespace.

This provides isolation between (in this case) processes within different namespaces.²

Source: https://www.nginx.com/blog/what-are-namespaces-cgroups-how-do-they-work/

Control Groups in Linux

Control Groups (cgroups) are a feature of the Linux kernel that lets you limit the access that processes and containers have to system resources such as CPU, RAM, IOPS (Input/Output Operations Per Second), and network.⁷ They allow processes to be organized into hierarchical groups whose usage of various types of resources can then be limited and monitored.⁸
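As an added example (not code from the article or from Docker itself), the Go function below reads two of the limits a cgroup enforces on a container. It assumes a cgroup v2 host, where Docker's `--memory` flag ends up in the file `memory.max` and `--cpus` in `cpu.max` of the container's cgroup directory; the directory path named in the comments (`/sys/fs/cgroup/system.slice/docker-<id>.scope`) is the layout of the systemd cgroup driver and is an assumption about the reader's host.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// fields returns the whitespace-separated tokens of one cgroup v2 interface file.
func fields(dir, name string) ([]string, error) {
	b, err := os.ReadFile(filepath.Join(dir, name))
	return strings.Fields(string(b)), err
}

// readLimits reports the memory cap (bytes) and CPU cap (number of CPUs) that a
// cgroup v2 directory enforces, e.g. /sys/fs/cgroup/system.slice/docker-<id>.scope
// on the host (assumed systemd driver layout). Docker writes "--memory" into
// memory.max and "--cpus" into cpu.max; a returned zero means the file holds the
// literal "max", i.e. that resource is not capped at all.
func readLimits(dir string) (memBytes int64, cpus float64, err error) {
	m, err := fields(dir, "memory.max")
	if err != nil || len(m) != 1 {
		return 0, 0, fmt.Errorf("memory.max: unexpected content %q (%v)", m, err)
	}
	if m[0] != "max" {
		if memBytes, err = strconv.ParseInt(m[0], 10, 64); err != nil {
			return 0, 0, err
		}
	}
	// cpu.max holds "<quota> <period>" in microseconds: "150000 100000" means
	// 1.5 CPUs, while "max 100000" means no CPU cap.
	c, err := fields(dir, "cpu.max")
	if err != nil || len(c) != 2 {
		return 0, 0, fmt.Errorf("cpu.max: unexpected content %q (%v)", c, err)
	}
	if c[0] != "max" {
		quota, err1 := strconv.ParseFloat(c[0], 64)
		period, err2 := strconv.ParseFloat(c[1], 64)
		if err1 != nil || err2 != nil || period <= 0 {
			return 0, 0, fmt.Errorf("cpu.max: unexpected content %q", c)
		}
		cpus = quota / period
	}
	return memBytes, cpus, nil
}
```

A container started with `docker run --memory=256m --cpus=1.5` shows up on such a host as `memory.max` = 268435456 and `cpu.max` = "150000 100000"; a container started without those flags has "max" in both, which is the unlimited default worth checking for.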

How do they work inside Docker?

Docker is written in the Go programming language and takes advantage of several features of the Linux kernel to deliver its functionality.

Docker uses namespaces to provide the isolated workspace (i.e. the container). When you run a container, Docker creates a set of namespaces for that container. Each container has its own namespaces and its own control group.

Let’s put these two in even simpler terms: cgroups limit how much of a resource a process can use, whereas namespaces limit which resources a process can see.

Source: https://bikramat.medium.com/namespace-vs-cgroup-60c832c6b8c8

The Linux kernel offers several types of namespaces that Docker makes use of, for example:

NET-Network: Provides a container with its own view of the network stack of the system (e.g. its own network devices, IP addresses, IP routing tables, /proc/net directory, port numbers, etc.).

PID-Process ID: The PID namespace gives containers their own scoped view of processes they can view and interact with.

MNT-Mount: Gives a container its own view of the “mounts” on the system. So, processes in different mount namespaces have different views of the filesystem hierarchy.

UTS-UNIX Time-Sharing System: Isolates system identifiers such as the hostname and the NIS domain name. It allows each container to have its own hostname and NIS domain name, independent of other containers and of the host system.

IPC-InterProcess Communication: Responsible for isolating IPC resources between processes running inside each container.

USER: This namespace is used to isolate users within each container. It functions by allowing containers to have a different view of the uid (user ID) and gid (group ID) ranges, as compared with the host system. As a result, a process’s uid and gid can be different inside and outside a user namespace, which also allows a process to have an unprivileged user outside a container without sacrificing root privilege inside a container.³
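The Go program below, added here and not taken from the article or from Docker's source, turns the list above into a check a host administrator can run: given a container's process ID (obtained on the host with `docker inspect -f '{{.State.Pid}}' <container>`), it compares each of the container's `/proc/<pid>/ns` entries with those of the host's PID 1 and reports which namespaces the container really has to itself. Running it as root is assumed, since reading another user's `/proc/<pid>/ns` links needs ptrace permission.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// The namespace kinds listed above; /proc/<pid>/ns/<kind> links to e.g. "pid:[4026531836]".
var nsKinds = []string{"pid", "mnt", "net", "uts", "ipc", "user"}

// nsID returns the identifier of one namespace of a process. Two processes are
// in the same namespace exactly when the identifiers match.
func nsID(pid int, kind string) (string, error) {
	return os.Readlink(fmt.Sprintf("/proc/%d/ns/%s", pid, kind))
}

// sharedNamespaces reports, for each kind this kernel exposes, whether processes
// a and b live in the same namespace. Against the host's PID 1, a default Docker
// container shares only "user" (Docker enables no user namespace by default);
// a shared "net" means --network=host and a shared "pid" means --pid=host.
func sharedNamespaces(a, b int) (map[string]bool, error) {
	shared := map[string]bool{}
	for _, kind := range nsKinds {
		ia, errA := nsID(a, kind)
		ib, errB := nsID(b, kind)
		if errA != nil || errB != nil {
			if errors.Is(errA, os.ErrNotExist) && errors.Is(errB, os.ErrNotExist) {
				continue // an older kernel that does not expose this kind
			}
			return nil, fmt.Errorf("%s namespace of %d/%d: %v %v", kind, a, b, errA, errB)
		}
		shared[kind] = ia == ib
	}
	return shared, nil
}

func main() {
	// On the host: <program> $(docker inspect -f '{{.State.Pid}}' <container>)
	var pid int
	fmt.Sscan(os.Args[len(os.Args)-1], &pid) // pid stays 0 if no argument was given
	shared, err := sharedNamespaces(pid, 1)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for kind, same := range shared {
		fmt.Printf("%-5s shared with PID 1: %v\n", kind, same)
	}
}
```

Every kind reported as shared is one layer of isolation the container does not have, so a container whose "mnt" or "pid" namespace matches the host's deserves a look at how it was started.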

Process isolation and security

We have seen that each Docker container is isolated from the others, but all of them share the same host kernel and root. This simplifies management, although it also brings a few disadvantages. For instance, if that root is compromised, every container on the host could be at risk. Hypervisor solutions, in contrast, provide more or less complete isolation, depending upon the requirements.⁶

[1]: Kumar, S. (2022). Basics of Container Isolation — Dev Genius. [online] Medium. Available at: https://blog.devgenius.io/basics-of-container-isolation-5eabdb258409 [Accessed 18 Sep. 2022].

[2]: van Kalken, S. (2021). What Are Namespaces and cgroups, and How Do They Work? — NGINX. [online] Available at: https://www.nginx.com/blog/what-are-namespaces-cgroups-how-do-they-work/ [Accessed 18 Sep. 2022].

[3]: Preethi Kasireddy (2016). A Beginner-Friendly Introduction to Containers, VMs and Docker. [online] Medium. Available at: https://medium.com/free-code-camp/a-beginner-friendly-introduction-to-containers-vms-and-docker-79a9e3e119b [Accessed 18 Sep. 2022].

[4]: Docker Documentation. (2022). Docker overview. [online] Available at: https://docs.docker.com/get-started/overview/ [Accessed 18 Sep. 2022].

[5]: Docker. (2016). Introduction to Container Security: Understanding the isolation properties of Docker. [online] Available at: https://www.docker.com/wp-content/uploads/2022/03/WP_IntrotoContainerSecurity_08.19.2016.pdf [Accessed 18 Sep. 2022].

[6]: Network Computing. (2015). Docker Containers: 9 Fundamental Facts. [online] Available at: https://www.networkcomputing.com/data-centers/docker-containers-9-fundamental-facts [Accessed 18 Sep. 2022].

[7]: dockerlabs. (2022). Lab: Control Groups (cgroups). [online] Available at: https://dockerlabs.collabnix.com/advanced/security/cgroups/ [Accessed 18 Sep. 2022].

[8]: Man7.org. (2021). cgroups(7) — Linux manual page. [online] Available at: https://man7.org/linux/man-pages/man7/cgroups.7.html [Accessed 18 Sep. 2022].