Learning resources: Linux Containers for Curious Engineers
Howdy. A few months ago, some nice folks at my $DAYJOB asked about containers.
No, not these kind of containers, silly. :)
They asked about ‘containers’ as a concept in computing. What are containers? How do they relate to traditional VMs? What makes containers compelling? Some understanding of what a Kernel actually is can be helpful.
While ‘containers’ have been around for a long time (think Solaris Zones, Linux-VServer, OpenVZ, etc.), today a large swath of software stacks have embraced the concept of containers as created within the Linux software ecosystem.
Containers can be thought of as a form of lightweight virtualization. Processes running within a container have the illusion of running on an independent system but, in truth, many containers can be running simultaneously on the same host kernel. The container illusion is created using namespaces, giving each container its own view of the network, the filesystem, and more, and control groups, which isolate containers from each other and control resource usage. Security modules or seccomp can be used to further restrict what a container can do. The result is a mechanism that, like so many things in Linux, offers a great deal of flexibility at the cost of a fair amount of complexity. Setting up a container in a way that ensures it will stay contained is not a trivial task and, as we’ll see, the lack of a container primitive also complicates things on the kernel side.
– “Containers as Kernel Objects” by Jonathan Corbet, LWN Executive Editor
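The namespaces and control groups in the quote above are ordinary kernel objects, and a process's membership in them can be read back from /proc. The following is an added example (not from the original post or from LWN): it parses the /proc/<pid>/ns/* link format and /proc/<pid>/cgroup, then reports which namespaces the current process shares with PID 1, which is a quick way to see how much of the "independent system" illusion applies to a given process. The cgroup sample text is constructed.

```python
# Added example (not from the post): the namespace and cgroup membership the
# quote describes is visible in /proc. The sample cgroup text is constructed.
import os
import re

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")
_NS_LINK = re.compile(r"^([a-z_]+):\[(\d+)\]$")
# Constructed sample: one cgroup v1 hierarchy line and one cgroup v2 line.
SAMPLE_CGROUP = "12:cpu,cpuacct:/docker/0123abcd\n0::/user.slice/app\n"

def parse_ns_link(link):
    """Parse a readlink() result such as 'pid:[4026531836]' into (type, inode).
    Two processes with the same inode for a type share that kernel namespace."""
    m = _NS_LINK.match(link)
    if not m:
        raise ValueError(f"not a namespace link: {link!r}")
    return m.group(1), int(m.group(2))

def parse_proc_cgroup(text):
    """Parse /proc/<pid>/cgroup lines 'hierarchy-ID:controllers:path'.
    v1 gives one line per hierarchy; v2 gives a single '0::/path' line."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            hid, ctl, path = line.split(":", 2)
            rows.append((int(hid), ctl.split(",") if ctl else [], path))
    return rows

def shared_namespaces(a, b):
    """Namespace types whose inode matches in both maps (same kernel object)."""
    return sorted(t for t in a if t in b and a[t] == b[t])

def read_ns_map(pid):
    """Read /proc/<pid>/ns/* into {type: inode}; skips links we may not read
    (PID 1's links are normally readable by root only)."""
    out = {}
    for t in NS_TYPES:
        try:
            name, ino = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{t}"))
        except OSError:
            continue
        out[name] = ino
    return out

if __name__ == "__main__":
    print("sample cgroups:", parse_proc_cgroup(SAMPLE_CGROUP))
    me, init = read_ns_map("self"), read_ns_map("1")
    print("namespaces shared with PID 1:", shared_namespaces(me, init))
```

Run it once on the host and once inside a container: on the host every type is shared with PID 1, while inside a container the pid, mnt, uts and net inodes typically differ and the cgroup path points under the runtime's hierarchy.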
Since about 2015, I’ve been inside Docker’s universe of tooling for my paying work and for fun. I’ve also been getting acquainted with Kubernetes, a cluster management platform with containers at its heart. Working with container management applications and platforms like those certainly helps to build a workaday understanding of administering ‘containers’. But for me, the clearest path to understanding the fundamental nature of containers is by discovering how the Linux Kernel presents the interfaces that tools like Docker actually use. The Containers entry in LWN’s Article Index is a wonderful resource for learning about the development of container support in the Kernel, which creates the illusion of process isolation for applications: from the application’s perspective, it is the only application running under the Kernel.
For studying, my advice is to take the Article Index, find the latest articles, and work your way backwards in time. You can generally take the opening paragraphs of those articles as a ‘summary’ of the more technical information discussed in the body of the articles.
I find these articles particularly illuminating for understanding containers:
Wikipedia has some references to the relevant subsystems in the Linux Kernel responsible for providing the instrumentation for creating and managing containers (quality may vary, but they can be good starting points for learning):
Hope this helps you to get a bit more comfortable with the ideas around containers. I may update this article as I find good quality relevant resources. When and if I put comments on this blog, you can, too. :D