Architecture Big Picture
Container: isolated area of an OS with resource usage limits applied
To build containers, we use Control Groups and Namespaces (low level, hard-to-use kernel constructs) – note: Docker makes these easy to use.
docker command -> API -> sets up control groups and namespaces -> generates container
Namespaces (each isolates one kind of kernel resource):
- Process ID (pid) – separate process tree each with its own PID 1
- Network (net) – isolated network stack – i.e. eth0, IP address
- Filesystem/mount (mnt) – separate mount table, so the container sees its own filesystem tree
- Inter-proc comms (ipc) – isolates shared memory and other IPC objects so only processes in the same container can see them
- UTS (uts) – i.e. separate hostnames. Note: UTS = Unix Timesharing System
- User (user) – map accounts inside container to host accounts
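Added example (not from the original notes): a small Linux procfs check that reads the six namespace links listed above for a process and reports in which namespaces it differs from PID 1 on the host. This is the practical way to confirm what a container actually is: a process whose namespace inodes differ from the host's. The inode values in the comments are constructed samples; reading another user's process under /proc needs root or CAP_SYS_PTRACE.

```python
import os
import re
from typing import Dict, List

# The namespace types from the notes above, in the same order.
NS_TYPES = ("pid", "net", "mnt", "ipc", "uts", "user")

# /proc/<pid>/ns/<type> is a symlink whose target looks like 'pid:[4026531836]';
# the number is the namespace inode, which uniquely identifies the namespace.
_NS_LINK = re.compile(r"^(?P<kind>\w+):\[(?P<inode>\d+)\]$")


def parse_ns_link(target: str) -> int:
    """Extract the namespace inode from a /proc/<pid>/ns/* link target."""
    m = _NS_LINK.match(target)
    if not m:
        raise ValueError(f"unexpected namespace link: {target!r}")
    return int(m.group("inode"))


def read_namespaces(pid: int) -> Dict[str, int]:
    """Read the namespace inodes of a live process (Linux only, needs
    permission to inspect that pid)."""
    return {kind: parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
            for kind in NS_TYPES}


def isolated_namespaces(proc: Dict[str, int], ref: Dict[str, int]) -> List[str]:
    """Namespace types in which `proc` differs from the reference process
    (normally PID 1 on the host). An empty list means the process shares
    every namespace with the host, i.e. it is not inside a container.
    A Docker container with default settings typically differs in
    pid/net/mnt/ipc/uts but still shares the host *user* namespace, so
    uid 0 inside is uid 0 on the host unless user remapping is enabled."""
    return [k for k in NS_TYPES if k in proc and k in ref and proc[k] != ref[k]]


def looks_containerised(pid: int, host_pid: int = 1) -> bool:
    """Live check: does `pid` run in any namespace separate from the host?"""
    return bool(isolated_namespaces(read_namespaces(pid), read_namespaces(host_pid)))


if __name__ == "__main__":
    me = os.getpid()
    print(f"pid {me} isolated namespaces vs PID 1:",
          isolated_namespaces(read_namespaces(me), read_namespaces(1)))
```

Running it as root on a host against a container's PID shows which namespaces Docker created; running it inside the container compares against the container's own PID 1 and reports none.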
Control Groups (aka cgroups – Windows calls them Job Objects / Control Groups)
Police system resources: portion out disk I/O, RAM and CPU between containers
Union file system
Note: whilst Docker Engine is used for creating containers, there is a whole load of stuff plugging into it, such as:
- On-prem registry
- Universal control plane
- Ecosystem – e.g. Rancher, CircleCI
Some history: dotCloud born (tool called dc) which used LXC. LXC changes were breaking Docker. So Docker replaced LXC with libcontainer. dc tool replaced by docker.
The docker daemon became a monolith (i.e. compose, authz, registry, REST API, orchestration, etc).
Kubernetes pulled in docker which already had orchestration – messy. So, Docker started refactoring.
Open Container Initiative.
Client – daemon (Docker API) – containerd – OCI (Runtime – i.e. interfaces with kernel)
Note: runc is OCI implementation.
On Windows, instead of containerd and runc we have Compute Services.
Example: creating a new container on Linux
docker container run
REST POST call to daemon
This then does a client.NewContainer(context, …) call to containerd.
containerd calls a shim which calls runc.
Because of this layering, containerd and runc can be swapped out if necessary.
The daemon can also be reinstalled / upgraded / restarted without affecting running containers.
daemon: orchestration, builds, stacks, overlay-networks.
GRPC: RPC framework – https://grpc.io/
containerd is a Cloud Native Computing Foundation project.
Windows containers come in two types – Native and Hyper-V.
Native – uses Namespace isolation (i.e. runs on Host OS kernel)
Hyper-V – Windows spins up a Hyper-V kernel. i.e. 1 container per VM. To use, need:
docker container run --isolation=hyperv