To make it easy, I have already made a video on it. If you are a visual learner, you may watch the video.
For those who prefer to read, let's start here.
Before getting into the inner workings of Docker, let's clear up the basics first.
What is Docker?
It is a tool for building images and running containers. It provides a CLI and an HTTP API, so containers can also be managed programmatically. Apart from the software, Docker helped create the standards around container technology: in 2015 it donated its container runtime (runc) and image format to found the Open Container Initiative (OCI), which governs those standards today.
What are containers?
Containers are isolated entities that package an application together with its dependencies and configuration, so that it runs easily on any container host. Take a MySQL container, for example: with it you can start a MySQL server quickly, without messing with dependencies on the actual host, because the container brings along everything MySQL needs to function properly.
What are Images?
Images are the read-only blueprints that define what a container contains and how it should start. A container is started from an image because all the required files and configuration are already present inside the image.
The flow of a docker command that starts a container
Docker CLI
It is a thin client that translates a Docker command into an API request. The request is then sent to the Docker daemon, by default over the Unix socket /var/run/docker.sock.
Docker daemon
It is a background process (dockerd) that listens for API calls; it interprets each call and instructs its components to act on it. So when you say Docker is running, you mean the Docker daemon is running (a background process on Linux is called a daemon). Note that the daemon normally runs as root, so anyone who can write to its socket can ask it to do anything root can do on the host.
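The request the CLI sends is ordinary HTTP over the Unix socket, which the following added example (not code from the original article or from Docker) reproduces with nothing but the standard library. It assumes the default socket path /var/run/docker.sock and the API version prefix v1.41; the endpoint paths are the Docker Engine API's, and the permission check only interprets the socket's mode bits.

```python
"""Talk to the Docker daemon the way the docker CLI does: plain HTTP
over the Unix socket, read-only endpoints only. Added example, not
code from the original article or from Docker itself."""
import http.client
import json
import os
import socket
import stat

DOCKER_SOCK = "/var/run/docker.sock"  # dockerd's default listen path
API_VERSION = "v1.41"                 # assumption: any recent daemon accepts this prefix


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that dials an AF_UNIX path instead of host:port."""

    def __init__(self, sock_path: str, timeout: float = 5.0):
        super().__init__("localhost", timeout=timeout)
        self.sock_path = sock_path

    def connect(self) -> None:
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.sock_path)


# What a few read-only CLI verbs become on the wire (Engine API paths).
CLI_TO_API = {
    "version": "/version",
    "info": "/info",
    "ps": "/containers/json",
    "images": "/images/json",
}


def api_path(cli_verb: str, show_all: bool = False) -> str:
    """Map a CLI verb to the versioned API path the daemon receives."""
    path = f"/{API_VERSION}{CLI_TO_API[cli_verb]}"
    if cli_verb == "ps" and show_all:
        path += "?all=1"  # what `docker ps -a` asks for
    return path


def docker_get(path: str, sock_path: str = DOCKER_SOCK):
    """GET a JSON endpoint from the daemon over the Unix socket."""
    conn = UnixHTTPConnection(sock_path)
    try:
        conn.request("GET", path, headers={"Host": "docker"})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError(f"{path}: HTTP {resp.status} {body[:200]!r}")
    return json.loads(body)


def socket_exposure(mode: int, uid: int, gid: int) -> list:
    """Classify who can reach the daemon from the socket's permission bits.
    Whoever can write to the socket can ask the root daemon for anything."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable: every local user has root-equivalent access")
    elif mode & stat.S_IWGRP:
        findings.append(f"group-writable: members of gid {gid} have root-equivalent access")
    if uid != 0:
        findings.append(f"owned by uid {uid}, not root")
    return findings


def check_socket(sock_path: str = DOCKER_SOCK) -> list:
    st = os.stat(sock_path)
    return socket_exposure(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def main() -> None:
    print("socket:", check_socket() or ["only root can write to it"])
    print("daemon version:", docker_get(api_path("version"))["Version"])
    for c in docker_get(api_path("ps", show_all=True)):
        print(c["Id"][:12], c["State"], c["Image"], c.get("Names"))


if __name__ == "__main__":
    main()
```

Running it as root (or as a member of the docker group) prints the daemon version and the same container list that docker ps -a shows; the socket check is the part worth keeping in an audit script, because a group-writable socket hands every member of that group root on the host.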
ContainerD
containerd is a high-level container runtime. (It also implements Kubernetes' Container Runtime Interface, CRI, but CRI is an interface that containerd serves, not what containerd is.) It takes instructions for creating and managing containers and has its own image management as well. When we run docker pull image_name, the Docker daemon by default pulls the image and stores its layers itself; only when the containerd image store is enabled is that work delegated to containerd. For creating and managing containers, the daemon always invokes containerd.
RUNC
containerd does not create and manage containers all by itself. At the lowest level, containers are built from two Linux kernel features, namespaces and cgroups. Setting up the namespaces and cgroups and starting the container's first process inside them is handled by runc, which is why it is called a low-level container runtime. containerd starts a runc instance (through a small shim process) for each container; once the container process is running, runc exits and the shim stays behind to track it.
1. What are namespaces?
Namespaces are a Linux kernel feature that isolates what a running process can see. For example, a process placed in its own PID namespace can only see and signal processes in that namespace; the host's other processes are invisible to it. There are different namespace types for different resources: pid (process IDs), mnt (mount points), net (network interfaces and ports), ipc, uts (hostname), user (UID/GID mapping) and cgroup. You can use this article for learning about namespaces in detail.
2. What are cgroups?
Control groups (cgroups) are another Linux kernel feature: they limit and account for the resources a group of processes may consume, such as CPU time, memory, block I/O and the number of processes. For example, if a cgroup's memory limit is 512MB, the processes in it cannot use more than that; the kernel enforces the limit, first by reclaiming memory and, failing that, by OOM-killing a process in the group.
What are the specifications?
There are standards for how images are packaged and how containers are run. These specifications exist so that container technology behaves the same way on any system. Desktop or Raspberry Pi, Ubuntu or Arch, it does not matter; the container will function the same because of the standards.
These standards are maintained by the Open Container Initiative (OCI), which Docker launched in 2015 together with other companies, donating runc and its image format as the starting point. The two main ones are the runtime specification and the image specification.
You can see the runtime specification in action by running runc spec. It generates a config.json file containing an example configuration for a container: the namespaces to create, the capabilities to keep, the root filesystem, the cgroup limits. This is the file runc consumes, and Docker generates an equivalent one for every container it starts.
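Because the config.json is where the isolation is actually requested, it is also where a practitioner checks what a container was really given. The following is an added example (not code from the original article or from runc) that audits the security-relevant fields of such a file; the two embedded configurations are constructed, trimmed to the audited fields and only modelled on the shape of runc spec output, and the list of namespaces and capabilities it expects is this example's own choice.

```python
"""Audit an OCI runtime spec (the config.json that runc spec writes and
that Docker generates per container) for the isolation it actually asks
for. Added example, not code from the article or from runc."""
import json

# Namespaces a default runc spec / Docker container gets. "user" is not on
# by default in Docker, so its absence is reported separately.
EXPECTED_NAMESPACES = {"pid", "mount", "network", "ipc", "uts"}
# Capabilities that let a process reach around the namespace isolation.
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
                  "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN"}


def audit_config(cfg: dict) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    linux = cfg.get("linux", {})
    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    for ns in sorted(EXPECTED_NAMESPACES - present):
        findings.append(f"missing {ns} namespace")
    if "user" not in present:
        findings.append("no user namespace: uid 0 inside is uid 0 on the host")
    proc = cfg.get("process", {})
    caps = proc.get("capabilities", {})
    for capset in ("bounding", "effective", "permitted"):
        bad = DANGEROUS_CAPS & set(caps.get(capset, []))
        if bad:
            findings.append(f"{capset} capabilities include {', '.join(sorted(bad))}")
    if not proc.get("noNewPrivileges", False):
        findings.append("noNewPrivileges unset: setuid binaries can regain privileges")
    if not cfg.get("root", {}).get("readonly", False):
        findings.append("rootfs is writable")
    if not linux.get("resources", {}).get("memory", {}).get("limit"):
        findings.append("no memory limit: cgroup memory.max is unset")
    return findings


def audit_file(path: str) -> list:
    """Audit a config.json on disk, e.g. the one `runc spec` just wrote."""
    with open(path) as f:
        return audit_config(json.load(f))


def _base(namespaces, caps, no_new_privs, readonly, mem_limit):
    """Build a constructed config with the same layout as runc spec output."""
    return {
        "ociVersion": "1.0.2",
        "process": {"args": ["sh"], "noNewPrivileges": no_new_privs,
                    "capabilities": {"bounding": caps, "effective": caps, "permitted": caps}},
        "root": {"path": "rootfs", "readonly": readonly},
        "linux": {"namespaces": [{"type": t} for t in namespaces],
                  "resources": {"memory": {"limit": mem_limit}} if mem_limit else {}},
    }


# Constructed inputs (not captured from a real runc spec run).
HARDENED = _base(["pid", "network", "ipc", "uts", "mount"],
                 ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"],
                 True, True, 512 * 1024 * 1024)
WEAK = _base(["mount", "ipc", "uts"],
             ["CAP_SYS_ADMIN", "CAP_NET_BIND_SERVICE"],
             False, False, None)

if __name__ == "__main__":
    import sys
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_config(cfg) or ["ok"])
    for path in sys.argv[1:]:
        print(path, audit_file(path) or ["ok"])
```

Run it with the path of a config.json as an argument to audit a real file. The hardened configuration gets a single note about the missing user namespace, which is the honest state of a default Docker container; the weak one is flagged for sharing the host's PID and network namespaces, carrying CAP_SYS_ADMIN, allowing privilege gain through setuid binaries, having a writable root filesystem and having no memory limit.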
Inside the container
A container is supposed to run a single application, and that application may spawn child processes. But every process running inside the container is also running on the host, scheduled by the host's kernel; there is nothing between the process and the host kernel. This is what makes a container different from a virtual machine, which has a hypervisor (and a separate guest kernel) in between. It is also the main security caveat: a kernel bug reachable from inside a container is a bug in the host's kernel.
In the image above, you can clearly see the container's process in the host's process list, labelled with the ID of the container. The highlighted process and the container ID are the same. So you may ask, where is the isolation then? The isolation is created by namespaces and cgroups: the host can see the process, but from its own point of view the process sees only what is in its namespaces and can use only what its cgroup allows.
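Both the namespaces and cgroups section earlier and the host-side view described just above can be verified from /proc, which is what the following added example (not code from the original article or from Docker) does: it finds container processes on the host by the container ID in their cgroup path, reads the PID they have inside their PID namespace from the NSpid field, and compares namespace identities with the inspecting process. The sample cgroup and status lines are constructed, the 64-hex container ID is made up, and the cgroup path patterns assumed are Docker's /docker/<id> (cgroup v1) and docker-<id>.scope (cgroup v2 with systemd).

```python
"""Look at container processes from the host side through /proc: every
containerised process is an ordinary host process whose namespace links
and cgroup path show how it is confined. Added example, not code from
the article or from Docker."""
import os
import re

NS_TYPES = ("pid", "mnt", "net", "ipc", "uts", "user", "cgroup")
# Docker names the container's cgroup after its 64-hex ID, e.g.
# /docker/<id> on cgroup v1 or /system.slice/docker-<id>.scope on v2 + systemd.
CONTAINER_ID_RE = re.compile(r"docker[-/]([0-9a-f]{64})")


def parse_cgroup(lines) -> dict:
    """/proc/<pid>/cgroup -> {controller: path}; '' is the v2 unified hierarchy.
    Lines look like '12:memory:/docker/<id>' (v1) or '0::/system.slice/...' (v2)."""
    out = {}
    for line in lines:
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            out[parts[1]] = parts[2]
    return out


def container_id_from_cgroup(lines):
    """The Docker container ID a process belongs to, or None for host processes."""
    for path in parse_cgroup(lines).values():
        m = CONTAINER_ID_RE.search(path)
        if m:
            return m.group(1)
    return None


def parse_nspid(status_lines) -> list:
    """NSpid from /proc/<pid>/status: the PID in each nested pid namespace,
    outermost (host) first. A process only in the host namespace has one entry."""
    for line in status_lines:
        if line.startswith("NSpid:"):
            return [int(x) for x in line.split()[1:]]
    return []


def namespace_ids(pid) -> dict:
    """Namespace identity per type, e.g. 'pid:[4026531836]', from readlink on
    /proc/<pid>/ns/*. Two processes with equal strings share that namespace."""
    ids = {}
    for ns in NS_TYPES:
        try:
            ids[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            pass  # unsupported namespace type, or not permitted to inspect that pid
    return ids


def separate_namespaces(mine: dict, theirs: dict) -> list:
    """Namespace types in which `theirs` differs from `mine` (sorted)."""
    return sorted(ns for ns in theirs if mine.get(ns) != theirs[ns])


def isolation_report(pid: int) -> dict:
    """Everything the host can see about one pid's confinement."""
    with open(f"/proc/{pid}/status") as f:
        nspid = parse_nspid(f)
    with open(f"/proc/{pid}/cgroup") as f:
        cid = container_id_from_cgroup(f)
    return {
        "host_pid": pid,
        "pid_in_container": nspid[-1] if len(nspid) > 1 else None,
        "container_id": cid,
        "separate_namespaces": separate_namespaces(namespace_ids(os.getpid()), namespace_ids(pid)),
    }


def find_container_processes() -> dict:
    """Walk /proc and group host PIDs by the (short) container ID they belong to."""
    found = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cgroup") as f:
                cid = container_id_from_cgroup(f)
        except OSError:
            continue  # process exited, or not readable
        if cid:
            found.setdefault(cid[:12], []).append(int(entry))
    return found


# Constructed sample lines, not captured from a real host.
SAMPLE_ID = "3b7f" * 16
SAMPLE_CGROUP_V1 = [f"12:memory:/docker/{SAMPLE_ID}", f"1:name=systemd:/docker/{SAMPLE_ID}"]
SAMPLE_CGROUP_V2 = [f"0::/system.slice/docker-{SAMPLE_ID}.scope"]
SAMPLE_CGROUP_HOST = ["0::/user.slice/user-1000.slice/session-2.scope"]
SAMPLE_STATUS = ["Name:\tsleep", "Pid:\t43210", "NSpid:\t43210\t1"]

if __name__ == "__main__":
    for short_id, pids in find_container_processes().items():
        print(short_id, [isolation_report(p) for p in pids])
```

Run as root on a Docker host it prints, per container, each process's host PID, the PID it sees for itself inside the container (typically 1 for the main process) and the namespace types in which it differs from the inspecting process; the same process, inspected from inside the container with ps, shows only the container-local PID. The cgroup-path lookup is also the usual forensic answer to "which container did this host PID come from".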
Conclusion
Containers are fast because the processes inside them run directly on the host's kernel, separated only by namespaces and cgroups. The same fact is worth remembering from a security point of view: the isolation boundary is the shared kernel's, not a hypervisor's.
My social links
X profile: on X I keep posting about technologies and programming-related information.
Top comments (3)
That is a good explanation. Btw, that YouTube video is also very informative.
Great explanation of the inner workings of Docker. The YouTube video looks more appealing. Keep up the good work!
Great article! I appreciate how you broke down Docker's inner workings in such a clear and concise way. It really helps demystify the underlying architecture. Keep up the excellent work.