Container

Modern Docker containers are chroot jails with added sugar. They are:

  1. Layered - Each running container is the combination of one or more container images.
  2. Immutable - Container images, once built, are immutable. Any changes to image files in running containers will be discarded upon container removal. The only way to persist files is via bind mounts or volumes.
  3. Easily Built - Container images are built using a recipe file called a Dockerfile. It contains instructions such as specifying the base image, importing files from the host filesystem into the container, running commands in the container, and setting properties (like what script to run when the container starts).
  4. Portable - Running containers are chroot environments that are completely isolated from the outside environment, except for mounted volumes or port forwarding.
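
The layering and immutability in points 1 and 2, as a simplified model added here (not Docker's code and not part of the original notes). It assumes layers are plain dicts and `None` marks a deleted file; the `Container` class, its methods and all sample paths are hypothetical.

```python
# Simplified model: a layer is a dict of path -> content.
# A value of None is a deletion marker ("whiteout") for that path.
class Container:
    def __init__(self, image_layers, volumes=None):
        self.lower = tuple(image_layers)   # read-only image layers, base first
        self.upper = {}                    # writable layer, private to this container
        self.volumes = volumes if volumes is not None else {}  # mountpoint -> host store

    def _volume_for(self, path):
        # Paths under a mountpoint bypass the layers and hit host storage.
        for mount, store in self.volumes.items():
            if path.startswith(mount.rstrip("/") + "/"):
                return store
        return None

    def write(self, path, data):
        store = self._volume_for(path)
        (store if store is not None else self.upper)[path] = data

    def delete(self, path):
        store = self._volume_for(path)
        if store is not None:
            store.pop(path, None)
        else:
            self.upper[path] = None        # hide the file; the image layer is untouched

    def read(self, path):
        store = self._volume_for(path)
        if store is not None:
            return store.get(path)
        for layer in (self.upper, *reversed(self.lower)):
            if path in layer:
                return layer[path]         # topmost layer wins; None means deleted
        return None

def demo():
    # Constructed sample image: a base layer plus an application layer.
    base = {"/etc/os-release": "debian", "/app/config": "default"}
    app = {"/app/config": "production", "/app/run.sh": "#!/bin/sh"}
    host_volume = {}
    c1 = Container([base, app], {"/data": host_volume})
    c1.write("/app/config", "tampered")    # lands in c1's writable layer only
    c1.delete("/etc/os-release")
    c1.write("/data/db", "rows")           # lands in the volume
    seen = (c1.read("/app/config"), c1.read("/etc/os-release"))
    del c1                                 # container removal discards the writable layer
    c2 = Container([base, app], {"/data": host_volume})
    return seen, c2.read("/app/config"), c2.read("/etc/os-release"), c2.read("/data/db")
```

A fresh container from the same image sees the original files again, while the volume contents survive. This is why an in-container change, whether a fix or a tampering, does not alter the image itself.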

Docker is the inventor and original implementation of this idea. DockerHub is the cloud container registry (and building service) run by Docker, Inc. Podman is Red Hat's competing and compatible implementation of Docker.

TODO: What is OCI?

This architecture opens up many more opportunities for a scalable environment. Because running containers are portable, they can be easily scaled or moved to other machines with minimal changes to the things inside the container. For the same reason, Docker containers can be used to replicate development environments.

Clustering solutions exist: Docker Swarm is the simple cluster implementation built into Docker; Kubernetes is the super-fancy-complicated Google thing; Nomad is the HashiCorp implementation.

A Docker container is not a virtual machine. It uses the host's kernel, network stack, file system, and basically everything else.

A Docker container is not only a chroot jail. It is incorrect to compare it to systemd-nspawn containers or FreeBSD jails. A Docker container is built upon chroot(2) and adds all the fancy features described above to speed up environment setup and scaling, whereas plain chroot jails are not based on OCI images.


Last update: November 5, 2023
Created: November 5, 2023