Running an application in a Docker container right now, and it works smoothly. However, I have some trouble understanding exactly what Docker does, what an image is, and what a container is
In: Technology
In Linux -and many other UNIX-like OSes- there is a tool called `chroot` that allows you to run an application using a given directory as if it were the `/` directory. For instance:
mkdir /tmp/blah
chroot /tmp/blah /bin/bash
This will run bash using `/tmp/blah` as the root directory. Obviously, this won’t work, because there is no `/bin/bash` under `/tmp/blah`. But we can make it work by populating `/tmp/blah` with a basic Linux filesystem:
/tmp/blah/bin
/tmp/blah/etc
/tmp/blah/lib
/tmp/blah/usr
/tmp/blah/proc
…
If you populate this directory with all the files that bash needs (the bash itself, libraries, configuration files, etc) the `chroot` command will work. Note that those files don’t have to be from your running distribution: you can run Arch in a chroot in Ubuntu, for instance. The only piece that will be shared is the kernel itself.
This has been used for many years to isolate an application from the rest of the system. The thing is, an application running in a chroot can’t access anything outside the chrooted directory. This is typically done in hosting services, where you buy part of a machine to host your web page.
This has an issue: an application can be isolated from other parts of the filesystem, but running `ps` or `w` will still show other processes and users. It turns out that `chroot` does not isolate your application entirely.
The Linux kernel has something called cgroups and namespaces which solve this. With them you can launch an application like `chroot` did but actually isolating it from other processes, users, and assigning it a subset of CPUs, memory, network, etc.
So, trying to answer the questions:
– Docker is a tool to launch applications in isolated environments.
– A docker image is a .tar.gz file that contains everything required by an application to run in a chroot. For instance, an image can contain a few files to run busybox, or an entire Debian distribution.
– A container is a process + its assigned resources in the cgroup + an image.
That’s terribly simplified but you get the idea 🙂
Latest Answers