Containers - Behind the hood

To create an isolated environment for containers and run applications in it, container runtimes rely on several kernel technologies behind the hood. So what are they, how do they work, and what does isolation actually mean in terms of containerization?

They are backed by concepts like Namespaces, cgroups, the Union File System and OverlayFS.

Containers are isolated environments: the processes running inside one container are not shared with, or visible to, other containers. That does not mean they are completely isolated, even from the host OS.

The host OS is aware of all processes and of the resources being used by each container, because containers are built on kernel namespaces under the hood.

So what are kernel namespaces, and what is their story?

Namespaces are one of the technologies Linux containers use to provide an isolated environment. They give a contained process its own isolated view of different Linux resources.

What does a Namespace do?

A namespace is the kernel feature that lets the system restrict which resources containerized processes can see, and that ensures none of them can interfere with another.

There are 7 types of namespaces, each isolating a different resource backing container applications and together making process isolation possible.

They are:

1. Mount/mnt - virtually partitions the file system. Processes running in separate mount namespaces cannot access files outside of their own mount points.

2. Process/pid - isolates the process ID number space, allowing processes inside the namespace to have their own unique set of process IDs.

3. IPC - processes often need to communicate with each other using shared memory, semaphores or message queues. IPC namespaces allow these communication resources to be isolated between different processes or containers.

4. Network/net - allows you to create separate instances of network interfaces, routing tables, firewall rules and other network-related resources. It is like having multiple isolated copies of the network stack that operate independently of each other.

5. UTS/Unix Timesharing System - provides isolation for system identifiers such as the hostname and NIS domain name, allowing multiple containers or processes to operate with their own unique identity on a shared Linux system.

6. User - provides a way to map and isolate user and group IDs (UIDs and GIDs) between different namespaces, allowing processes to have different views of user and group ownership on the same system.

7. Time - check out the page below for more details and a better understanding of this namespace.

https://www.man7.org/linux/man-pages/man7/time_namespaces.7.html

To have a look at the namespaces running on your laptop, run the command sudo lsns; you will see output similar to the image attached below.

[Image: output of lsns]
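To see where lsns gets its information, here is an added example (not part of the original post) that rebuilds a minimal lsns from /proc: every /proc/<pid>/ns/<type> symlink points at a target such as pid:[4026531836], and processes that resolve to the same inode share that namespace. The hosted_processes helper is my own addition: it lists processes that still share a namespace with PID 1, which is how you would spot a container that was started sharing the host's PID or network namespace.

```python
#!/usr/bin/env python3
"""Minimal lsns-style namespace inventory built from /proc (Linux only).

/proc/<pid>/ns/<type> is a symlink to a target like 'pid:[4026531836]';
the number is the namespace inode. Same inode => same namespace.
"""
import os
import re
from collections import defaultdict

NS_TYPES = ("mnt", "pid", "ipc", "net", "uts", "user", "time")
_LINK_RE = re.compile(r"^([a-z_]+):\[(\d+)\]$")


def parse_ns_link(target):
    """Parse 'net:[4026531992]' into ('net', 4026531992); None if malformed."""
    m = _LINK_RE.match(target)
    return (m.group(1), int(m.group(2))) if m else None


def read_process_namespaces(pid, proc_root="/proc"):
    """Return {type: inode} for one process. Entries that cannot be read
    (other users' processes need root) are skipped instead of failing."""
    found = {}
    for ns_type in NS_TYPES:
        try:
            parsed = parse_ns_link(os.readlink(f"{proc_root}/{pid}/ns/{ns_type}"))
        except OSError:
            continue
        if parsed:
            found[parsed[0]] = parsed[1]
    return found


def scan_processes(proc_root="/proc"):
    """Return {pid: {type: inode}} for every numeric directory under proc_root."""
    pids = sorted(int(d) for d in os.listdir(proc_root) if d.isdigit())
    return {pid: read_process_namespaces(pid, proc_root) for pid in pids}


def group_by_namespace(ns_by_pid):
    """Invert {pid: {type: inode}} into {(type, inode): [member pids]},
    which is the per-namespace view that lsns prints."""
    groups = defaultdict(list)
    for pid, namespaces in ns_by_pid.items():
        for ns_type, inode in namespaces.items():
            groups[(ns_type, inode)].append(pid)
    return {key: sorted(members) for key, members in groups.items()}


def hosted_processes(ns_by_pid, ns_type, host_pid=1):
    """PIDs sharing ns_type with host_pid (PID 1 = the host's namespace):
    a container process listed here is NOT isolated for that resource."""
    host_inode = ns_by_pid.get(host_pid, {}).get(ns_type)
    return sorted(p for p, ns in ns_by_pid.items()
                  if host_inode is not None and ns.get(ns_type) == host_inode)


if __name__ == "__main__":
    for (ns_type, inode), members in sorted(group_by_namespace(scan_processes()).items()):
        print(f"{ns_type:5} {inode:12} nprocs={len(members):4} pids={members[:5]}")
```

Run it as root to see every process; as a normal user you only get the namespaces of your own processes, exactly as with lsns.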

Resources for understanding the concepts mentioned above in more detail.

YT Links:

  1. School of DevOps - https://youtu.be/B0Ysi0l4CNI?si=sr6KKb-yR7f46ifQ
  2. Datadog - https://youtu.be/BwI89OnYm-4?si=Zme4IGAqPPHVYfDy

Articles:

  1. https://www.man7.org/linux/man-pages/man7/
  2. https://www.howtogeek.com/devops/what-are-linux-namespaces-and-what-are-they-used-for/

Moving forward, I will talk more about cgroups and more!!
