Module Review: Docker Internals

[!NOTE] This module explores the core principles of Module Review: Docker Internals, deriving solutions from first principles and hardware constraints to build world-class, production-ready expertise.

1. Key Takeaways

  1. Containers are an Illusion: They are just processes with extra flags (clone(2)) for isolation (Namespaces) and limits (Cgroups).
  2. Namespaces (The Fence): They provide Isolation.
    • PID: Process IDs (PID 1 inside).
    • NET: Network Interfaces (eth0, localhost).
    • MNT: Filesystem Mounts (/).
  3. Cgroups (The Guard): They provide Resource Limiting.
    • CPU: Quota and Period (CFS).
    • Memory: Limits and OOM Killer.
  4. UnionFS (The Magic): OverlayFS allows multiple read-only layers to form a single read-write view using Copy-On-Write (CoW).
  5. Runtime Hierarchy:
    • dockerd (Manager) → containerd (Lifecycle) → shim (Parent) → runc (Executor).
  6. OCI Standards:
    • Image Spec: The tarball format (Manifest + Layers).
    • Runtime Spec: The execution config (config.json).
  7. Containerd vs Docker: containerd can run containers without Docker (used by Kubernetes).
  8. The Shim: Keeps the container running if the runtime daemon crashes or upgrades.
  9. Security: Root in a container is Root on the host (unless User Namespaces are used).
  10. Persistence: Data written to the container layer disappears on delete. Use Volumes to bypass OverlayFS.

2. Flashcards

Test your understanding of Docker Internals.

Which Namespace isolates Process IDs?
(It makes you PID 1)
PID Namespace
The PID Namespace resets numbering so the process sees itself as PID 1, even if it is PID 12345 on the host.
What mechanism limits CPU usage?
(Part of Cgroups)
CFS Quota & Period
The Completely Fair Scheduler (CFS) uses `cpu.cfs_quota_us` and `cpu.cfs_period_us` to throttle CPU time.
What happens when you write to a file in a Read-Only layer?
(OverlayFS strategy)
Copy-On-Write (CoW)
The file is copied from the LowerDir (Read-Only) to the UpperDir (Read-Write) before modification.
Which component actually spawns the container process?
(Low-level runtime)
runc
Runc interacts directly with the Kernel (Namespaces/Cgroups) to create the container.
What file defines the OCI Runtime Configuration?
(JSON file)
config.json
This file contains the command, environment variables, mounts, and namespace settings for the container.

3. Cheat Sheet

Command Description
lsns List all namespaces on the host.
unshare Run a program in a new namespace.
nsenter Enter an existing namespace (like docker exec).
runc list List containers managed by runc.
ctr c ls List containers managed by containerd.
mount -t overlay Manually mount an overlay filesystem.
cat /proc/$$/cgroup View cgroups for the current process.

4. Next Steps

Now that you understand the Internals, you are ready to master Orchestration.

Docker Glossary