docker/containers
Tags: computers
Overview
- Build on linux namespaces and cgroups
- Namespaces segregate the system by allowing each container to have its own view of the system, via process IDs, network interfaces, etc.
- Control groups (cgroups) partition the physical hardware resources between them
- Capabilities split the privileges of the root user into distinct units that can be granted or dropped individually
seccomp
filters system calls made by processes to restrict kernel functionality
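To make the capabilities point concrete, here is an added example (not from the original notes) that decodes the Cap* bitmasks a process reports in /proc/<pid>/status, which is how you verify what a container process actually holds after Docker's default drops. The sample mask values are constructed, and the HIGH_RISK set is the author's own choice of capabilities to flag first in a review.

```python
"""Decode Linux capability masks from /proc/<pid>/status and flag risky ones."""
import re

# Capability names in bit order from <linux/capability.h> (bit 0 = CAP_CHOWN).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

# Assumption: these are the capabilities a reviewer wants to see first, since
# each one weakens the namespace/cgroup boundary in some way.
HIGH_RISK = {"sys_admin", "sys_module", "sys_ptrace", "sys_rawio",
             "net_admin", "dac_read_search", "bpf"}


def decode_mask(hex_mask: str) -> list[str]:
    """Turn a hex capability mask into the names of the set bits, in bit order."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def parse_status(status_text: str) -> dict[str, list[str]]:
    """Extract every Cap* line (CapInh, CapPrm, CapEff, CapBnd, CapAmb)."""
    sets = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", status_text, re.M):
        sets[m.group(1)] = decode_mask(m.group(2))
    return sets


def risky_caps(status_text: str) -> list[str]:
    """Return the HIGH_RISK capabilities present in the effective set."""
    return sorted(set(parse_status(status_text).get("CapEff", [])) & HIGH_RISK)


# Constructed sample: CapEff as seen under Docker's default capability set.
SAMPLE_DEFAULT = "CapEff:\t00000000a80425fb\n"
# Constructed sample: all 41 capability bits set, as a fully privileged root gets.
SAMPLE_PRIVILEGED = "CapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    # On a Linux host or inside a container, inspect the current process.
    with open("/proc/self/status") as f:
        own = f.read()
    print("effective:", parse_status(own).get("CapEff"))
    print("high-risk:", risky_caps(own))
```

Run it inside a container to see the reduced set; an empty high-risk list is what the default profile should give you.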
Runtimes
- LXC - tools, templates, and library and language bindings that use the kernel containment features directly - https://linuxcontainers.org/
libcontainer
- golang library created for docker that uses the kernel containment features
runc
- portable container runtime that implements the OCI spec, cli wrapper for libcontainer
High Levels
- Docker - container engine, used to use LXC but then switched to libcontainer/runc
- rkt - pod-native design that was built by CoreOS (no longer developed)
containerd
- daemon that manages the complete container lifecycle, from image transfer to exec to supervision. Used by kubernetes (k8s) and docker internally
CRI-O
- lightweight container engine specifically for kube, alternative to running kube