Docker interview questions
Question

How containers wo...

Answer

Containers work at a low level by leveraging specific features of the host operating system to provide isolation and resource management. Here’s a detailed explanation of how containers function at this level:

Namespaces

Namespaces are a feature of the Linux kernel that provide isolation for various aspects of a container's environment. They ensure that each container has its own isolated instance of global system resources. The key namespaces used in containers include:

  • PID Namespace: Isolates the process ID number space, ensuring that processes in different containers cannot see or interact with each other.
  • NET Namespace: Provides each container with its own network stack, including interfaces, IP addresses, routing tables, and so on.
  • MNT Namespace: Isolates the filesystem mount points, so each container can have its own root filesystem.
  • UTS Namespace: Isolates the hostname and domain name, allowing containers to have their own hostname.
  • IPC Namespace: Isolates inter-process communication resources, such as shared memory segments, message queues, and semaphores.
  • USER Namespace: Isolates user and group IDs, allowing containers to have different user IDs from the host system.

Control Groups (cgroups)

Control groups, or cgroups, are another feature of the Linux kernel that manage and limit the resources that a container can use. They allow the allocation of resources such as CPU, memory, disk I/O, and network bandwidth to specific groups of processes. This ensures that containers do not exceed their allocated resources and can help in maintaining system stability and performance.

Union File Systems

Union file systems (such as OverlayFS) are used to create the container's filesystem. They allow multiple layers to be stacked, where each layer represents a set of changes to the filesystem. This makes containers lightweight and efficient, as they can share common layers while maintaining their own unique changes.

Container Runtimes

Container runtimes are responsible for managing the lifecycle of containers. The most common low-level container runtime is runC, which is compliant with the Open Container Initiative (OCI) specifications. It handles the creation, starting, stopping, and deletion of containers by interfacing directly with the Linux kernel features mentioned above.

Containerd

Containerd is an industry-standard container runtime that provides a higher-level API for managing container lifecycles. It builds on top of runC and adds additional features such as image managem...
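Namespace isolation and cgroup membership are both visible from /proc, which is how a defender checks, from the host, which namespaces a process actually shares and which container it belongs to. The following is an added example (not code from the original page): it reads /proc/<pid>/ns/* link targets, compares namespace inode ids between two processes (equal ids mean no isolation for that resource), and extracts a Docker container id from cgroup v1 or v2 paths; the sample cgroup lines in the test are constructed.

```python
import os
import re
import subprocess

# The six namespace kinds discussed above, as exposed under /proc/<pid>/ns/.
NS_KINDS = ("pid", "net", "mnt", "uts", "ipc", "user")

def parse_ns_link(target):
    """Parse a /proc/<pid>/ns/<kind> link target such as 'pid:[4026531836]'."""
    m = re.fullmatch(r"(\w+):\[(\d+)\]", target)
    if not m:
        raise ValueError(f"unexpected namespace link: {target!r}")
    return m.group(1), int(m.group(2))

def read_ns_map(pid):
    """Return {kind: inode} for pid's namespaces (needs permission on /proc/<pid>/ns)."""
    ns_map = {}
    for kind in NS_KINDS:
        kind_read, inode = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
        ns_map[kind_read] = inode
    return ns_map

def shared_namespaces(a, b):
    """Namespace kinds in which two processes hold the same kernel namespace (same inode)."""
    return sorted(k for k in a if k in b and a[k] == b[k])

# Docker cgroup path shapes: v1 lines like '12:memory:/docker/<64 hex>',
# cgroup v2 lines like '0::/system.slice/docker-<64 hex>.scope'.
_CG_ID = re.compile(r"(?:/docker/|docker-)([0-9a-f]{64})")

def container_id_from_cgroup(cgroup_text):
    """Return the 64-hex Docker container id found in /proc/<pid>/cgroup text, else None."""
    for line in cgroup_text.splitlines():
        m = _CG_ID.search(line)
        if m:
            return m.group(1)
    return None

def process_report(pid):
    """Namespaces pid shares with this process, plus its Docker container id if any."""
    with open(f"/proc/{pid}/cgroup") as f:
        cgroup_text = f.read()
    return {
        "shared_with_self": shared_namespaces(read_ns_map(os.getpid()), read_ns_map(pid)),
        "container_id": container_id_from_cgroup(cgroup_text),
    }

if __name__ == "__main__":
    # A child we spawn ourselves shares all six namespaces with us; a process inside
    # a container inspected from the host would show few or none as shared.
    child = subprocess.Popen(["sleep", "5"])
    print(process_report(child.pid))
    child.terminate()
```

Run it on the host against a PID taken from `docker top <container>`: an unexpectedly long `shared_with_self` list (for example `net` or `pid` shared with the host) flags a container started with `--net=host`, `--pid=host`, or similar weakened isolation.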

expert

Suggested interview questions

junior

Can you remove (‘docker rm’) a container that is paused?

senior

How does virtualization work at a low level?

senior

How is Docker different from a virtual machine?

Comments

No comments yet