index.md (5444B)
1 +++ 2 title = 'Introduction' 3 +++ 4 # Introduction 5 ## What are containers? 6 Every time you create a new VM, you carry over a guest OS, which (a) consumes a lot of resources, and (b) is another attack surface for hackers. 7 8 In comparison, a container can be much smaller and lighter. 9 10 Containers vs virtual machines: 11 12  13 14 ## What features in Linux enable containers? 15 1. Control groups (cgroups): used to limit usage of resources by processes 16 - OOM killer kills processes when memory gets exhausted 17 - cgroups can be controlled with filesystem at `/sys/fs/cgroup` 18 - every PID represented once in each hierarchy 19 2. Namespaces: mechanisms allowing separation/isolation of resources that would otherwise be in global scope. can see them in `/proc/PID/ns`, or with `lsns` (in `util-linux` package) 20 - mount namespace 21 - interprocess communication (message queues, semaphores, shared mem) 22 - unix time sharing (isolates hostname and NIS domain name of a process) 23 - process ID (isolates process ID number space) 24 - network 25 - user ID 26 - control group 27 - time 28 3. Union filesystem: create union of the contents of different filesystems. used to isolate changes to container filesystem in its own layer, and avoid duplicating complete set of files every time you run an image as a new container. 29 30 31 ## Kubernetes 32 Distributed system, made of group of master nodes and one or more worker nodes, which run containers grouped in pods. 33 34 ## OCI: Open Container Initiative 35 Provides two specifications: 36 - container runtime specification: 37 - defines how: 38 - to download an OCI image 39 - to unpack that image into an OCI Runtime "filesystem bundle" 40 - the OCI Runtime runs the "filesystem bundle" 41 - image format specification 42 - defines how to create an OCI image, resulting in: 43 - image manifest: metadata about contents and dependencies of image 44 - filesystem (layer) serialization 45 - image configuration (app arguments, environments, etc.) 46 47 ## Container runtimes 48 Container Runtime Interface (CRI): lets a kubelet use different container runtimes without having to recompile. 49 50 Example runtimes: containerd, CRI-O, docker 51 52 ## Docker 53 ### Ecosystem 54 - Docker Engine: client-server app (server with daemon `dockerd`, APIs to talk to daemon, CLI client), swarm mode to natively manage a cluster of Docker Engines 55 - Docker Compose: tool to define and run multi-container Docker apps, using YAML files 56 - Docker Desktop: app that lets users build and share containerised apps 57 - Docker Hub: repo for container images 58 59 ### Engine architecture 60 61  62 63 ### Image architecture 64 Docker images have layers, and are built from declarative Dockerfiles. 65 Most commands in Dockerfile result in new layer being added. 66 After docker build the image, all layers are read-only. 67 When docker _runs_ the image, it adds a new writable layer, and any created/modified files are lost when the container stops. 68 69  70 71 Dockerfile: 72 - must begin with FROM statement, pulls base image from a registry 73 - every RUN statement executes series of commands that create new layer 74 - the COPY statement copies external files into container (also creates a layer) 75 - the EXPOSE statement indicates on which port to listen, but does not publish the port 76 - the CMD statement provides default command for container at runtime 77 78 ### Copy-on-Write (CoW) strategy 79 - read access: if layer needs read access to a file in lower layer, it uses the file directly 80 - write access: if a layer needs to modify file in lower layer, the file is copied into the layer that needs to use it, and then modified 81 - layer reuse: when you pull image from a repo, all layers are pulled separately, and if one already exists locally, it's used from the cache without pulling it again 82 83 ### Docker-compose 84 Lets you orchestrate multiple containers, including setup of networking between them. 85 Containers are described in docker-compose file, using YAML. 86 87 ### Persistent storage 88 You have a few options: 89 - volumes: 90 - stored in a part of the host FS which is managed by Docker (`/var/lib/docker/volumes/` on standard GNU/Linux) 91 - should not be modified by non-docker processes 92 - use `docker volume create`, or during `docker run`, or in a docker-compose file 93 - bind mounts: map folder on host to folder inside container 94 - can be stored anywhere on host FS 95 - can be modified by other processes 96 97 `tmpfs` is not persistent, only stored in memory. useful to temporarily store sensitive files. 98 99 ### Networking 100 By default, docker creates 3 networks: bridge, host, none. 101 When you start a container, it's attached to default bridge network. 102 103 Bridge default network: 104 - each container has its own IP address in subnet defined by default bridge network 105 - two containers refer to each other via IP 106 - not recommended for production 107 - inspect with `docker network inspect bridge` 108 109 User bridge networks: 110 - create with `docker network create <name>` 111 - uses different subnet: 172.22.0.0/16 112 113 Connect an existing container to a network with `docker network connect <network-name> <container-name>` 114 115 When containers are part of same user defined bridge network, they can refer to each other both via IP and via container name ("automatic service discovery"). 116 117 You can connect a container to the host network, at which point it's not isolated from the host network.