Containers sandbox

Introduction

traditional runtime env is a physical/virtual host; a container shares the host kernel and packages only the userspace (app + libs + config)

self contained: the image ships the app with its own libraries, so no dependency conflicts with the host or other apps

portable: the same image runs on any host with a compatible kernel and CPU architecture (Linux images need a Linux kernel, amd64 images don't run on arm64 without emulation)

OCI

Open Container Initiative (OCI) standardises the image format, the runtime interface (runtime-spec) and the registry/distribution API, so an image built with one engine runs in another (Docker, Podman, containerd, CRI-O)

Architecture

built on top of Linux kernel features, no hypervisor: every container shares the host kernel

namespaces (pid, net, mnt, uts, ipc, user, cgroup) give each container its own view of processes, network stack, mounts, hostname and IPC. This is isolation of visibility, not a security boundary on its own: a kernel bug, or a container running as root without a user namespace, can reach the host

cgroups limit and account CPU, memory, PIDs and I/O per container (quotas, not dedicated hardware); without limits one container can starve the host (fork bomb, memory exhaustion)

SELinux (or AppArmor) adds mandatory access control: container processes run with a label such as container_t and can only touch files labelled for that container, so a process that escapes its namespaces is still confined by the kernel's MAC policy

Container Images

Built from multiple read-only filesystem layers stacked on each other; each Dockerfile instruction that touches the filesystem adds a layer

Immutable: a running container gets a thin writable layer on top, the image layers are never modified; any change becomes a new layer in a new image (docker build / docker commit)

UnionFS (overlay2 on current Docker) merges the layers so the container sees one plain filesystem; a file in an upper layer shadows the same path in a lower one, deletions are recorded as whiteout entries

Put the content that changes most often (application source) in the top/last layers and the stable parts (base image, dependency install) below it, so docker build can reuse cached lower layers; a change to one layer invalidates the cache for every layer above it
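Toy model of the layer mechanics above, added here as an example (not Docker's own code): immutable layers merged bottom-to-top into a union view, container writes landing in a separate upper layer, and a docker-build-style cache that shows why the volatile COPY of the source belongs on top. The ".wh." whiteout prefix follows the OCI image-spec layer convention; the sample "Dockerfiles" and file contents are constructed.

```python
"""Toy model of layered container images: immutable read-only layers merged by a
union view, plus a Dockerfile-style build cache (added example, not Docker code)."""
import hashlib
from typing import Dict, List, Tuple

WHITEOUT = ".wh."  # OCI layer convention: ".wh.foo" in a layer deletes "foo" from the layers below


def union_view(layers: List[Dict[str, str]]) -> Dict[str, str]:
    """Merge layers bottom-to-top into the single filesystem a container sees."""
    merged: Dict[str, str] = {}
    for layer in layers:
        for path, content in layer.items():
            parent, _, name = path.rpartition("/")
            if name.startswith(WHITEOUT):
                merged.pop(f"{parent}/{name[len(WHITEOUT):]}", None)  # hide lower-layer file
            else:
                merged[path] = content  # an upper layer shadows the lower one
    return merged


def start_container(image: List[Dict[str, str]], writes: Dict[str, str]) -> Dict[str, str]:
    """Container writes go into a fresh upper layer; the image layers stay untouched."""
    return union_view(image + [writes])


def layer_digest(layer: Dict[str, str]) -> str:
    h = hashlib.sha256()
    for path in sorted(layer):
        h.update(f"{path}\0{layer[path]}\0".encode())
    return "sha256:" + h.hexdigest()


def build(steps: List[Tuple[str, Dict[str, str]]], cache: Dict[str, str]) -> Tuple[List[str], int]:
    """Build from (instruction, layer) steps, reusing `cache` the way docker build does.
    A step is a cache hit only if its parent image AND its own content are unchanged,
    so one modified step invalidates every step above it. Returns (image ids, hits)."""
    parent, hits, ids = "scratch", 0, []
    for instruction, layer in steps:
        key = f"{parent}|{instruction}|{layer_digest(layer)}"
        if key in cache:
            hits += 1
        else:
            cache[key] = hashlib.sha256(key.encode()).hexdigest()[:12]
        ids.append(cache[key])
        parent = cache[key]
    return ids, hits


# Constructed sample build steps: same content, different ordering.
BASE = ("FROM python:3.12-slim", {"/usr/bin/python3": "interpreter"})
REQS = {"/app/requirements.txt": "requests==2.32.0"}
DEPS = ("RUN pip install -r /app/requirements.txt", {"/usr/lib/python3/site-packages/requests": "2.32.0"})
SRC_V1 = {"/app/main.py": "print('v1')"}
SRC_V2 = {"/app/main.py": "print('v2')"}


def good_order(src: Dict[str, str]):
    """Stable layers first, volatile application source last."""
    return [BASE, ("COPY requirements.txt /app/", REQS), DEPS, ("COPY . /app/", src)]


def bad_order(src: Dict[str, str]):
    """Source copied before the dependency install: every source edit reinstalls deps."""
    return [BASE, ("COPY . /app/", {**REQS, **src}), DEPS]


def rebuild_hits(order) -> int:
    """Build v1, then rebuild after only main.py changed; return cache hits on the rebuild."""
    cache: Dict[str, str] = {}
    build(order(SRC_V1), cache)
    return build(order(SRC_V2), cache)[1]


if __name__ == "__main__":
    print("cache hits after a source change: good order", rebuild_hits(good_order),
          "/ bad order", rebuild_hits(bad_order))
```

With the good ordering a source edit rebuilds only the last layer (3 of 4 steps hit the cache); with the bad ordering the COPY step and every step above it, including the pip install, are rebuilt.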

Container Solutions

LXC (Linux Containers, the older system-container toolset Docker originally built on)

Podman (daemonless, rootless by default, Docker-compatible CLI)

[[Docker]]

2013: Docker made containers mainstream, largely thanks to the Dockerfile/image format and a public registry, Docker Hub

Networking

Ports

Each container gets an IP from the network it is attached to (default bridge: 172.17.0.0/16); that IP is only reachable from the host, so a service must be published to be reached from outside.

issue: publishing a port as -p 8080:8080 binds it on 0.0.0.0 (and :: for IPv6), i.e. on every host interface, and Docker inserts its own iptables rules for it, so host firewall rules on the INPUT chain (ufw etc.) do not protect it; prefer -p 127.0.0.1:8080:8080 to bind on loopback only

Even a loopback bind is not a firewall: hosts within the same L2 segment (for example, hosts connected to the same network switch) can reach ports published to localhost. For more information, see moby/moby#45610

DNS

Containers inherit the DNS settings of the host (its /etc/resolv.conf) by default. Nameservers on a loopback address (e.g. 127.0.0.53 from systemd-resolved) are unreachable from inside the container's network namespace, so Docker substitutes the host's upstream servers.

Containers DON'T inherit entries defined in the host's /etc/hosts; use --add-host host:ip in docker run to add container-specific entries.

Containers on a user-defined network use Docker's embedded DNS server (127.0.0.11 inside the container), which resolves container names and network aliases on that network and forwards everything else to the DNS servers configured on the host. On the default bridge there is no name resolution between containers.

Container's hostname defaults to its (short) container ID in docker, but can be overridden with --hostname.

DNS servers can be overridden per container with the --dns, --dns-search, --dns-opt flags on docker run (or for all containers via "dns" in /etc/docker/daemon.json).
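An audit over `docker inspect` output that checks the two points above: published ports bound to a wildcard address (the -p 8080:8080 problem from the Ports section) and the per-container DNS/hosts settings (--dns, --dns-search, --dns-opt, --add-host, --hostname). Added example for these notes, not a Docker tool; the JSON is a constructed sample shaped like `docker inspect`, and the embedded-DNS flag is an approximation derived from HostConfig.NetworkMode. In practice feed it `docker inspect $(docker ps -q)`.

```python
"""Audit container network exposure and DNS settings from `docker inspect` JSON
(added example, not a Docker tool). SAMPLE_INSPECT is a constructed sample."""
import json
from typing import Dict, List

WILDCARD_BINDS = {"", "0.0.0.0", "::"}  # what -p 8080:8080 binds to: every interface

SAMPLE_INSPECT = json.dumps([
    {   # published with -p 8080:8080 on the default bridge, no DNS overrides
        "Name": "/api",
        "Config": {"Hostname": "3f1c2a9b0d4e"},  # defaults to the short container ID
        "HostConfig": {
            "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]},
            "Dns": [], "DnsSearch": [], "DnsOptions": [], "ExtraHosts": [],
            "NetworkMode": "default",
        },
        "NetworkSettings": {"Ports": {"8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"},
                                                   {"HostIp": "::", "HostPort": "8080"}]}},
    },
    {   # published with -p 127.0.0.1:5432:5432 on a user-defined network, DNS overridden
        "Name": "/db",
        "Config": {"Hostname": "db"},                    # --hostname db
        "HostConfig": {
            "PortBindings": {"5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}]},
            "Dns": ["10.0.0.2"],                         # --dns 10.0.0.2
            "DnsSearch": ["corp.example"],               # --dns-search corp.example
            "DnsOptions": ["ndots:2"],                   # --dns-opt ndots:2
            "ExtraHosts": ["vault.internal:10.0.0.9"],   # --add-host vault.internal:10.0.0.9
            "NetworkMode": "backend",                    # --network backend
        },
        "NetworkSettings": {"Ports": {"5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}]}},
    },
])


def exposed_ports(container: dict) -> List[str]:
    """Published ports bound to a wildcard address, i.e. reachable from any interface."""
    findings = []
    for cport, binds in (container["NetworkSettings"].get("Ports") or {}).items():
        for b in binds or []:
            if b["HostIp"] in WILDCARD_BINDS:
                host = b["HostIp"] or "0.0.0.0"
                host = f"[{host}]" if ":" in host else host
                findings.append(f"{host}:{b['HostPort']}->{cport}")
    return findings


def dns_summary(container: dict) -> Dict[str, object]:
    hc = container["HostConfig"]
    mode = hc.get("NetworkMode", "default")
    return {
        "hostname": container["Config"]["Hostname"],
        "network": mode,
        # approximation: user-defined networks get the embedded resolver at 127.0.0.11,
        # the default bridge / host / none do not
        "embedded_dns": mode not in ("default", "bridge", "host", "none"),
        "dns": hc.get("Dns") or "inherited from host",
        "search": hc.get("DnsSearch") or [],
        "options": hc.get("DnsOptions") or [],
        "extra_hosts": hc.get("ExtraHosts") or [],  # host /etc/hosts is never inherited
    }


def audit_containers(inspect_json: str) -> Dict[str, dict]:
    """Return {container name: findings} for a `docker inspect` JSON array."""
    report = {}
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        report[name] = {"world_exposed": exposed_ports(c), **dns_summary(c)}
    return report


if __name__ == "__main__":
    for name, result in audit_containers(SAMPLE_INSPECT).items():
        print(name, json.dumps(result, indent=2))
```

A non-empty world_exposed list means the port is bound on every interface; a loopback bind clears it but, per moby/moby#45610, is still not a substitute for a host firewall.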