Containers
Containers are just a process (or a group of processes) running in isolation, which is achieved with Linux namespaces and control groups.
Linux namespaces and control groups are features that are built into the Linux kernel. Other than the Linux kernel itself, there is nothing special about containers.
Use Play-With-Docker Play-With-Docker, which is a website where we can run terminals directly from browser that have Docker installed.
Why Containers
- Portable
- Lightweight and fast
- Better Resource Utilisation
- Easy for developer operations interface
Each container has its own set of “namespaces” (isolated view)
1
2
3
4
5
6
7
PID - Process ID
USER - User and Group ID
UTS - hostname and domainname
NS - Mount point
NET - Network devices, stacks, port
IPC - Interprocess communication, message queue
cgroup - controls limit and monitoring of resources.
We use Docker, which has been the understood standard tool for using containers to build applications.
Docker provides developers and operators with a friendly interface to build, ship, and run containers on any environment.
1: Run our first container and learn how to inspect it. Explore the Docker Hub and discover common images ready to be run.
Run a container Use the Docker CLI to run first container.
Open a terminal and run this command:
& docker container run -t ubuntu top
We use the docker container run
command to run a container with the Ubuntu image by using the top command. The -t
flag allocates a pseudo-TTY, which you need for the top command to work correctly.
The docker run command first starts a docker pull to download the Ubuntu image onto your host. After it is downloaded, it will start the container. The output for the running container should look like this:
top
is a Linux utility that prints the processes on a system and orders them by resource consumption. Notice that there is only a single process in this output: it is the top process itself. You don’t see other processes from the host in this list because of the PID namespace isolation.
Containers use Linux namespaces to provide isolation of system resources from other containers or the host. The PID namespace provides isolation for process IDs. If you run top while inside the container, you will notice that it shows the processes within the PID namespace of the container, which is much different than what you can see if you ran top on the host.
Even though we are using the Ubuntu image, it is important to note that the container does not have its own kernel. It uses the kernel of the host and the Ubuntu image is used only to provide the file system and tools available on an Ubuntu system.
Inspect the container:
docker container exec
This command allows you to enter a running container’s namespaces with a new process.
Open a new terminal. To open a new terminal connected to node1 by using Play-With-Docker.com, click Add New Instance on the left and then ssh from node2 into node1 by using the IP that is listed by node1, for example:
In the new terminal, get the ID of the running container that you just created:
docker container ls
Use that container ID to run bash inside that container by using the docker container exec command. Because you are using bash and want to interact with this container from your terminal, use the -it flag to run using interactive mode while allocating a psuedo-terminal:
$ docker container exec -it 3592d1aff390 bash
You just used the docker container exec command to enter the container’s namespaces with the bash process. Using docker container exec with bash is a common way to inspect a Docker container.
Notice the change in the prefix of your terminal, for example, root@b3ad2a23fab3:/. This is an indication that you are running bash inside the container.
Tip: This is not the same as using ssh to a separate host or a VM. You don’t need an ssh server to connect with a bash process. Remember that containers use kernel-level features to achieve isolation and that containers run on top of the kernel. Your container is just a group of processes running in isolation on the same host, and you can use the command docker container exec to enter that isolation with the bash process. After you run the command docker container exec, the group of processes running in isolation (in other words, the container) includes top and bash.
From the same terminal, inspect the running processes:
$ ps -ef