Container management with Docker
Container Shipyard

© Lead Image © Ulrich Müller, 123RF.com
Docker is an economical alternative to conventional virtualization. Because each Docker container shares the underlying operating system, it enjoys the resource isolation and allocation benefits of VMs but is much more portable and efficient.
Rarely has such young software raised so much attention in such a short time as the Docker [1] container manager. Docker is one of the fastest growing open source developments in the history of free software. Released in March 2013, it made it to version 1.0 in June 2014 and was declared ready for production. In the same month, Docker was already part of Red Hat's RHEL 7 release. Further cooperative agreements exist with Canonical, openSUSE, CoreOS, VMware, IBM and others. Moreover, Docker is a member of Google's Kubernetes project [2].
The image associated with the name Docker sums it up: a ship (computer) is loaded with containers that you can stack, transport, isolate, and protect (Figure 1). Docker containers in IT are isolated virtual environments for isolated execution of processes and applications. Docker is currently used primarily for developing, testing, and deploying applications and can isolate them along with their dependencies in containers. These applications have practically no overhead and can run nearly as fast as native applications.

Unlike the well-known hypervisors [3] VirtualBox, VMware Workstation, HyperV, Parallels Desktop, or Xen, a Docker container doesn't need its own operating system. Each container uses the basic functions of its host system and is therefore self-sufficient and isolated from other containers. Only the host's kernel needs to match that of the guest.
The Basics
Docker uses the group (cgroup)
[4] and kernel namespace
[5] technologies. Namespaces serve to isolate and protect, whereas cgroups ensure that the container can use the resources selectively granted to it by the host. Until version 0.8 (1.3 is the current version) Docker also availed itself of the functions of Linux Containers (LXCs) [6] but eventually developed its own API named LibContainer
in version 0.9 that is also available to other projects.
Currently, Docker is mainly used as a Platform as a Service (PaaS) [7], but it is becoming quite suitable as a resource-friendly alternative to desktop virtualization (Figure 2). Graphical tools are being developed to handle containers, and I will present one of them, Panamax, later in this article as one of the first interfaces its kind.

The Components
The Docker system consists of three main components: a daemon, a client, and images. The daemon is responsible for orchestrating the containers; the client is what you use to control Docker with commands. The client and daemon can run on the same machine or the client can contact the daemon on a data center server or over the cloud. Docker images are the equivalent of virtual machines (VMs) for VirtualBox or appliances in VMware. Compared with these, Docker images are extremely space-saving, can be stacked, and can be versioned in a CVS [8].
The Docker hub is laid out as Software as a Service (SaaS) [9] and includes the repositories that now have around 15,000 complete image recipes (Figure 3). These are different from base images, which represent a base operating system along with related images containing one or more applications. Creating your own images isn't rocket science after a bit of training, but you need to know the command language of the distribution. An example would be to create an image using WordPress, PHP, MariaDB, SSH, or Nginx.
Overlaid Layers
Thanks to the overlay functions supplied by Aufs [10] or the Device mapper [11], Docker has an efficient back end to store the containers. Each container, to put it simply, is stored as a transparent layer. These functions are the same ones that allow us to seemingly write to a Live CD (Figure 4). Quite recently, Btrfs [12] has been playing a role as well with its snapshot function. Details on the different filesystem functions for storing and managing containers can be found in Red Hat's documentation for their Atomic [13] project, a container operating system [14] still being developed.
Before I start going into details, I'll clarify things a bit. A Docker image is just a read-only template, a kind of recipe. A base image [15] provides rudimentary operating system functions and can have a parent-child relationship with other images that interact with the base image on various layers. For example, this could be an ownCloud image, which I'll get to later.
As a rule, containers consist of several images that contain all the functionality and dependencies that the content of the container (an operating system, application, or service) needs at run time. The basic handling of Docker containers is through a command-line interface resembling Git [16] and is easy to learn. The "Containers, Images, and Docker Files" box provides more information on how things work.
Containers, Images, and Docker Files
To understand better how an image is created, look at the description of the ownCloud image in the Docker hub [17]. The Dockerfile
tab shows the important parts of the image. An image also includes licensing information and a README file that goes into specifics.
It's pretty clear what this image does and why it's a template. The FROM
line at the top identifies the base image being used – in this case, Debian Stable (Figure 5). When you download Dockerfile, each line beginning with RUN
is run in sequence. First, wget
is installed with an archive key, the ownCloud repository, and its dependencies.
The template then sets pre-installations of the Apache web server, which, in this case, is in the base image or needs to be installed later. You can then load this complete image into a container where the base image is also loaded. Containers are by default isolated through "deny all" policies and can't communicate with the outside world. If you do want this, use EXPOSE
parameters with port numbers to expose. The VOLUME
parameter allows connecting with the host's filesystems or another container at a specified location. Since Docker 1.2, the containers' rights and privileges can be controlled granularly [18] so that the combination of cgroups and namespaces can meet their full potential.
A container thus consists of a base operating system with apps and metadata added by users. The image tells Docker what the container should include and, where appropriate, what command is used for startup. In the simplest case the container starts right away with a shell, although far more complicated processes can occur, such as automated test runs.
Because images are read-only, Docker opens a layer for the containers with help from a Union filesystem, such as Aufs or Device mapper. These layers are writeable (wr
), and the application runs within them. If a change occurs, such as an update, another layer is applied. Instead of changing the entire image, changes at run time are integrated only when you convert the container into an image again using:
docker commit
Docker containers come two ways: interactively started or daemonized. If the container is to execute a predetermined sequence and then stop, start it interactively with:
docker run -t -i debian:sid </command_1;command_2>
A container started with
docker run -d debian:sid /bin/bash
waits in the background for input.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
News
-
Red Hat Migrates RHEL from Xorg to Wayland
If you've been wondering when Xorg will finally be a thing of the past, wonder no more, as Red Hat has made it clear.
-
PipeWire 1.0 Officially Released
PipeWire was created to take the place of the oft-troubled PulseAudio and has finally reached the 1.0 status as a major update with plenty of improvements and the usual bug fixes.
-
Rocky Linux 9.3 Available for Download
The latest version of the RHEL alternative is now available and brings back cloud and container images for ppc64le along with plenty of new features and fixes.
-
Ubuntu Budgie Shifts How to Tackle Wayland
Ubuntu Budgie has yet to make the switch to Wayland but with a change in approaches, they're finally on track to making it happen.
-
TUXEDO's New Ultraportable Linux Workstation Released
The TUXEDO Pulse 14 blends portability with power, thanks to the AMD Ryzen 7 7840HS CPU.
-
AlmaLinux Will No Longer Be "Just Another RHEL Clone"
With the release of AlmaLinux 9.3, the distribution will be built entirely from upstream sources.
-
elementary OS 8 Has a Big Surprise in Store
When elementary OS 8 finally arrives, it will not only be based on Ubuntu 24.04 but it will also default to Wayland for better performance and security.
-
OpenELA Releases Enterprise Linux Source Code
With Red Hat restricting the source for RHEL, it was only a matter of time before those who depended on that source struck out on their own.
-
StripedFly Malware Hiding in Plain Sight as a Cryptocurrency Miner
A rather deceptive piece of malware has infected 1 million Windows and Linux hosts since 2017.
-
Experimental Wayland Support Planned for Linux Mint 21.3
As with most Linux distributions, the migration to Wayland is in full force. While some distributions have already made the move, Linux Mint has been a bit slower to do so.