Describing Docker Containers
- A container is an emulation of an operating system
-
A container engine is an environment for deploying containerized applications
- Docker is an example of a container engine
- The container engine allocates cores and memory to containers
-
An image is a snapshot of a container
- A container is an instance of an image
- Specifically, a container is a running instance of an image
-
A Dockerfile is a file containing image-instructions
- Docker builds an image by reading the instructions from a Dockerfile
- These instructions provide the container engine information to create an image
-
The following analogy can be used to describe each component:
- A Dockerfile is the shopping list
- An image is the recipe
- A container is the cake
- Containers and virtual machines can be used together:
Use Cases of Docker Containers
-
Containers can perform a task independent of the host's OS
- Containers break down configuration into code
- Containers do this without the overhead of VMs
- This allows containers to be deployed quicker while consuming fewer resources
-
Containers can run many apps on a single server in isolation
- Specifically, containers perform isolation at the OS level
- Therefore, a single OS can run multiple containers
- This decreases overhead by providing additional processing power to applications
-
Containers create well-managed production environments
- Actually, they can enforce other environments as well (e.g. development environment)
- Code changes must travel through several different environments to reach deployment
- Each environment is different in comparison
- Containers provide a constant, isolated environment
- Meaning, code quickly travels down a pipeline from the development environment to the production environment
-
Containers can consolidate more servers
- Containers use less memory compared to VMs
- Therefore, they can consolidate more servers
- They decrease the number of required servers
- This decreases the hardware costs and server management time
-
Containers are portable environments
- Containers are a form of lightweight virtualization
- This makes them extremely portable
- Cloud service providers (e.g. AWS) champion containers due to their portability
- They can be run within cloud environments easily
Differentiating between Containers and VMs
- Containers emulate an OS, whereas VMs emulate hardware
- Containers are more lightweight compared to VMs
- Containers share a host OS in contrast to VMs
- Containers start up in milliseconds, whereas VMs start up in minutes
- Containers require less memory space compared to VMs
- Containers are slightly less secure compared to VMs
- Containers maintain process-level isolation, whereas VMs are fully isolated
Advantages of Virtualization via Containers
-
Cheaper hardware costs
- Due to server consolidation
- Enables concurrent software to take advantage of true concurrency in a multicore architecture
-
Reliability and robustness
- Enables software failover and recovery
- The modularity and isolation improves reliability
- If a container breaks, the entire machine doesn't break as well
-
Scalability
- A single container engine can manage very many containers
- This enables additional containers to be created as needed
-
Spatial isolation
- Support lightweight spatial isolation
- This is because containers are given their own resources
-
More Storage
- Containers do not emulate hardware
- This makes them so lightweight in terms of storage size
-
Increased performance
- Containers increase performance compared to VMs
- This is because containers do not emulate hardware
-
Real-time applications
- Containers provide more consistent timing than VMs
-
Continuous integration
- Containers support Agile and continuous development processes
-
Portability
- Containers support portability from development to production environments
- This is especially beneficial for cloud-based applications
-
Safety
- There are some safety benefits by localizing the impact of faults and failures to individual containers
-
Security
- The modular architecture increases the difficulty of attacks
- A container that is compromised can be terminated and replaced
Disadvantages of Virtualization via Containers
-
Shared resources
- Single points of failure exist
- Two applications running in the same container can interfere with each other
- Sofware running in different containers can interfere with each other
-
Interference Analysis
- Shared resources imply interference
- The number of interference paths increases rapidly as the number of containers increases
- This makes the exhaustive analysis of all such paths nearly impossible
-
Safety
- Spatial interference can cause memory clashes
-
Security
- Data stored in containers is insecure
- Container processes are insecure
- Privileges of container services are minimized
-
Container sprawl
- Excessive containerization is relatively common
- This can increase the amount of time and effort spent on container management
Caching Images in Docker
-
Docker images are cached on a machine once the image is built
- The image will be cached in
/var/lib/docker
- The image will be cached in
- The image won't be rebuilt, unless changes are made to the image
- If changes are made to the image, then Docker will rebuild it
- If only a few changes are made to the image, the rebuilding process won't take very long
- This is because Docker only needs to process those new instructions in the Dockerfile
- In other words, Docker will not process the unchanged instructions in the Dockerfile
- This is because those components are cached already
Mounting Host Directories to Containers
- Host directories can be copied to containers
- Changes to a copied host directory on a container will not carry over to the host machine
-
Host directories can be mounted to containers using:
- Bind Mounts
- Volumes
- With bind mounts, a file or directory on the host machine is mounted into a container
- With volumes, a new directory is created within Docker's storage directory on the host machine
- Therefore, Docker manages the content of that directory
- In other words, volumes are the preferred mechanism for persisting data on the host machine after the container is gone
- Host directories are copied when building an image
- Whereas, host directories are mounted when running a container
-
Mounting a host directory as a data volume:
-v [host_dir:container_dir]
-
Copying a host directory to an image:
COPY [host_dir]
Advantages of Volumes over Bind Mounts
- Volumes are easier to back up
- Volumes are easier to migrate
- Volumes can be managed using Docker CLI
- Volumes work on both Linux and Windows containers
- Volumes can be more safely shared among multiple containers
- Volume drivers allow storage of volumes on remote hosts or cloud providers
- Volume drivers allow encryption of volume contents
tldr
- A virtual machine emulates underlying hardware
- A container emulates an operating system
-
A container has the following use cases:
- Performing a task independent of the host's OS
- Running many apps on a single server in isolation
- Creating well-managed production environments
- Consolidating more servers
- Creating portable environments
- A container engine is an environment for deploying containerized applications
- An image is a snapshot of a container
- A Dockerfile is a file containing image instructions
References
- Details about Virtualization via Containers
- Details about Virtualization via Virtual Machines
- Difference between Docker Containers and Virtual Machines
- Difference between Docker Containers and Images
- Difference between Docker Volumes and Bind Directories
- Five Functions for Docker Containers
- Docker Volumes
- Details about the Dockerfile