The underlying technology that Docker (Linux container) relies on

Source: Internet
Author: User

1 Namespace

Namespaces provide PID isolation. With namespaces, the inside of a Docker container looks like a complete Linux world. From the host's point of view, a container process is just an ordinary host process; the namespace provides the PID mapping and the isolation effect. The host is to the container as a creator is to the paradise it has made.

2 Cgroups

In my other blog post, there is a detailed description of how Cgroup can isolate memory, CPU and IO rates, and cgroups

3 Chroot

Inside the container, the file system looks like a complete Linux system, with /etc, /lib and so on. This is implemented through chroot.

4 Veth

Running ifconfig inside the container shows an eth0 network card. How does it communicate? The host creates a virtual network card (VETH73F7) and bridges it with the network card inside the container. All traffic leaving the container goes out through this virtual network card on the host, and traffic entering the container takes the same path.

5 Union FS

For this kind of overlay file system, aufs is a very good implementation, and it ships with relatively recent Ubuntu releases. It performs copy-on-write at file granularity, which provides the technical basis for starting large numbers of containers instantly and also helps with continuous deployment. However, file-level copy-on-write brings a problem: when you modify a large file, the entire file has to be copied before it can be modified, and the efficiency is worrying.

6 Iptables, NetFilter

Mainly used for IP packet filtering. For example, it can implement policies such as: containers can communicate with each other, and a container cannot access the host network but can reach networks such as the Internet through the host's network card.

7 TC

Mainly used for traffic isolation and bandwidth limits.

8 Quota

Used to restrict the size of disk reads and writes. Unlike the blkio control in cgroups, quota limits the size of the space available to a user.

9 Setrlimit

setrlimit can limit the number of processes started in a container, the number of open files, and so on.
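The open-file limit described above, as an added example that is not part of the original post: a parent forks a child, caps the child's RLIMIT_NOFILE, and the child opens files until the kernel refuses with EMFILE. The function names and the choice of "/" as the file to open are assumptions made for this illustration.

```c
/* Added example: RLIMIT_NOFILE applied to a child before its workload runs. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Workload (hypothetical): open "/" until the kernel refuses.
 * Returns the highest fd granted, or -1 if the failure was not EMFILE. */
static int open_until_refused(void)
{
    int fd, highest = -1;
    while ((fd = open("/", O_RDONLY)) >= 0)
        highest = fd;
    return errno == EMFILE ? highest : -1;
}

/* Fork a child, cap its open-file limit, run the workload in it.
 * Returns the highest fd the child obtained (limit - 1 when the cap holds),
 * or -1 on error. limit must be 4..200 so the result fits an exit status. */
int highest_fd_under_limit(int limit)
{
    if (limit < 4 || limit > 200)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Close inherited descriptors above stdio so the result is stable. */
        for (int fd = 3; fd < limit; fd++)
            close(fd);
        struct rlimit rl = { .rlim_cur = (rlim_t)limit, .rlim_max = (rlim_t)limit };
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
            _exit(255);
        int highest = open_until_refused();
        _exit(highest < 0 ? 255 : highest);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;   /* the parent's own limit is unchanged */
}

int main(void)
{
    printf("limit 16 -> highest fd %d\n", highest_fd_under_limit(16));
    return 0;
}
```

RLIMIT_NOFILE is enforced per process and inherited across fork and exec, so it bounds each process started under it rather than the container as a whole.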

We hope to understand and explore each of these technologies more deeply. The above are some of the basic Linux container technologies. Docker has basically implemented the first five, with libcontainer as a layer of encapsulation on top of them. Docker still has some way to go before it is a complete, secure container technology. We look forward to its improvement, and this hottest open source technology of 2014 deserves more of our attention.
