1 Namespace
PID isolation in a Docker container is done with namespaces: inside the container, the process sees a complete Linux world of its own. From the host's point of view, the container process is just an ordinary host process; the namespace provides the PID mapping and the isolation effect. The host creates the container the way a creator creates a paradise.
2 Cgroups
In my other blog post there is a detailed description of how cgroups isolate memory, CPU and IO rates, and cgroups
3 Chroot
Inside the container, the file system looks like a complete Linux system, with /etc, /lib and so on; this is implemented with chroot.
</grreplace>
<gr_replace lines="8-8" cat="clarify" orig="container, the">
Inside the container, ifconfig shows an eth0 network card. How does it communicate? In fact, a virtual network card (veth73f7) is created on the host and bridged with the network card inside the container: all traffic leaving the container goes out through the host's virtual card, and traffic entering the container takes the same path.
4 Veth
container, the implementation of Ifconfig can see eth0 network card, how to communicate it? In fact, in the host virtual a network card out (VETH73F7), with the container in the network card to do the bridge, all the traffic from container out to host the virtual network card, into the container traffic is also the case.
5 Union FS
For this overlay file system a very good implementation is aufs, which newer Ubuntu releases ship out of the box. It does copy-on-write at file granularity, which is the technical basis for starting massive numbers of containers instantly and also helps with continuous deployment. File-granularity copy-on-write has a drawback, though: when you modify a large file, the entire file has to be copied before it can be modified, and the efficiency is worrying.
6 Iptables, NetFilter
Mainly used for IP packet filtering, for example policies such as: containers can communicate with each other; a container cannot access the host's network, but can reach external networks such as the Internet through the host's network card.
7 TC
Mainly used for traffic isolation and bandwidth limits.
8 Quota
Used to restrict disk read and write sizes. Unlike the blkio control in cgroups, quota limits the amount of disk space available to a user.
9 Setrlimit
Can limit the number of processes a container may run, the number of open files, and so on.
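As an added example (not code from the original post), the following C program shows the open-files side of the setrlimit mechanism described in section 9: it lowers the process's soft RLIMIT_NOFILE, confirms that open() is refused with EMFILE once the cap is reached, and shows that a forked child inherits the cap, which is how an init process confines everything started under it. The cap values and the /dev/null probe are assumptions of the example; it runs without privilege because a process may always lower its own soft limit.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lower only the soft RLIMIT_NOFILE to `cap`, saving the old limits in *old.
 * No privilege needed: a process may always lower its soft limit. */
static int lower_soft_nofile(rlim_t cap, struct rlimit *old) {
    struct rlimit lim;
    if (getrlimit(RLIMIT_NOFILE, old) != 0 || cap > old->rlim_max) return -1;
    lim.rlim_cur = cap;
    lim.rlim_max = old->rlim_max;
    return setrlimit(RLIMIT_NOFILE, &lim);
}

/* Apply the cap, then open /dev/null until the kernel refuses. Returns how
 * many opens fit (stdin/stdout/stderr already hold slots, so always < cap)
 * when the refusal was EMFILE, the per-process limit; -1 on any other error. */
int opens_under_cap(rlim_t cap) {
    struct rlimit old;
    int fds[256], n = 0, err = 0;
    if (cap > 256 || lower_soft_nofile(cap, &old) != 0) return -1;
    while (n < 256) {
        int fd = open("/dev/null", O_RDONLY);   /* constructed probe target */
        if (fd < 0) { err = errno; break; }
        fds[n++] = fd;
    }
    for (int i = 0; i < n; i++) close(fds[i]);
    setrlimit(RLIMIT_NOFILE, &old);   /* restore for the rest of the process */
    return err == EMFILE ? n : -1;
}

/* Limits survive fork(), which is how a container's init process confines
 * everything started under it. Apply the cap, fork, and have the child report
 * its own soft limit through its exit status (so keep cap < 256). */
long child_soft_limit(rlim_t cap) {
    struct rlimit old, mine;
    int status = 0;
    if (cap > 255 || lower_soft_nofile(cap, &old) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        getrlimit(RLIMIT_NOFILE, &mine);
        _exit((int)mine.rlim_cur);
    }
    if (pid > 0) waitpid(pid, &status, 0);
    setrlimit(RLIMIT_NOFILE, &old);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```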
I hope we will understand and explore every bit of this technology more deeply. The above are some basic Linux container technologies. Docker basically implements the first five, wrapped in a layer of encapsulation by libcontainer. To achieve a complete, secure container technology, Docker still has some way to go. I look forward to Docker's improvement; let's pay more attention to 2014's hottest open-source technology, Docker!