Basic Concepts: Containers, LXC, and Docker
To understand container technology, we have to start with Linux cgroups and namespaces, both of which are isolation concepts within the Linux kernel.
- Namespaces: A concept originally developed by IBM, a Linux namespace wraps a set of system resources and presents them to the processes within the namespace, making it look as if those resources are dedicated to them.
- Cgroups: Originally contributed by Google, cgroups is a Linux kernel concept that governs the isolation and usage of system resources, such as CPU and memory, for a group of processes. For example, if you have an application that takes up a lot of CPU cycles and memory, such as a scientific computing application, you can put the application in a cgroup to limit its CPU and memory usage.
Both namespaces and cgroups are resource management tools within Linux that help isolate system resources for processes. Together they form the foundation of modern-day virtual containers.
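Both mechanisms are visible from user space through /proc, which is how an operator can check whether a process is really isolated. The following Python script is an added example, not part of the original post: it reads the namespace inodes of a process from /proc/<pid>/ns and its cgroup membership from /proc/<pid>/cgroup, and compares two processes to find which namespaces they share (a process that shares its pid, net and mnt namespaces with PID 1 is running on the host, whatever it is called). It assumes a Linux host with /proc mounted; reading another process's namespace links needs ptrace-level access.

```python
from __future__ import annotations
import os
import re

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")
_NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")

def parse_ns_link(target: str) -> tuple[str, int]:
    """Parse a /proc/<pid>/ns/* link target such as 'pid:[4026531836]'
    into (namespace type, kernel inode number)."""
    m = _NS_LINK.match(target)
    if not m:
        raise ValueError(f"unexpected namespace link target: {target!r}")
    return m.group(1), int(m.group(2))

def namespace_inodes(pid: int | str = "self") -> dict[str, int]:
    """Return {ns_type: inode} for a process. Reading another process's
    links needs ptrace-level access, so unreadable entries are skipped."""
    inodes = {}
    for ns in NS_TYPES:
        try:
            target = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            continue
        inodes[ns] = parse_ns_link(target)[1]
    return inodes

def shared_namespaces(a: dict[str, int], b: dict[str, int]) -> set[str]:
    """Namespace types in which two processes hold the same kernel object.
    A 'container' whose pid, net and mnt inodes match PID 1's is not isolated."""
    return {ns for ns in a.keys() & b.keys() if a[ns] == b[ns]}

def parse_cgroup_file(text: str) -> dict[str, str]:
    """Map controller -> cgroup path from /proc/<pid>/cgroup text: v1 lines
    look like '12:memory:/path', the v2 line '0::/path' is keyed 'unified'."""
    mapping = {}
    for line in text.splitlines():
        if not line:
            continue
        hierarchy_id, controllers, path = line.split(":", 2)
        names = ["unified"] if hierarchy_id == "0" else controllers.split(",")
        for name in names:
            mapping[name] = path
    return mapping

if __name__ == "__main__":
    me, init = namespace_inodes(), namespace_inodes(1)
    print("namespaces shared with PID 1:", sorted(shared_namespaces(me, init)))
    with open("/proc/self/cgroup") as f:
        print("cgroup membership:", parse_cgroup_file(f.read()))
```

Run inside a container and again on the host: the container's process should share at most the user namespace with PID 1, and its cgroup path should sit under the runtime's slice rather than at the root.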
What is a container?
Virtual containers have roots in FreeBSD jails and Solaris Zones. But it was Linux Containers (LXC) that helped establish containers as a virtualization technology suitable for cloud data centers.
LXC is a Linux operating-system-level virtualization method for running multiple isolated Linux systems on a single host. The namespaces and cgroups features made Linux Containers possible.
Containers decouple applications from the operating system, which means that users can keep a clean, minimal Linux operating system and run everything else in some form of container. Also, because a container is a convenient unit for encapsulating a small application component, it has become the infrastructure of choice for building microservice applications, which enables a more manageable application infrastructure and continuous application delivery. Figure 1 shows a conceptual comparison between a monolithic application and a microservice equivalent developed with virtual containers.
Figure 1: Monolithic applications vs. containerized micro-service applications
Docker came along later. Originally it was a project to build single-application LXC containers. Since then, Docker has made several significant advances to the container concept, including moving away from LXC as the container format. Docker containers let users easily deploy, replicate, move, and back up a workload, thus giving cloud-like flexibility to any infrastructure capable of running Docker.
For these reasons, Docker is often credited as the development that led to the modern-day popularity of virtual containers. We’ll discuss why Docker is different from LXC a bit later in this post.
How are containers different from VMs?
Virtual Machines (VMs) virtualize hardware. Every guest VM includes a separate copy of an operating system on top of the host OS, but shares the host's hardware with the other VMs on the same host. Containers, however, virtualize the operating system: every container has its own CPU, memory, block I/O, network stack and so on, but shares the host's operating system with the other containers on the same host.
Figure 2 shows the difference between hypervisor-based virtualization versus container virtualization.
Figure 2: VMs vs. containers
- Still confused? This Containers 101 Chart may better explain the definition of containers and their differences from VMs.
- Watch Container Security vs. Virtual Machine Security and listen to our CTO John Morello go into detail about the security differences between containers and virtual machines.
- Read Container Whitepaper Chapter 2 to find out more about Docker and its components.
- Get The Ultimate Guide to Container Security and know the ins and outs on securing your container.