Running docker container internals - isolation visualization

A Docker container provides an isolated environment to an application using Linux namespaces and Linux control groups (cgroups). Setup-Docker-and-build-docker-image highlights how the underlying Linux kernel features, namespaces and cgroups, help to achieve that isolation.

In this article we visualize container isolation: what is the environment like inside the container? A container is a single isolated process running in the host OS, consuming only the resources that the app consumes and without the overhead of any additional processes.

Spawn a container from the Docker image created in Setup-Docker-and-build-docker-image. Use the following commands to check that no container is running, then execute the run command.

n0r0082@m-c02z31rnlvdt nodeJsApp % docker ps                                                    
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
n0r0082@m-c02z31rnlvdt nodeJsApp % 
n0r0082@m-c02z31rnlvdt nodeJsApp % 
n0r0082@m-c02z31rnlvdt nodeJsApp % docker run --name nodeapp-container -p 8080:8080 -d nodejsapp
5b348e44481592a7076b3d1ca6b40a156ef5bc044526b94e331babda1f23cc8a

The "docker ps" command indicates that no container is running. The "docker run" command runs a new container called nodeapp-container from the nodejsapp image. The container is detached from the console (-d flag), which means it runs in the background. Port 8080 on the local machine is mapped to port 8080 inside the container (-p 8080:8080 option).

The container is started from the image; now list the running containers using the "docker ps" command.

n0r0082@m-c02z31rnlvdt nodeJsApp % docker ps
CONTAINER ID   IMAGE       COMMAND         CREATED         STATUS         PORTS                                       NAMES
5b348e444815   nodejsapp   "node app.js"   7 minutes ago   Up 7 minutes   0.0.0.0:8080->8080/tcp, :::8080->8080/tcp   nodeapp-container

What the environment is like inside the container?

Isolated process namespace

Since we can't directly access the container from the host machine terminal, run a shell inside the container. We will run commands in the container shell to visualize how isolation is enforced. Execute "docker exec -it nodeapp-container bash" to run a bash shell in the container. The bash process has the same Linux namespaces as the main container process. This lets us explore the container from within and see how Node.js and our app see the system when running inside the container.

n0r0082@m-c02z31rnlvdt ~ % pwd
/Users/n0r0082
n0r0082@m-c02z31rnlvdt ~ % docker exec -it nodeapp-container bash
root@5b348e444815:/# 
root@5b348e444815:/# pwd
/
root@5b348e444815:/# 

The "pwd" command run in the host terminal prints "/Users/n0r0082", while "pwd" in the container bash prompt prints "/".

Run the "ps aux" command in the container bash to check the number of running processes, then run the same command in the host terminal to compare them. The container shell lists 3 processes, including app.js, and none of the processes of the host OS are visible. The host OS process count is 685 and the container process count is 5.


If you are running the Docker client on a Mac, you can also open a shell in the container from the UI and execute commands such as "ps aux":
1. Open the CLI terminal.
2. Run the command "ps aux".

A container’s processes run in the host OS (i.e. a process running in the container is also a process of the host OS). The command below, run from the terminal of the machine where the Docker daemon runs, gives the PID of the container's process as seen by the host OS.

$ ps aux | grep app.js

The same process has a different PID inside the container than on the host. The container uses its own PID Linux namespace and therefore has a completely isolated process tree with its own numbering sequence.
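The comparison this section does by hand, as an added script that is not part of the original post: it counts the processes the container sees, finds the app's PID on both sides, and checks whether the container's PID namespace really differs from the host's. It assumes a running container (default name nodeapp-container, from the post) whose main process is "node app.js", docker in PATH, and a Linux host with /proc; on Docker Desktop for Mac the daemon runs in a Linux VM, so the "host" PID is that VM's and the /proc check is skipped.

```shell
#!/bin/sh
# Added example (not from the post): compare the process view inside a container
# with the host's view. Assumes a running container (default: nodeapp-container)
# whose main process is "node app.js", docker in PATH, and a Linux host with /proc.
set -eu

CONTAINER="${1:-nodeapp-container}"

# Count the processes in a "ps aux" listing, skipping the header line.
count_procs() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Print the PID column of the first "ps aux" row whose COMMAND contains $2.
pid_of() {
    printf '%s\n' "$1" | awk -v pat="$2" 'NR > 1 && index($0, pat) { print $2; exit }'
}

# Two "readlink /proc/<pid>/ns/pid" results (e.g. "pid:[4026531836]") name
# the same PID namespace only when they are identical.
same_ns() { [ "$1" = "$2" ]; }

# Constructed sample of what "ps aux" shows inside such a container: the app is
# PID 1 because the container has its own PID namespace with its own numbering.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root   1 0.0 0.1 600000 40000 ?     Ssl 10:00 0:00 node app.js
root  12 0.0 0.0   4000  3000 pts/0 Ss  10:05 0:00 bash
root  20 0.0 0.0   7000  2500 pts/0 R+  10:06 0:00 ps aux'

echo "sample: $(count_procs "$SAMPLE_PS") processes, app.js is PID $(pid_of "$SAMPLE_PS" 'node app.js')"

# Live comparison, only when the container is actually running.
if docker inspect "$CONTAINER" >/dev/null 2>&1; then
    inside=$(docker exec "$CONTAINER" ps aux)
    host_pid=$(docker inspect --format '{{.State.Pid}}' "$CONTAINER")
    echo "inside container: $(count_procs "$inside") processes, app.js is PID $(pid_of "$inside" 'node app.js')"
    echo "host view: $(ps aux | wc -l) lines in ps aux, app.js is PID $host_pid"
    if [ -r /proc/self/ns/pid ]; then
        host_ns=$(readlink /proc/self/ns/pid)
        ctr_ns=$(readlink "/proc/$host_pid/ns/pid" 2>/dev/null) || ctr_ns=unreadable
        if same_ns "$host_ns" "$ctr_ns"; then
            echo "WARNING: container shares the host PID namespace (e.g. --pid=host)"
        else
            echo "host $host_ns vs container $ctr_ns: separate PID namespaces"
        fi
    fi
else
    echo "container $CONTAINER not running; skipped live comparison" >&2
fi
```

Reading /proc/<pid>/ns/pid of another user's process needs root, so run the script with sudo on the host for the namespace check to succeed.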

Isolated filesystem

Like the isolated process tree, each container also has an isolated filesystem.

  • Listing the contents of the root directory inside the container shows only the container's files: all the files in the image plus any files created while the container is running.
  • Run the "ls" command from both the container CLI and the host terminal; the files present and their count differ.


An application running within a container sees not only its own unique filesystem, but also its own processes, users, hostname, and network interfaces.


Reference: Kubernetes in Action By Marko Lukša
