Understanding the Docker Desktop Architecture and Linux Building Block for Containers
Last Updated :
12 Dec, 2023
In this article we are going to do a technology deep dive and start understanding the foundational Linux kernel features that software like Docker is using to make the containers work and provide those isolated environments that we all use. then towards the end of this section, we'll also take a look at the docker system architecture.
The building blocks of containers
There are three technologies that make up the core of a container.
- Namespaces
- Control groups
- Union file systems
Namespaces
The technical definition of Namespaces - "A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. Changes to the global resource are visible to other processes that are members of the namespace but are invisible to other processes."
Now simpler terms Namespaces are a way, or a mechanism used to wrap any global system resource such that the processes that are running within the namespace thinks that they have their own isolated instance of that resource, and they cannot see things happening outside of their own instance. Its just like the processes do not know what's happening outside the namespace, they are only worried about what's confined inside that particular namespace.
For example, there is a namespace called PID, the full form is Process ID namespace. The PID namespace is isolated within a container such that within the PID namespace, the process you will run will appear to be process ID number one even though there may be tons of other processes running on the host. From inside the container, we don't know anything about those host processes, and we essentially think that we are the only thing running in this system.
C groups or Control groups
The technical definition of Control groups - "a Linux kernel feature which allow processes to be organized into hierarchical groups whose usage of various types of resources can then be limited and monitored."
C groups are a Linux kernel feature that allows us to organize our processes into groups which we can then limit and monitor access to certain resources. The reason why C groups are important is that it allows us to avoid something called a "Noisy Neighbor" problem where one application is very resource hungry, and it starves the other applications of resources. By using c groups, we can isolate them from a performance perspective.
Union Mount Filesystems (OverlayFS)
The Technical definition of Union Mount Filesystems - "Union Mount Filesystems (overlayfs) allows files and directories of separate file systems, known as branches, to be transparently overlaid, forming a single coherent file system. Contents of directories which have the same path within the merged branches will be seen together in a single merged directory, within the new virtual filesystem."
OverlayFS is an example of Union Mount Filesystems that Docker uses. It allows you to take separate file systems and combine them into a unified view that you can then operate on. Let's understand this with the help of an example:
So in the image you can see we have a lower file system and an upper file system with various files. We have got file - 1, file -2b and file - 4 in the lower layer. And in the upper layer we have a different file that is file - 3 and then we also have a deleted file file - 4. When we combined these layers into the overlay we ended up with a combination of those two things where the upper layer takes precedence over the lower layer and so we have file - 1, file - 2b and file - 3.
While namespaces and C groups are sort of what make containers possible. This concept of a union map file system is what makes containers practical. Because of this layered approach we are able to share lower layers and cache those layers such that the amount of data that needs to be transferred and stored for container images is much smaller. This is because many images can share a common lower layer and then only some subset of the upper layers can be modified which enables us to move less data when we need to get a container image onto a system and allocate less space if we're running multiple copies of the same container.
Docker Desktop Architecture
This is a diagram of the Docker desktop application. On the left hand side is the client application which is the thing that we will be interacting with. In the client application there is are number of elements:
The Docker CLI: Whenever you are going to the command line and typing Docker run or Docker pull you are interfacing with that Docker CLI.
The Docker GUI: There is also a graphical user interface which is useful for browsing the images we have on your system. You can also do things like configure how much CPU and memory and disk space the docker application has access to.
Docker credential Helper: Registry is a place where we can store we can push images to and pull images from and in order to have a private registry you need some way to log in. So the docker credential helper is a mechanism to help store the necessary credentials to do the authentication for that.
Extensions: Extensions are a relatively new feature of Docker that are third-party pieces of software that plug into the client and provide additional functionalities to the user.
When you install Docker desktop on your system it also creates a Linux virtual machine. For Mac OS Docker uses a hypervisor and installs a Linux virtual machine and then within that virtual machine it sets up two things - it sets up the server host application and that is known as the docker Daemon or Docker D that exposes the Docker API. When someone executes a command from the command line that command gets passed to the Docker Daemon which is listening via that Docker API and then it executes whatever the command is specifying within that server host application.
Then there is an optional Kubernetes cluster that gets configured and installed within that virtual machine. This can be a nice to have if you are developing for Kubernetes. You can leverage that cluster directly without having to install and configure a separate cluster.
And then finally we have Registry, it is a place to store container images and share those container images with a team or with the world or with wherever you are deploying your containers to. For example, Docker Hub. Docker Daemon when it needs to get an image that it is not building locally, it will go to some registry like Docker Hub and pull that image into the host environment.
Docker Desktop walkthrough
In this section we will go through the Docker Desktop application and understand how to use it to work with containers. Firstly you can download Docker Desktop from the Docker official website. You will automatically get Docker upon installing the Docker Desktop.
When you open the Docker Desktop application, In the top left corner you will see a similar interface:
This is where you can select if you want to work on Images or Containers or any other component. Let's discuss how we can run containers, stop them and delete the container Images from the Docker Desktop interface:
Running a Container Image:
For running a Container image, select the Images section in the top left corner and you will get a list of Container Images. You can simply run the container image you want to run by clicking on the run button corresponding to it:
You will See that the Nginx container starts running:
If you have the Container image locally, you can also go to the Docker Hub in the Application it finds the container image there.
Stopping a Container
Again, stopping a container is very straight forward in the Docker Desktop UI. Firstly, go to the Containers section where you will see a list of running or stopped Containers. You can simply click on the stop button (the run button will be converted to the stop button once the Container is running).
Once you click the stop button. The Container will be stopped and the status instead of Running will say Exited:
Deleting the Container Image
For deleting the Container Image, you can simply go to the Images section and click on the Delete button.
It will ask you if you wish to Delete the image forever, if yes, the image will be removed from the memory.
Conclusion
We started out with the building blocks of containers which are Namespaces, Control groups and Union file systems. In summary, Namespaces are mechanism used to wrap any global system resource such that the processes that are running within the namespace thinks that they have their own isolated instance of that resource. Control groups are also similar to this but we use control groups for explicitly giving the control of certain resources to the processes.
Union Mount Filesystems for example OverlayFS, allows us to take separate file systems and combine them into a unified view that we can then operate on. And towards the end of the article, we discussed the Architecture of Docker Desktop.
Similar Reads
Building Lightweight Containers Using Alpine Linux and Docker Microservices is a category of architecture that allows small services to communicate over the network independently. Since it is a decentralized architectural style, each service has its own functionality, and if any service fails the rest of the services work uninterrupted. Now to host these servi
5 min read
Building Docker Development Environments: Benefits and Challenges In software development, setting up consistent and reproducible development which makes modularity also needs the environment which is the most crucial aspect of sustainable development in the application development world. Traditionally, developers faced challenges like environment configuration di
7 min read
Why do we need containers ? Need of containerization and the OCI. Docker and containerization have been the base for modern-day applications and DevOps. But do you also wonder why containers exist? and why a product like Docker has been so successful. In this article, we are going to discuss the motivation behind a tool like Docker why the developers felt the need
9 min read
Difference between Docker Image and Container Pre-requisite: Docker Docker builds images and runs containers by using the docker engine on the host machine. Docker containers consist of all the dependencies and software needed to run an application in different environments. What is Docker Image?The concept of Image and Container is like class
5 min read
How to Use Docker For Cross-Platform Containerization with Docker Buildx? Docker has completely modified the manner in which software program is evolved and deployed, with the aid of introducing containerization generation. In order to package programs with their dependencies and make certain consistency of conduct across many contexts, packing containers offer a compact
7 min read
Docker vs. CRI-O: Comparing Container Runtimes When there are so many changes happening continuously in the containerization world, selecting the proper container runtime platform is vital for performance, security, and smooth operations. Some of the well-known container runtimes are Docker and CRI-O running in the market. The following article
9 min read