Containers are an operating system-level isolation mechanism for running processes and other system resources from other containers and the base system.
Containers are not conceptually new, dating back to around the 1970s, but they gained rapid adoption starting in 2012 when several Linux distributions began integrating containers tools generally made it more practical to use them. Previously, to use containers a developer would need to use a less common operating system or distribution customized with some sort of virtual machine feature. Using containers was basically not supported in typical deployment scenarios.
The following resources do a great job of explaining where the containers concept came from, how they differ from virtual machines and why they are useful.
The Missing Introduction To Containerization
truly grants what its title sets out to do: give a wide-ranging overview
and history of container concepts and tools. The post is dense but well
worth the read to start learning about chroot
, Solaris zones, LXC,
Docker and how they've influenced each other throughout
the past 40 years.
A brief history of containers has some solid context for why containers have taken off in the last several years, including the integration of operating system container virtualization in most distributions as well as the creation of management tools such as Docker, Kubernetes, Docker Swarm and Mesosphere.
Setting the Record Straight: containers vs. Zones vs. Jails vs. VMs compares and contrasts the designs of Linux containers, zones, jails and virtual machines. Containers typically take advantage of primitives but are more complicated because they have more individual parts put together while zones and jails are designed as top-level operating system components. There are advantages and disadvantages of these approaches that you should understand as you use each one.
Containers and Distributed Systems: Where They Came From and Where They’re Going is an interview that digs into the past, present and future of containers based on the experience of Chuck McManis who has worked on building jails and other process isolation abstractions into operating systems.
Linux containers in a few lines of code
shows how containers work by providing some code to run a busybox
Docker image but without using docker. It then explains what's
happening under the hood as you run basic commands such as /bin/sh
.
A Practical Introduction to Container Terminology has both some solid introductory information on containers as well as a good description of terms such as container host, registry server, image layer, orchestration and many others that come up frequently when using containers.
Containers from scratch
explains how Linux features such as cgroups
, chroot
and namespaces
are used by container implementations.
Container networking is simple shows that container networking is nothing more than a simple combination of the well-known Linux facilities such as network namespaces, virtual Ethernet devices (veth), virtual network switches (bridge) and IP routing and network address translation (NAT).
Running containers without Docker reviews a migration path for an organization that already has a bunch of infrastructure but sees advantages in using containers. However, the author explains why you can use containers without Docker even if you eventually plan to use Docker, Kubernetes or other container tools and orchestration layer.
Datadog's 2020 Container Report contains some interesting statistics about container usage across their customer base, such as Kubernetes adoption and container deployments by cloud platform.
mocker is a Docker imitation open source project written in all Python which is intended for learning purposes.
You can get started using containers once you understand some of the terminology and work through a couple of introductory tutorials like the ones listed above. Check out the below resources when you want to do more advanced configurations and dig deeper into how containers work.
Linux containers in 500 lines of code is a bonkers in-depth post about building your own simplified, but not simple version of Docker to learn how it works.
A Comparison of Linux Container Images presents data on many of the frequently-used base container images.
7 best practices for building containers provides Google's recommendations for creating containers such as include only a single application per container, make sure to use descriptive tags and build the smallest image size possible.
Building healthier containers examines how Docker containers are different from virtual machines and digs into dependencies that can be included in your container image if you do not know how to properly build them.
Containers patterns covers common usage patterns that have developed now that containers have been in development workflows for a few years.
Container security is a hot topic because there are so many ways of screwing it up, just like any infrastructure that runs your applications. These resources explain security considerations specific to containers.
A Practical Introduction to Container Security examines security at build time for projects and how to minimize the risk of supply chain attack. It then goes into infrastructure and runtime security where you need to understand different attack vectors and minimize malicious attempts against your containers during these phases..
Building Container Images Securely on Kubernetes discusses some of the issues with building containers and why the author created img as a tool to help solve the problems she was seeing.
Making security invisible is a great presentation that covers sandboxes, Seccomp and other concepts for isolating potentially unsafe code to limit attack scope.
10 layers of Linux container security explains many of the attack vectors you need to be aware of when you are working with containers.