112

"docker" is a buzz word these days and I'm trying to figure out, what it is and how does it work. And more specifically, how is it different from the normal VM (e.g. VirtualBox, HyperV or WMWare solutions).

The introduction section of the documentation (https://docs.docker.com/get-started/#a-brief-explanation-of-containers) reads:

Containers run apps natively on the host machine’s kernel. They have better performance characteristics than virtual machines that only get virtual access to host resources through a hypervisor. Containers can get native access, each one running in a discrete process, taking no more memory than any other executable.

Bingo! Here is the difference. Containers run directly on the kernel of hosting OS, this is why they are so lightweight and fast (plus they provide isolation of processes and nice distribution mechanism in the shape of docker hub, which plays well with the ability to connect containers with each other).

But wait a second. I can run Linux applications on windows using docker - how can it be? Sure, there is some VM. Otherwise we would just not get job done...

OK, but how does it look like, when we work on Linux host??? And here comes real confusion... there one still defines OS as a base image for every image we want to create. Even if we say "FROM scratch" - scratch is still some minimalistic kernel... So here comes

QUESTION 1: If I run e.g. CentOS host, can I create the container, which would directly use kernel of this host operating system (and not VM, which includes its own OS)? If yes, how can I do it? If no, why the documentaion of docker lies to us (as then docker images always run within some VM and it is not too much different from other VMs, or ist it?)?

After some thinking about it and looking around I was wondering, if some optimization is done for running the images. Here comes

QUESTION 2: If I run two containers, images of both of which are based on the same parent image, will this parent image be loaded into memory only once? Will there be one VM for each container or just one, which runs both containers? And what if we use different OSs?

The third question is quite beaten:

QUESTION 3: Are there somewhere some resources, which describe this kind of things... because most of the articles, which discuss docker just tell "it is so cool, you must definitely use ut. Just run one command and be happy"... which does not explain too much.

Thanks.

Dmitrii Semikin
  • 2,134
  • 2
  • 20
  • 25
  • 2
    https://stackoverflow.com/questions/16047306/how-is-docker-different-from-a-normal-virtual-machine – Grimmy Jul 18 '17 at 21:48
  • Thanks for the link (which is direct answer to the questions 3 and implicitly for 1 and 2). To summarize answers for questions 1 and 2: seemingly on Linux there is no VM. Instead linux kernel is shared and using layered FS one can incrementally build on top of it (at this point I was confused by possibility to use different distros which share the same kernel)... – Dmitrii Semikin Jul 18 '17 at 22:18
  • Two follow up questions: 1. How kernel version matching is done? If I run docker on the host with not the latest kernel and then try to run there software which uses capabilities of the latest kerenl, what will happen? 2. Question 2 (from the original question) is still valid for windows: how many VM instances is running? Is it single instance for all Docker containers or is it new VM instance for every container? – Dmitrii Semikin Jul 18 '17 at 22:21
  • @DmitriiSemikin 1. It will break; it's running on an older kernel. 2. Generally, it's a single VM instance for all containers. – cjs Mar 23 '18 at 12:26
  • @DmitriiSemikin Actually, I've edited my answer to include more detailed answers to your follow-up questions. But it would be a good idea to edit your question to include the follow-up questions as well, so people don't miss them. – cjs May 07 '19 at 15:00
  • I found [this question](https://serverfault.com/questions/755607) and its [top answer](https://serverfault.com/a/755616/568526) helpful. – Venryx May 12 '21 at 10:43

4 Answers4

85

Docker "containers" are not virtual machines; they are just regular processes running on the host system (and thus always on the host's Linux kernel) with some special configuration to partition them off from the rest of the system.

You can see this for yourself by starting a process in a container and doing a ps outside the container; you'll see that process in the host's list of all processes. Running ps in the containerized process, however, will show only processes in that container; limiting the view of processes on the system is one of the facilities that containerization provides.

The container is also usually given a limited or separate view of many other system resources, such as files, network interfaces and users. In particular, containerized processes are often given a completely different root filesystem and set of users, making it look almost as if it's running on a separate machine. (But it's not; it still shares the host's CPU, memory, I/O bandwidth and, most importantly, Linux kernel of the host.)

To answer your specific questions:

  1. On CentOS (or any other system), all containers you create are using the host's kernel. There is no way to create a container that uses a different kernel; you need to start a virtual machine for that.

  2. The image is just files on disk; these files are "loaded into memory" in the same way any files are. So no, for any particular disk block of a file in a shared parent image there will never be more than one copy of that disk block in memory at once. However, each container has its own private "transparent" filesystem layer above the base image layer that is used to handle writes, so if you change a file the changed blocks will be stored there, and will now be separate from the underlying image that that other processes (who have not changed any blocks in that file) see.

  3. In Linux you can try man cgroups and man cgroup_namespaces to get some fairly technical details about the cgroup mechanism, which is what Docker (and any other containerization scheme on Linux) uses to limit and change what a containerized process sees. I don't have any other particular suggestions on readings directly related to this, but I think it might help to learn the technical details of how processes and various other systems work on Unix and POSIX systems in general, because understanding that gives you the background to understand what kinds of things containerization does. Perhaps start with learning about the chroot(2) system call and programming with it a bit (or even playing around with the chroot(8) program); that would give you a practical hands-on example of how one particular area of containerization.

Follow-up questions:

  1. There is no kernel version matching; only the one host kernel is ever used. If the program in the container doesn't work on that version of that kernel, you're simply out of luck. For example, try runing the Docker official centos:6 or centos:5 container on a Linux system with a 4.19 or later kernel, and you'll see that /bin/bash segfaults when you try to start it. The kernel and userland program are not compatible. If the program tries to use newer facilities that are not in the kernel, it will similarly fail. This is no different from running the same binaries (program and shared libraries!) outside of a container.

  2. Windows and Macintosh systems can't run Linux containers directly, since they're not Linux kernels with the appropriate facilities to run even Linux programs, much less supporting the same extra cgroup facilities. So when you install Docker on these, generally it installs a Linux VM on which to run the containers. Almost invariably it will install only a single VM and run all containers in that one VM; to do otherwise would be a waste of resources for no benefit. (Actually, there could be benefit in being able to have several different kernel versions, as mentioned above.)

cjs
  • 25,752
  • 9
  • 89
  • 101
  • `So when you install Docker on these, generally it installs a Linux VM on which to run the containers.`, is there a command to look for which Linux VM(kernel) docker has installed on HOST macOS or windowsOS? – Anu Apr 20 '22 at 01:40
39

Docker does not have an OS in its containers. In simple terms, a Docker container image just has a kind of filesystem snapshot of the linux-image the container image is dependent on.

The container-image includes some basic programs like bash-shell, vim-editor etc to facilitate developer to work easily with the Docker image. Also, Docker images can include pre-installed dependencies like nodeJS, redis-server etc as we can find on Docker Hub.

Docker behind the scene uses the host OS which is linux itself to run its containers. The programs included in linux-like filesystem snapshot that we see in form of Docker containers actually runs on the host OS in isolation.

The container-images may sound like different linux distros but they are the filesystem snapshot of those distros. All Linux distributions are based on the same kernel. They differ in the programs, tools and dependencies that they ships with.

Also take note of this comment [click]. It is very much relevant to this question.

Hope this helps.

TAbdiukov
  • 1,185
  • 3
  • 12
  • 25
bluelights
  • 1,086
  • 8
  • 12
  • Wrong! Docker runs on windows as well which is not linux. So, the host OS can be Windows too. – dpaks Jul 20 '20 at 05:51
  • 2
    Sorry but you are saying 'wrong' in entirely different context. Yes, It runs on windows host but the question is about wether it has a OS running inside the container or not and not outside of the container. Can you please check the link provided in the answer above? It might help you. The link will redirect you to another answer I posted. I just provided the link instead of pasting the answer here to avoid duplication. – bluelights Jul 21 '20 at 06:34
  • 1
    Read the docker container section in this paper. It is just 3 paragraphs, https://arxiv.org/pdf/1501.02967.pdf. – Harsh Nagarkar Dec 08 '20 at 07:48
  • @dpaks To run Docker on Windows you must first install the Windows Subsystem for Linux (WSL). – intrepidis Apr 18 '21 at 09:02
  • I have a follow-up question after reading your reply. If containers can use host OS resources, why bother include things such as vi/bash/etc. which are usually universal available in all Linux distros? And as containers rely on host OS, host can definitely see through it (as we can use `ps` to investigate the processes in the containers). Thanks! – Nicholas Humphrey Jun 28 '23 at 03:58
26

It's now long time since I posted this question, but it seems, like it still get hits... So I decided to answer it - in fact mainly the question, which is in the title (the questions in the text are carefully answered by Curt J. Sampson).

So, the discussion of the "main" question: if containers are not VMs, then why do we need VMs for them?

As you may guess, I am working on windows (on Linux this question would not emerge, because on Linux one does not need VMs for docker).

The reason, why we need a VM for containers in Winodows is pretty obvious (probably this is the reason, why nobody mentions it explicitly). As was already mentioned here and it many other FAQs, containers reuse kernel and some other resources of the hosting OS. Taking into account, that most of the containers available out there are based on Linux, one may conclude, that those containers need host OS to provide Linux kernel for them to run. Which is not natively easy on Windows (I am not sure, may be it is now possible with Linux subsystem). This is why on Windows we need one VM, which runs Linux and docker service inside this VM. And then, when we start the containers, they are also started inside this VM (and reuse the resources of its Linux OS). All the containers run inside the same VM. Getting a bit more technical: by default docker uses Hyper-V to run this linux VM, but one can also use Docker-Toolbox, which uses Oracle VirtualBox. By the way, VM can be freely seen in the Virtual Box interface. Nice part is that Docker (or Docker toolbox) takes care about managing this VM and we don't need to care about it.

Now some bonus question, which that time confused me even more. One may think: "Ok, it is clear now. If we run Linux container on Winodws OS, then we need Linux kernel and thus need VM with Linux. But if we run Windows container on Windows (by the way, it exists), then VM should not be needed, right?..." Answer: "wrong" (or almost wrong). :) The problem is, that the Windows based containers (at least those, which I saw) use windows server kernel, which is not available e.g. in Windows 10. Thus one still need VM with special version of Windows Server running on it. In fact MS even created special version of Windows Server, which can be run on VM for development purposes free of charge specifically to enable development of Windows-Server based containers. If my understanding is correct, those containers should be possible to run without VM on Windows Server. I should admit, that I never checked it though.

I hope, that this messy explanation may help someone to better understand the topic.

Dmitrii Semikin
  • 2,134
  • 2
  • 20
  • 25
  • Thanks for your answer. F.e. when I want a docker with postgreSQL, the dockerfile always has a FROM with debian or alpine. So it is using a Linux OS and it isn't running on the OS/kernel of the host! It is probably quicker than running a full VM, but it clearly is a lot slower than natively installing and running postgreSQL. Alright... "Containerized software will always run the same, regardless of the infrastructure" but it will NOT run on the OS/kernel of the host! And the latter is probably one of the biggest reasons why you would choose for docker or a container in the first place. – Matti VM Feb 27 '20 at 13:41
  • 4
    @MattiVM: If you want to use Docker in production in linux-based containers (which is almost always the case), then you should use Linux hosts and then containers _do_ use the resources of the host OS. In my perception use of Docker on Windows (especially non-server) is useful for development or to try some technology. Aside of this all, if you want to have really performant DB for real heavy-lifting in production, you should not use Docker, but dedicated Linux server, which only purpose is running your DB. – Dmitrii Semikin Mar 05 '20 at 09:22
  • 3
    @MattiVM: Another aspect: As was discussed above, Docker is good for sandboxing the environments without too much overhead. And it stays true even if it runs in the VM (like in Windows). E.g. if you want to run multiple containers on the same host, then you need only one VM for this - you can run all the containers inside. If you would try to arrange in with VMs, you would ultimately need separate VM to reaplace each "container", which would have significantly higher resource footprint. – Dmitrii Semikin Mar 05 '20 at 09:25
  • @DmitriiSemikin, one of the best answers that basically cleared how docker runs on non-linux kernel (Mac, Windows )! – Megha Aggarwal Nov 30 '20 at 18:05
  • How about linux containers on linux host? Apparently they rarely need even vi/bash etc. because they are generally available on the host. This confuses me. – Nicholas Humphrey Jun 28 '23 at 04:00
2

We need a VM to run a docker on the host machine ( this is achieved through the docker toolbox) if it is windows, on Linux we don't even need this. Once we have a docker toolbox container in itself doesn't need a VM, each container has a baseline image which is very minimal and reuses a lot of stuff with the host kernel hence making it lightweight compared to VM. You can run many such container using single host kernel.

Raviprajna
  • 31
  • 2