
Docker: Background, Core Technologies, and Recent Projects Overview

This article provides a comprehensive overview of Docker, covering its historical background, core container technologies such as Linux namespaces, cgroups, and AUFS, a practical Hello World example, and recent sub‑projects, illustrating how Docker reshapes cloud‑native development and operations.

Qunar Tech Salon

1. Background

1.1 From PaaS to Containers

In February 2013, former Gluster CEO Ben Golub and dotCloud CEO Solomon Hykes discussed open‑sourcing the container technology used internally at dotCloud, leading to the creation of Docker. Solomon discovered that Linux Containers (LXC) could free developers from complex deployment tasks and enable system engineers to focus on scaling and stable releases, marking a shift in cloud technology.

1.2 Docker Overview

Docker is an open‑source container engine written in Go, hosted on GitHub, and released under the Apache 2.0 license. It was originally built on LXC; since Docker 0.9 its own libcontainer library has been the default execution driver, with LXC available as an alternative. Since DockerCon 2014, major companies such as IBM, Google, and Red Hat have backed it, and platforms like Google Compute Engine and Baidu App Engine run Docker containers.

Docker aims to solve several problems:

1) Complex environment management – Docker packages web, backend, database, and big‑data applications (e.g., Hadoop) into portable images.

2) Cloud computing era – Docker complements services like AWS by simplifying software configuration and management.

3) Virtualization inefficiencies – Containers avoid the overhead of full guest OSes, offering lightweight isolation.

4) LXC portability – Docker adds standardization and portability to LXC‑based environments.

1.3 Docker Hello World

Example on a Fedora 20 host (the package is named docker-io there because an unrelated package already owned the name docker):

$ sudo yum -y install docker-io

Start the Docker daemon:

$ sudo systemctl start docker

Run the first Hello World container (the first run pulls the fedora image from the registry, so expect a delay before the output appears):

$ sudo docker run -i -t fedora /bin/echo hello world
hello world

2. Core Technology Preview

Docker’s core relies on operating‑system‑level virtualization, which can be described through five aspects: isolation, quota, measurability, portability, and security.

2.1 Isolation – Linux Namespaces

Namespaces separate containers from each other. Key namespaces include pid, net, ipc, mnt, uts, and user, each providing isolation for processes, networking, inter‑process communication, file‑system mounts, hostnames/domain names, and user/group IDs.

Examples:

pid namespace : isolates process IDs. Each container sees its own process tree starting at PID 1 and can neither see nor signal host processes. Namespaces nest, which is what makes Docker‑in‑Docker scenarios possible.

net namespace : gives each container independent network devices, IP addresses, routing tables, and iptables rules, typically connected to the host via a veth pair attached to the docker0 bridge.

ipc namespace : isolates System V IPC resources (semaphores, message queues, shared memory) while still using the host’s kernel.

mnt namespace : gives each container its own set of mount points, so it sees only its own root file system. This is stronger than chroot, which changes only the root path and can be escaped by a root process.

uts namespace : gives each container its own hostname and domain name.

user namespace : maps user and group IDs inside the container onto different IDs on the host, so that root inside a container need not be root on the host. At the time of writing Docker did not yet use it, so container root was host root with a reduced capability set.
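The kernel exposes a process’s namespace membership as symlinks under /proc/<pid>/ns/, one per namespace type, whose target names the namespace instance by inode; two processes are in the same namespace exactly when the inodes match. The following Python script is an added example (not code from the original article or from Docker) that reads those links to answer the practical questions above: which namespaces does a process live in, and in which of them is it isolated from another process, such as the host’s init. It needs no root for the caller’s own processes; reading another process’s links requires ptrace‑level access to it. The link format and the /proc layout are kernel facts; the choice of pid 1 as reference is an assumption for the host‑side use case.

```python
"""Inspect Linux namespace membership through /proc/<pid>/ns/*.

Added example, not part of the original article. Each entry under
/proc/<pid>/ns is a symlink whose target names the namespace type and the
inode identifying the namespace instance, e.g. 'pid:[4026531836]'.
Two processes share a namespace exactly when those inodes are equal.
Reading another process's links needs ptrace-level access to it, so an
unprivileged user can normally inspect only its own processes."""
import os
import re

# The namespace types discussed above; newer kernels add 'cgroup' and 'time'.
NS_TYPES = ("pid", "net", "ipc", "mnt", "uts", "user")

_NS_LINK = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")

MY_PID = os.getpid()


def parse_ns_link(target):
    """'pid:[4026531836]' -> ('pid', 4026531836); ValueError on anything else."""
    m = _NS_LINK.match(target)
    if m is None:
        raise ValueError("not a namespace link: %r" % (target,))
    return m.group("type"), int(m.group("inode"))


def namespaces_of(pid):
    """{ns_type: inode} for `pid`. Types that cannot be read (no /proc,
    permission denied, pid not visible from this pid namespace) are omitted."""
    result = {}
    for ns in NS_TYPES:
        try:
            target = os.readlink("/proc/%d/ns/%s" % (pid, ns))
        except OSError:
            continue
        ns_type, inode = parse_ns_link(target)
        result[ns_type] = inode
    return result


def shared_namespaces(pid_a, pid_b):
    """{ns_type: bool}: True where both processes are in the same namespace.
    Only types readable for both pids are reported."""
    a, b = namespaces_of(pid_a), namespaces_of(pid_b)
    return {ns: a[ns] == b[ns] for ns in a if ns in b}


def isolated_from(pid, reference_pid=1):
    """Namespace types in which `pid` differs from `reference_pid`.
    Run on the host with a container's pid (from `docker inspect`), the
    result should contain pid, net, ipc, mnt and uts. A container process
    that shares net or pid with host init was started with the host's
    network or PID namespace and deserves a second look."""
    return {ns for ns, same in shared_namespaces(pid, reference_pid).items()
            if not same}


if __name__ == "__main__":
    print("namespaces of this process:", namespaces_of(MY_PID))
    print("differs from pid 1 in:", sorted(isolated_from(MY_PID)))
```

Run inside a container, `isolated_from(MY_PID)` is empty because pid 1 there is the container’s own init; run on the host against a containerised pid, it lists exactly the namespaces Docker created for that container, so an unexpectedly short list is a finding worth chasing.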

2.2 Quota/Measurement – Control Groups (cgroups)

cgroups enable resource limiting and accounting. Each subsystem (controller) is mounted as a hierarchy of directories, commonly under /sys/fs/cgroup/<subsystem> (older distributions used /cgroup). Creating a directory there creates a group, and writing a process ID to its tasks file places that process, and every child it later forks, under the group’s limits; Docker creates one such group per container. The nine subsystems are blkio, cpu, cpuacct, cpuset, devices, freezer, memory, net_cls, and ns (the ns subsystem is obsolete and has since been removed from the kernel).
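To see where a given process actually sits in those hierarchies, read /proc/<pid>/cgroup: each line names a hierarchy, the controllers mounted on it, and the process’s group path, and the control files (for example memory.limit_in_bytes, which Docker writes for -m) live under the controller’s mount point at that path. The Python below is an added example, not code from the original article or from Docker; it parses that file, builds the control‑file path, reads a limit, attaches a PID to a group (the tasks write described above, which needs root), and extracts the Docker container ID that the cgroup path leaks into the container. The /sys/fs/cgroup mount point and the docker/<id> and docker-<id>.scope naming are the usual defaults and are assumptions here; the sample lines are constructed, and the unified‑hierarchy (cgroup v2) format is handled as well as the v1 format the text describes.

```python
"""Locate a process's cgroups and the control files behind Docker's limits.

Added example, not part of the original article. /proc/<pid>/cgroup lists,
per hierarchy, the controllers mounted on it and the process's cgroup path.
Control files live under <mount>/<controller>/<path>/ (cgroup v1) or
<mount>/<path>/ (cgroup v2). Sample lines below are constructed; the mount
point and the docker/<id> layout are the usual defaults, assumed here."""
import os
import re

V1_SUBSYSTEMS = ("blkio", "cpu", "cpuacct", "cpuset", "devices", "freezer",
                 "memory", "net_cls", "ns")   # the nine listed above
CGROUP_ROOT = "/sys/fs/cgroup"                # assumed mount point

# Docker names a container's cgroup after the 64-hex container ID, either
# /docker/<id> (cgroupfs driver) or .../docker-<id>.scope (systemd driver).
_CONTAINER_ID = re.compile(r"docker[/-]([0-9a-f]{64})")


def parse_proc_cgroup(text):
    """Contents of /proc/<pid>/cgroup -> {controller: path}.
    v1 line: '<hier-id>:<ctl>[,<ctl>...]:<path>'; v2 line: '0::<path>',
    stored under the key 'unified'."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hier, controllers, path = line.split(":", 2)
        if controllers == "":
            result["unified"] = path
        else:
            for ctl in controllers.split(","):
                result[ctl] = path   # 'name=systemd' hierarchies included
    return result


def control_file(cgroups, controller, filename, root=CGROUP_ROOT):
    """Path of a control file for the process's group, e.g.
    ('memory', 'memory.limit_in_bytes') on v1 or ('memory', 'memory.max')
    on v2. This is the file the Docker daemon writes for -m/--memory."""
    if controller in cgroups:
        return os.path.join(root, controller,
                            cgroups[controller].lstrip("/"), filename)
    return os.path.join(root, cgroups["unified"].lstrip("/"), filename)


def read_limit(cgroups, controller, filename):
    """Numeric value of a control file; None if absent or unlimited ('max')."""
    try:
        with open(control_file(cgroups, controller, filename)) as fh:
            value = fh.read().strip()
    except (OSError, KeyError):
        return None
    return None if value == "max" else int(value)


def attach_pid(cgroup_dir, pid):
    """Move `pid` into a group: the 'tasks' write the text above describes
    (cgroup v2 uses 'cgroup.procs'). Needs write access to the directory,
    i.e. root or a delegated subtree."""
    name = "tasks" if os.path.exists(os.path.join(cgroup_dir, "tasks")) \
        else "cgroup.procs"
    with open(os.path.join(cgroup_dir, name), "w") as fh:
        fh.write("%d\n" % pid)


def docker_container_id(cgroups):
    """The container ID leaks into the container through its own cgroup
    path; useful when correlating a process with `docker ps` output."""
    for path in cgroups.values():
        m = _CONTAINER_ID.search(path)
        if m:
            return m.group(1)
    return None


CID = "0123456789abcdef" * 4   # constructed 64-hex container ID

# Constructed samples of /proc/self/cgroup as seen inside a container.
SAMPLE_V1 = ("9:memory:/docker/{0}\n"
             "8:cpu,cpuacct:/docker/{0}\n"
             "1:name=systemd:/docker/{0}\n").format(CID)
SAMPLE_V2 = "0::/system.slice/docker-{0}.scope\n".format(CID)


if __name__ == "__main__":
    cg = parse_proc_cgroup(SAMPLE_V1)
    print("container:", docker_container_id(cg))
    print("limit file:", control_file(cg, "memory", "memory.limit_in_bytes"))
    try:
        with open("/proc/self/cgroup") as fh:
            mine = parse_proc_cgroup(fh.read())
    except OSError:
        mine = {}
    if "memory" in mine:
        print("my memory limit:", read_limit(mine, "memory", "memory.limit_in_bytes"))
    elif "unified" in mine:
        print("my memory limit:", read_limit(mine, "memory", "memory.max"))
```

A memory limit that reads back as None (or as a very large number on v1) means the container runs without a memory quota, which is the default unless -m was given; that is worth knowing before you co‑locate untrusted workloads on one host.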

2.3 Portability – AUFS

AUFS (Another Union FS) is a union file system that layers multiple directories (branches) into a single virtual file system. Branches can be read‑only or read‑write, so a Docker image can be built as a stack of read‑only layers with one writable layer on top: a lookup searches from the top layer down and the first match wins; a modification copies the file up into the writable layer (copy‑on‑write); and deleting a lower‑layer file only records a whiteout entry (.wh.<name>) in the writable layer, leaving the lower layer, and anything sensitive in it, untouched. Read‑only layers are therefore shared by every container and image that uses them.

A typical Linux boot involves a read‑only bootfs (kernel and boot loader) and a mutable rootfs. Docker mounts the rootfs read‑only and stacks a writable layer on top with AUFS, forming the container’s runtime view: the image is the read‑only layers, and the writable layer holds the container‑specific changes, which are discarded when the container is removed unless committed into a new image layer.
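The layering, copy‑on‑write and whiteout rules above are easiest to see in a small model. The Python below is an added example (not code from the original article or from AUFS/Docker) that represents each layer as a dict of path to bytes and implements top‑down lookup, copy‑on‑write, whiteout‑based deletion, and commit of the writable layer into a new image layer. It also shows the consequence a practitioner cares about: a file deleted in a later layer is hidden from the container but still present in the lower layer, so a credential that shipped in a base layer is recoverable by anyone who has the image. The .wh. prefix is AUFS’s real whiteout convention; the image contents are constructed.

```python
"""Model of AUFS-style union layering as Docker uses it.

Added example, not part of the original article. Each layer is a dict
{path: bytes}; image layers are bottom-first and never modified. Lookups
search from the writable layer down, first hit wins, and a whiteout
'.wh.<name>' in a higher layer hides every copy of <name> beneath it."""

WHITEOUT_PREFIX = ".wh."


def whiteout_name(path):
    """'/etc/secret' -> '/etc/.wh.secret'; 'x' -> '.wh.x'."""
    parent, sep, name = path.rpartition("/")
    return parent + sep + WHITEOUT_PREFIX + name


class UnionView:
    """A container's view: frozen image layers plus one private writable layer."""

    def __init__(self, image_layers):
        self.image_layers = [dict(layer) for layer in image_layers]  # bottom first
        self.rw_layer = {}

    def _top_down(self):
        return [self.rw_layer] + self.image_layers[::-1]

    def read(self, path):
        wh = whiteout_name(path)
        for layer in self._top_down():
            if wh in layer:
                raise FileNotFoundError(path)   # deleted in a higher layer
            if path in layer:
                return layer[path]
        raise FileNotFoundError(path)

    def write(self, path, data):
        """Copy-on-write: changes land in the writable layer only."""
        self.rw_layer.pop(whiteout_name(path), None)
        self.rw_layer[path] = data

    def delete(self, path):
        self.read(path)                           # ENOENT if not visible
        self.rw_layer.pop(path, None)
        self.rw_layer[whiteout_name(path)] = b""  # whiteout marker

    def visible_files(self):
        """Paths the container can see, honouring whiteouts."""
        seen, hidden = {}, set()
        for layer in self._top_down():
            for name, data in layer.items():
                parent, sep, base = name.rpartition("/")
                if base.startswith(WHITEOUT_PREFIX):
                    hidden.add(parent + sep + base[len(WHITEOUT_PREFIX):])
                elif name not in seen and name not in hidden:
                    seen[name] = data
        return sorted(seen)

    def commit(self):
        """`docker commit`: freeze the writable layer as a new image layer.
        Whiteouts travel with it, but the data they hide stays in the layer
        below, so deleting a secret in a later layer does not remove it."""
        self.image_layers.append(dict(self.rw_layer))
        self.rw_layer = {}
        return self.image_layers


def recover_from_layers(image_layers, path):
    """What an auditor (or attacker) holding the image tarball sees: every
    copy of `path` in any layer, whiteouts ignored, bottom-first."""
    return [layer[path] for layer in image_layers if path in layer]


# Constructed image: a base layer that accidentally shipped a credential,
# and a later build step that 'removed' it.
BASE_LAYER = {"/bin/sh": b"\x7fELF", "/etc/aws_credentials": b"aws_access_key_id=EXAMPLE"}
CLEANUP_LAYER = {"/etc/.wh.aws_credentials": b"", "/app/run.py": b"print('hi')"}
IMAGE = [BASE_LAYER, CLEANUP_LAYER]


if __name__ == "__main__":
    view = UnionView(IMAGE)
    print("visible:", view.visible_files())
    print("recoverable:", recover_from_layers(IMAGE, "/etc/aws_credentials"))
```

The practical rule this models: never rely on a later RUN rm to scrub a secret from an image; the only fix is to keep it out of every layer, or to rebuild the image so the offending layer is gone.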

2.4 Security – AppArmor, SELinux, GRSEC

Docker’s security rests on four things: kernel namespaces and cgroups; the attack surface of the Docker daemon itself, which runs as root (anyone who can reach its socket, including every member of the docker group, can start a container with host directories mounted and is therefore effectively root on the host); the Linux capabilities dropped from a container’s root user, which removes most of what makes root dangerous (mounting file systems, loading kernel modules, raw device access, ptrace of arbitrary processes); and kernel hardening such as AppArmor, SELinux, and GRSEC. Detailed security mechanisms are documented in the official Docker documentation.
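The quickest way to check how much of root a container actually holds is the capability bitmasks the kernel reports in /proc/<pid>/status. The Python below is an added example, not code from the original article or from Docker: it decodes the CapEff/CapBnd masks into capability names (the numbering follows <linux/capability.h>), flags the ones that usually mean a host compromise is reachable from inside a container, and reads the seccomp and no_new_privs fields alongside. The status excerpts are constructed; the first mask is the well‑known value for Docker’s default container root, the second is what --privileged yields on a kernel with 41 capabilities. The DANGEROUS set is my judgement, not a Docker definition.

```python
"""Decode the capability sets in /proc/<pid>/status.

Added example, not part of the original article. The kernel reports each
capability set (CapInh, CapPrm, CapEff, CapBnd, CapAmb) as a hex bitmask;
bit n is capability number n from <linux/capability.h>. Docker starts
container root with a reduced set and a matching bounding set, so the
mask says how much of 'root' a container really has. Samples constructed."""

# Index == capability number; order follows <linux/capability.h>.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Capabilities that, inside a container, commonly translate into host
# compromise (mount/ptrace/module loading/raw device access/MAC bypass).
# This selection is the author's judgement, not a Docker definition.
DANGEROUS = {"sys_admin", "sys_module", "sys_ptrace", "sys_rawio",
             "dac_read_search", "net_admin", "mac_admin", "mac_override",
             "sys_boot"}

# Docker's default capability set for container root (14 capabilities).
DEFAULT_DOCKER_CAPS = {"chown", "dac_override", "fsetid", "fowner", "mknod",
                       "net_raw", "setgid", "setuid", "setfcap", "setpcap",
                       "net_bind_service", "sys_chroot", "kill", "audit_write"}

SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}


def decode_caps(mask_hex):
    """'00000000a80425fb' -> set of names; unknown high bits become 'cap_<n>'
    so capabilities newer than this table are not silently ignored."""
    mask = int(mask_hex, 16)
    names, bit = set(), 0
    while mask:
        if mask & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        mask >>= 1
        bit += 1
    return names


def parse_status(text):
    """'Key:\\tvalue' lines of /proc/<pid>/status -> {key: value}."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def audit_status(text):
    """Summarise what a process can do: effective caps, the dangerous ones,
    what it could regain via setuid/file capabilities (in the bounding set
    but not effective), root-ness, seccomp mode and no_new_privs."""
    f = parse_status(text)
    effective = decode_caps(f.get("CapEff", "0"))
    bounding = decode_caps(f.get("CapBnd", "0"))
    uid = f.get("Uid", "").split()
    return {
        "effective": effective,
        "dangerous": effective & DANGEROUS,
        "can_regain": (bounding - effective) & DANGEROUS,
        "root": bool(uid) and uid[0] == "0",
        "seccomp": SECCOMP_MODES.get(f.get("Seccomp", "0"), "unknown"),
        "no_new_privs": f.get("NoNewPrivs") == "1",
    }


def read_self_status():
    """Text of /proc/self/status, or None where /proc is unavailable."""
    try:
        with open("/proc/self/status") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed excerpts of /proc/self/status.
DEFAULT_CONTAINER = ("Name:\tsh\nUid:\t0\t0\t0\t0\nCapPrm:\t00000000a80425fb\n"
                     "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
                     "Seccomp:\t2\nNoNewPrivs:\t0\n")
PRIVILEGED = ("Name:\tsh\nUid:\t0\t0\t0\t0\nCapPrm:\t000001ffffffffff\n"
              "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
              "Seccomp:\t0\nNoNewPrivs:\t0\n")


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONTAINER), ("privileged", PRIVILEGED),
                        ("self", read_self_status() or "")):
        r = audit_status(text)
        print(label, "dangerous:", sorted(r["dangerous"]), "seccomp:", r["seccomp"])
```

Run inside a container, a non‑empty dangerous set, or a bounding set wider than the effective set, tells you the container was started with extra capabilities or --privileged, and that AppArmor/SELinux confinement is the only thing left between it and the host.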

3. Recent Sub‑Projects

Notable Docker community projects include:

Libswarm : an API to unify networking interfaces for distributed systems, aiming to abstract various service‑discovery solutions.

Libchan : a low‑level network library that underpins Libswarm, offering lightweight, Docker‑optimized messaging similar to ZeroMQ.

Libcontainer : the core component of Docker responsible for container management, frequently updated with new features.

4. Summary

Docker continues to address technical challenges in cloud computing by providing a lightweight, portable, and secure container platform. Readers are encouraged to experiment with Docker in their own environments to fully appreciate its value in modern cloud‑native architectures.

5. Author Biography

Xiao Deshi, Red Hat Engineering Service/HSS internal tools team lead, lead developer of the open‑source Node.js project nodejs‑cantas, initiator of the Rails Starter course, maintainer of the rubygem lazy_high_charts, and active contributor to the open‑source community.

6. References

https://tiewei.github.io/cloud/Docker-Getting-Start/

http://docs.docker.com/articles/

http://www.slideshare.net/shykes/docker-the-road-ahead

http://www.centurylinklabs.com/meet-docker-ceo-ben-golub/

http://lwn.net/Articles/531114/

http://en.wikipedia.org/wiki/Aufs

http://docs.docker.io/en/latest/terms/filesystem/

http://docs.docker.io/en/latest/terms/layer/

http://docs.docker.io/en/latest/terms/image/

http://docs.docker.io/en/latest/terms/container/

https://stackoverflow.com/questions/17989306/what-does-docker-add-to-just-plain-lxc

(Source: infoQ)

Written by Qunar Tech Salon

Qunar Tech Salon is a learning and exchange platform for Qunar engineers and industry peers. We share cutting-edge technology trends and topics, providing a free platform for mid-to-senior technical professionals to exchange and learn.