From Virtualization to Containers: A Complete Journey Through Container Technology
This article provides a comprehensive overview of container technology, covering its definition, key characteristics, historical evolution from early virtualization to modern Docker and Kubernetes ecosystems, core Linux mechanisms such as cgroups and namespaces, runtime implementations, OCI standards, security enhancements, and container orchestration.
Introduction
Containers are a lightweight virtualization technology that packages an application together with all its dependencies and configuration, providing a consistent and portable execution environment across development, testing, and production.
Key Characteristics
Cross‑platform compatibility
Consistent and repeatable behavior across environments
Resource isolation via Linux namespaces and cgroups
Fast startup and deployment
Horizontal scalability
Environment isolation (filesystem, network, PID, etc.)
Efficient resource usage compared with full VMs
Native integration with CI/CD pipelines
Evolution Timeline
1979: Unix v7 introduced chroot for isolated filesystem views.
1999: FreeBSD 4.0 added jail, an early commercial OS‑level virtualization mechanism.
2004: Solaris 10 released Zones.
2005: OpenVZ launched as a Linux OS‑level virtualization system.
2004‑2007: Google internally used cgroups for large‑scale containerization.
2006: Google open‑sourced its process‑container technology (later renamed cgroup).
2008: cgroups merged into the mainline Linux kernel.
2008: The LXC project created the first Linux container prototype.
2011: CloudFoundry developed Warden, an early container manager.
2013: Google open‑sourced LMCTFY; Docker was officially released.
2014: Kubernetes was released, coupling orchestration with containers.
2015: The CNCF was founded to promote cloud‑native ecosystems.
2016‑2017: containerd, rkt, OCI 1.0, and CRI/CNI matured.
2017‑2018: Commercial container services (AWS ECS, Google EKS, Alibaba ACK, etc.) launched.
2017‑2019: Security‑focused runtimes such as Kata Containers, gVisor, and Firecracker appeared.
2020‑present: Continued evolution of container engines (Kata 2.0, Alibaba sandbox containers 2.0, etc.).
Core Linux Mechanisms
cgroups
Control Groups (cgroups) allow fine‑grained limiting, accounting, and isolation of CPU, memory, I/O, and other resources for a group of processes. Typical uses include resource quotas, priority control, and dynamic resource management.
Namespaces
Linux namespaces provide isolation of system resources such as process IDs, network stacks, mount points, user IDs, and hostname, giving each container its own view of the kernel.
Docker Overview
Docker, launched in 2013, implements the “Build, Ship and Run Any App, Anywhere” vision. Major milestones include DockerCon 2015 promoting the OCI standards, the open‑sourcing of runc in 2015, and the graduation of containerd to a CNCF project in 2017.
Container Runtimes
Runtimes are divided into:
Low‑level runtimes (e.g., runc, kata) that handle namespaces, cgroups, and image unpacking.
High‑level runtimes (e.g., containerd, CRI‑O) that provide image management, networking, and OCI compliance. Kubernetes communicates with any OCI‑compatible runtime through the Container Runtime Interface (CRI) shim.
containerd Architecture
containerd is a high‑level runtime composed of modular plugins (content, snapshot, metadata, runtime, etc.). Its lifecycle includes:
Pulling images from a registry.
Storing image layers in the content store.
Creating a snapshot (filesystem) for the image.
Assembling a bundle (configuration, rootfs, metadata).
Delegating execution to a low‑level runtime such as runc.
Key plugin types are:
Content Plugin – immutable storage of image blobs.
Snapshot Plugin – management of filesystem snapshots for containers.
Metadata Plugin – tracking of containers, images, and snapshots.
OCI Standards
The Open Container Initiative defines three specifications:
runtime‑spec – describes container execution environment, lifecycle, and required kernel features (namespaces, cgroups, pivot_root, etc.).
image‑spec – defines the on‑disk image format, configuration, and layer metadata.
distribution‑spec – standardizes image push/pull protocols.
Reference implementations include opencontainers/runc, kata‑containers/runtime, and google/gvisor.
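The runtime‑spec bundle configuration (config.json) is where the namespaces and cgroup limits described above are actually declared, so a defender can audit it before handing it to runc. The following is an added example, not code from the article or from the OCI project: the field names are the runtime‑spec's own, while the sample config and the audit function are constructed for this illustration.

```python
"""Audit an OCI runtime-spec config.json for isolation gaps (added example,
not from the article or the OCI project; field names follow the runtime-spec)."""
import json

# Namespace types defined by the runtime-spec; a hardened bundle uses all of them.
EXPECTED_NAMESPACES = {"pid", "network", "ipc", "uts", "mount", "user", "cgroup"}


def audit_oci_config(config: dict) -> list:
    """Return human-readable findings; an empty list means no gaps were detected."""
    findings = []
    linux = config.get("linux", {})
    # Each missing namespace means the container shares that resource view with the host.
    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    for ns in sorted(EXPECTED_NAMESPACES - present):
        findings.append(f"namespace '{ns}' not isolated: shared with the host")
    # cgroup limits live under linux.resources; an absent limit means unbounded.
    resources = linux.get("resources", {})
    if resources.get("memory", {}).get("limit") is None:
        findings.append("no cgroup memory limit (linux.resources.memory.limit)")
    if resources.get("pids", {}).get("limit") is None:
        findings.append("no cgroup pids limit (linux.resources.pids.limit): fork bombs unbounded")
    if not config.get("process", {}).get("noNewPrivileges", False):
        findings.append("process.noNewPrivileges is false: setuid binaries can gain privileges")
    if not config.get("root", {}).get("readonly", False):
        findings.append("root.readonly is false: rootfs is writable")
    if "seccomp" not in linux:
        findings.append("no linux.seccomp profile: full syscall surface exposed")
    return findings


# Constructed sample: a runc-style config with the user namespace, pids limit and seccomp left out.
SAMPLE_CONFIG = json.loads("""{
  "ociVersion": "1.0.2",
  "process": {"args": ["sh"], "noNewPrivileges": true},
  "root": {"path": "rootfs", "readonly": true},
  "linux": {
    "namespaces": [{"type": "pid"}, {"type": "network"}, {"type": "ipc"},
                   {"type": "uts"}, {"type": "mount"}, {"type": "cgroup"}],
    "resources": {"memory": {"limit": 268435456}}
  }
}""")

if __name__ == "__main__":
    for finding in audit_oci_config(SAMPLE_CONFIG):
        print("-", finding)
```

Running it against a real bundle is a matter of replacing SAMPLE_CONFIG with `json.load(open("config.json"))`; the same checks apply to the spec a high‑level runtime such as containerd generates for runc.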
Secure Containers
Traditional runc‑based containers share the host kernel, so a kernel vulnerability exposes them to escape risks. Kata Containers combine VM‑level isolation with container performance, integrating with containerd and Kubernetes via the CRI.
Container Orchestration
Orchestration automates deployment, scaling, and management of containerized workloads. Major platforms are Mesos, Docker Swarm, and Kubernetes, with Kubernetes prevailing due to its open‑source community, standardization (OCI/CRI), extensive ecosystem, and broad adoption.