
Master Docker: From Basics to Deep Dive on Isolation, Images, and Resource Management

This article provides a concise, visual guide to Docker, covering its background, differences from virtual machines, resource isolation mechanisms (namespaces, cgroups, networking), file system handling, image layering, storage drivers, and practical commands for inspecting configurations, transferring files, and packaging images for remote repositories.

Java One

Docker Background

Docker offers a lightweight virtualization solution that keeps development and production environments consistent by version‑controlling the runtime environment.

Problems Docker Solves

Backend development and operations often struggle with environment drift; Docker packages the entire execution environment, eliminating discrepancies between dev and prod.

Docker vs. Virtual Machines

Virtual machines isolate resources by running a full guest OS on a hypervisor. Docker, by contrast, leverages Linux namespaces, cgroups, and layered image filesystems to provide process‑level isolation without the overhead of a separate OS. The flip side is that every container shares the host kernel: a kernel vulnerability, or a container started with extra privileges (--privileged, host namespaces, bind mounts of sensitive host paths), can reach the host in ways a hypervisor boundary would block. Treat a container as a weaker isolation boundary than a VM when threat modeling.

Docker Resource Isolation

Namespace Isolation

When a container starts, Docker creates separate PID, mount, network, IPC and UTS namespaces (plus a cgroup namespace on recent kernels), so each container has its own view of processes, mount points, network interfaces, System V IPC objects and hostname. A user namespace is not created by default: unless the daemon runs with userns-remap or in rootless mode, UID 0 inside the container is UID 0 on the host, which is why running container processes as root still matters.

On the host, the process tree begins with init (PID 1) and the kernel thread kthreadd (PID 2), both created by the kernel’s idle process (PID 0). Inside a container’s PID namespace the container’s entrypoint becomes PID 1 and neither the host’s init nor kthreadd is visible; seen from the host, that same entrypoint is an ordinary process with a high PID that host tools such as ps and kill can still reach.
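The check a practitioner actually runs to confirm which of these namespaces a container has is to compare the /proc/<pid>/ns links of a container process with those of the host's PID 1. The script below is an added example, not code from the original article: the namespace inode values are constructed to look like a default `docker run` container next to its host, and the same container started with --net=host --pid=host.

```python
"""Compare the namespace membership of two processes via /proc/<pid>/ns.

Added example (not from the original article). Each entry in /proc/<pid>/ns is a
symlink such as 'pid:[4026531836]'; two processes whose links resolve to the same
target share that namespace. Comparing a container's entrypoint with the host's
PID 1 shows which isolation boundaries the container really has.
"""
import os

NAMESPACES = ("pid", "mnt", "net", "ipc", "uts", "user", "cgroup")

def read_namespaces(pid):
    """Read /proc/<pid>/ns/* link targets for a live process (Linux only)."""
    result = {}
    for ns in NAMESPACES:
        try:
            result[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            pass  # namespace type not supported by this kernel, or no permission
    return result

def shared_namespaces(a, b):
    """Sorted list of namespace types where both processes have the same target."""
    return sorted(ns for ns in a if ns in b and a[ns] == b[ns])

def isolation_report(container_ns, host_ns):
    """Classify each namespace type of the container as 'isolated' or 'shared'."""
    shared = set(shared_namespaces(container_ns, host_ns))
    return {ns: ("shared" if ns in shared else "isolated") for ns in container_ns}

# Constructed sample values (inode numbers are made up). The user namespace is
# shared because Docker does not create one unless userns-remap is configured.
HOST_NS = {
    "pid": "pid:[4026531836]", "mnt": "mnt:[4026531840]", "net": "net:[4026531992]",
    "ipc": "ipc:[4026531839]", "uts": "uts:[4026531838]", "user": "user:[4026531837]",
    "cgroup": "cgroup:[4026531835]",
}
DEFAULT_CONTAINER_NS = {
    "pid": "pid:[4026532200]", "mnt": "mnt:[4026532198]", "net": "net:[4026532203]",
    "ipc": "ipc:[4026532201]", "uts": "uts:[4026532199]", "user": "user:[4026531837]",
    "cgroup": "cgroup:[4026532202]",
}
# Constructed sample: the same container started with --net=host --pid=host.
HOST_NET_PID_CONTAINER_NS = dict(DEFAULT_CONTAINER_NS, net=HOST_NS["net"], pid=HOST_NS["pid"])

if __name__ == "__main__":
    print(isolation_report(DEFAULT_CONTAINER_NS, HOST_NS))
    print(isolation_report(HOST_NET_PID_CONTAINER_NS, HOST_NS))
    # On a Linux host, compare a live container process (PID from `docker inspect`)
    # with the host's init: isolation_report(read_namespaces(<pid>), read_namespaces(1))
```

On a real host the only namespace a default container shares with PID 1 is user, which is exactly the finding that motivates userns-remap or rootless Docker.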

Network Isolation

Docker’s built‑in single‑host network modes are host, container (share another container’s network namespace), none, and bridge (the default); multi‑host drivers such as overlay and macvlan also exist. In bridge mode Docker creates a virtual bridge docker0, attaches each container to it through a veth pair, and assigns the container an IP address from the bridge’s subnet (172.17.0.0/16 by default). Containers on the same bridge can reach each other directly, so separating untrusted workloads requires distinct user‑defined networks rather than the shared default bridge.

When a container publishes a port (-p host_port:container_port), Docker adds a DNAT rule to the DOCKER chain of the iptables nat table that rewrites traffic arriving on the host port to the container’s IP and port, plus a MASQUERADE rule so the container’s outbound traffic appears to come from the host. These rules are evaluated in PREROUTING and FORWARD, ahead of host firewalls that only filter INPUT (ufw is the classic example), so a published port is reachable on every host interface unless it is bound explicitly, e.g. -p 127.0.0.1:5432:5432.

The networking stack is implemented by libnetwork, whose Container Network Model defines three core components: Sandbox (a container’s network namespace with its interfaces and routes), Endpoint (the interface that joins a Sandbox to one Network), and Network (a set of Endpoints that can talk to each other, such as one bridge).
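A quick way to see what the port‑publishing rules above actually expose is to parse the DOCKER chain of the nat table. The parser below is an added example, not part of the original article; the rule lines are a constructed sample in the format printed by `iptables -t nat -S DOCKER`, and the rule syntax it matches is the one Docker's bridge driver has used for published ports (a rule with no `-d` match applies to every host address).

```python
"""Audit the DNAT rules Docker installs for published ports.

Added example (not from the original article). Parses nat-table DOCKER chain rules
as printed by `iptables -t nat -S DOCKER` and reports which container ports are
reachable from all host interfaces versus loopback only.
"""
import re

RULE_RE = re.compile(
    r"^-A DOCKER(?: -d (?P<host_ip>[\d.]+)/32)? ! -i (?P<bridge>\S+) -p (?P<proto>tcp|udp)"
    r" -m (?P=proto) --dport (?P<host_port>\d+) -j DNAT --to-destination"
    r" (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)

def parse_dnat_rules(lines):
    """Return one mapping dict per DNAT rule; other lines (chain creation, RETURN) are skipped."""
    mappings = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        mappings.append({
            "host_ip": m.group("host_ip") or "0.0.0.0",   # no -d match: all host addresses
            "host_port": int(m.group("host_port")),
            "proto": m.group("proto"),
            "container": f"{m.group('dst_ip')}:{m.group('dst_port')}",
            "bridge": m.group("bridge"),
        })
    return mappings

def world_reachable(mappings):
    """Mappings not bound to a loopback address, i.e. reachable from outside the host."""
    return [m for m in mappings if not m["host_ip"].startswith("127.")]

# Constructed sample: output of `iptables -t nat -S DOCKER` on a host running
#   docker run -p 8080:80 ...          (exposed on all interfaces)
#   docker run -p 127.0.0.1:5432:5432  (loopback only)
#   docker run -p 53:53/udp ...        (exposed on all interfaces)
SAMPLE_RULES = [
    "-N DOCKER",
    "-A DOCKER -i docker0 -j RETURN",
    "-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80",
    "-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432",
    "-A DOCKER ! -i docker0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.4:53",
]

if __name__ == "__main__":
    for m in world_reachable(parse_dnat_rules(SAMPLE_RULES)):
        print(f"exposed on all interfaces: {m['proto']}/{m['host_port']} -> {m['container']}")
```

Feed it `iptables -t nat -S DOCKER | python3 audit.py` style input on a live host to find services that were meant to be internal but were published without a loopback bind.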

File System Isolation

Docker starts the container in a new mount namespace (CLONE_NEWNS), which begins as a copy of the host’s mount table; mounts and unmounts performed inside it then stay private to the container, whereas without the flag they would alter the host’s mount table.

It then switches the container’s root to the image’s merged layers with pivot_root (chroot is only a fallback when pivot_root cannot be used), so every process in the container sees the image as its rootfs. A mount namespace isolates the mount table, not the files: a bind mount of a host directory (-v /etc:/etc) is the same inode tree on both sides, so whatever you mount in is outside this isolation.

Physical Resource Isolation

Namespaces do not limit CPU, memory, or I/O. Docker uses Linux Control Groups (cgroups) to constrain these physical resources.

Each cgroup groups processes with shared limits; hierarchies allow inheritance of resource constraints.

Typical cgroup v1 files include cpu.cfs_quota_us and cpu.cfs_period_us for CPU limits (docker run --cpus=1.5 sets the quota to 1.5 times the period), memory.limit_in_bytes for memory, and a tasks file listing member PIDs. On cgroup v2 hosts (the default on current distributions and supported since Docker 20.10) the equivalents are cpu.max, memory.max and cgroup.procs in a single unified hierarchy. A container without a memory limit can exhaust host memory and bring the host’s OOM killer into play, so limits are a resource‑isolation control, not just a tuning knob.

To list the cgroup v1 subsystems and where they are mounted (cgroup v2 mounts everything under /sys/fs/cgroup):

$ lssubsys -m
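Turning the files named above into the limits a container actually has is a small calculation that is worth getting right for both cgroup versions. The helpers below are an added example, not code from the original article; the read_* functions assume the Docker cgroup layout described here (v1: /sys/fs/cgroup/cpu/docker/<id> and /sys/fs/cgroup/memory/docker/<id>; v2: one directory, which inside a container is /sys/fs/cgroup itself), and the parsing functions take file contents so they run offline on constructed values.

```python
"""Turn cgroup limit files into a container's effective CPU and memory limits.

Added example (not from the original article). Handles the cgroup v1 files named
in the text (cpu.cfs_quota_us, cpu.cfs_period_us, memory.limit_in_bytes) and their
cgroup v2 equivalents (cpu.max, memory.max).
"""
import os

V1_NO_MEMORY_LIMIT = 9223372036854771712  # what memory.limit_in_bytes reports when unset

def cpu_limit_v1(quota_us, period_us):
    """cpu.cfs_quota_us / cpu.cfs_period_us -> CPUs; quota -1 means unlimited (None)."""
    quota, period = int(quota_us), int(period_us)
    return None if quota < 0 else quota / period

def cpu_limit_v2(cpu_max):
    """cpu.max holds '<quota> <period>' or 'max <period>'; 'max' means unlimited (None)."""
    quota, period = cpu_max.split()
    return None if quota == "max" else int(quota) / int(period)

def memory_limit(content):
    """memory.limit_in_bytes (v1) or memory.max (v2) -> bytes, or None when unlimited."""
    content = content.strip()
    if content == "max":
        return None
    value = int(content)
    return None if value >= V1_NO_MEMORY_LIMIT else value

def docker_cpus_to_quota(cpus, period_us=100000):
    """What `docker run --cpus=<cpus>` writes: quota = cpus * period (default period 100 ms)."""
    return int(cpus * period_us)

def _read(directory, name):
    with open(os.path.join(directory, name)) as f:
        return f.read()

def read_limits_v2(cgroup_dir="/sys/fs/cgroup"):
    """Effective limits of a cgroup v2 directory (inside a container: its own cgroup root)."""
    return {"cpus": cpu_limit_v2(_read(cgroup_dir, "cpu.max")),
            "memory_bytes": memory_limit(_read(cgroup_dir, "memory.max"))}

def read_limits_v1(cpu_dir, memory_dir):
    """Effective limits of a cgroup v1 cgroup, given its cpu and memory hierarchy paths."""
    return {"cpus": cpu_limit_v1(_read(cpu_dir, "cpu.cfs_quota_us"),
                                 _read(cpu_dir, "cpu.cfs_period_us")),
            "memory_bytes": memory_limit(_read(memory_dir, "memory.limit_in_bytes"))}

if __name__ == "__main__":
    # Constructed file contents for a container started with --cpus=1.5 --memory=512m
    print(cpu_limit_v1("150000\n", "100000\n"), memory_limit("536870912\n"))   # v1
    print(cpu_limit_v2("150000 100000\n"), memory_limit("536870912\n"))        # v2
    # Live, on a cgroup v2 host or inside a container: print(read_limits_v2())
```

A result of None for either value is the finding to act on: the container can consume as much of that resource as the host has.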

Docker Images

An image is a read‑only filesystem tree that mirrors a Linux root filesystem. Dockerfile instructions that change the filesystem (RUN, COPY, ADD) each add a new read‑only layer; the rest (ENV, CMD, EXPOSE and so on) only record metadata. For example, a Dockerfile that begins with

FROM ubuntu:15.04

starts from the layers of that base image and stacks its own layers on top.

When a container runs, Docker adds a thin writable top layer (copy‑on‑write: a file from a lower layer is copied up on first modification) and the image layers below stay untouched. Multiple containers can share the same underlying image layers. Because layers are additive, a file removed by a later instruction is only hidden by a whiteout entry and still ships in the image; a secret copied in during a build is not removed by a subsequent rm.

Storage Drivers

Docker’s storage drivers manage how layers are stored on disk and unioned into a rootfs. The drivers most often seen are aufs (the original) and overlay2. Modern Docker defaults to overlay2 wherever the kernel and backing filesystem support it; other drivers (btrfs, zfs, devicemapper, vfs) exist for particular setups, and aufs has been deprecated and removed from current releases. Check which driver is active with:

docker info | grep Storage

aufs stores each layer under /var/lib/docker/aufs/diff/ and metadata under /var/lib/docker/aufs/layers/. overlay2 keeps each layer’s changes under /var/lib/docker/overlay2/<id>/diff and presents the union of the lower layers plus the writable layer at /var/lib/docker/overlay2/<id>/merged using the kernel’s overlay filesystem.
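The layering rules from the Docker Images section and the union that a storage driver computes (this section) are easiest to see in a small simulation. The code below is an added example and not part of the original article or of any Docker driver: layers are plain dicts from path to content, and WHITEOUT stands in for the deletion marker a real driver writes (a character device in overlayfs, a .wh.<name> file in aufs). The sample image is constructed.

```python
"""Simulate how a storage driver merges image layers, including whiteouts.

Added example (not from the original article). Lower layers are applied first and
the topmost entry for a path wins; a whiteout hides the path from the merged view
without touching the lower layer that still contains it.
"""
WHITEOUT = object()  # sentinel standing in for an overlay/aufs whiteout entry

def merged_view(layers):
    """Union of layers (lowest first), as seen from inside the container."""
    view = {}
    for layer in layers:
        for path, content in layer.items():
            if content is WHITEOUT:
                view.pop(path, None)      # deletion recorded in this layer
            else:
                view[path] = content      # new file or copy-up of a modified file
    return view

def paths_in_any_layer(layers):
    """Every path that still has content in some layer, i.e. ships in the image."""
    return sorted({p for layer in layers for p, c in layer.items() if c is not WHITEOUT})

def leaked_paths(layers):
    """Paths hidden from the merged view that a lower layer still contains."""
    visible = merged_view(layers)
    return [p for p in paths_in_any_layer(layers) if p not in visible]

def container_rootfs(image_layers, writable_layer):
    """What a running container sees: image layers plus its own writable layer."""
    return merged_view(image_layers + [writable_layer])

# Constructed sample image: three read-only layers, then one container's writable layer.
BASE_LAYER = {"/etc/os-release": "ID=ubuntu", "/bin/sh": "<binary>"}             # FROM ubuntu
COPY_LAYER = {"/app/main.py": "print('hi')", "/app/.env": "API_KEY=hunter2"}     # COPY . /app
RM_LAYER   = {"/app/.env": WHITEOUT}                                              # RUN rm /app/.env
WRITABLE   = {"/tmp/run.log": "started", "/app/main.py": "print('patched')"}     # runtime writes

IMAGE_LAYERS = [BASE_LAYER, COPY_LAYER, RM_LAYER]

if __name__ == "__main__":
    print("visible in container:", sorted(container_rootfs(IMAGE_LAYERS, WRITABLE)))
    print("hidden but still in the image:", leaked_paths(IMAGE_LAYERS))
```

The `leaked_paths` result is the practical lesson: `RUN rm` after a `COPY` that included a secret leaves the secret in the pushed image, recoverable by anyone who pulls it and extracts the lower layer. Build secrets belong in a multi‑stage build or a build secret mount, not in a layer.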

Practical Docker Commands

Inspecting Configuration

Use docker inspect to retrieve low‑level JSON data about objects (containers, images, networks, volumes). To list a container’s mounts (here the container is named application):

docker inspect -f '{{.Mounts}}' application

To view a container’s IP address:

docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' application
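Beyond pulling single fields with a template, the full inspect JSON is where you verify that a container actually has the isolation described in the earlier sections. The auditor below is an added example, not code from the original article: it reads the list that `docker inspect <container...>` prints, extracts the same Mounts and network IP fields as the templates above, and flags settings that weaken isolation (privileged mode, host PID or network namespace, bind mounts of sensitive host paths). The JSON sample and the list of sensitive paths are constructed for the example.

```python
"""Audit `docker inspect` output for settings that weaken container isolation.

Added example (not from the original article). Input is the JSON array printed by
`docker inspect`, one object per container; output is a report keyed by name.
"""
import json

# Constructed list for the example; extend it to match your own host's layout.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/root", "/var/run/docker.sock")

def is_sensitive(path):
    """True if a host path is, or lies under, one of the sensitive prefixes."""
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")

def container_ips(obj):
    """Same data as the {{range .NetworkSettings.Networks}} template, as a list."""
    nets = obj.get("NetworkSettings", {}).get("Networks", {})
    return [n["IPAddress"] for n in nets.values() if n.get("IPAddress")]

def findings(obj):
    """Human-readable isolation findings for one inspect object."""
    out = []
    host = obj.get("HostConfig", {})
    if host.get("Privileged"):
        out.append("privileged: all capabilities and host devices available")
    if host.get("PidMode") == "host":
        out.append("PID namespace shared with host")
    if host.get("NetworkMode") == "host":
        out.append("network namespace shared with host")
    for mount in obj.get("Mounts", []):
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and is_sensitive(src):
            out.append(f"bind mount of sensitive host path {src} (RW={mount.get('RW')})")
    return out

def audit(inspect_json):
    """Map container name -> {'ips': [...], 'findings': [...]} for a docker inspect array."""
    report = {}
    for obj in json.loads(inspect_json):
        name = obj.get("Name", "").lstrip("/") or obj.get("Id", "")[:12]
        report[name] = {"ips": container_ips(obj), "findings": findings(obj)}
    return report

# Constructed sample: a plain web container and a "monitoring agent" that was
# started with --privileged --pid=host --net=host -v /var/run/docker.sock:/var/run/docker.sock
SAMPLE_INSPECT = json.dumps([
    {"Id": "3f1c9b2e7a01", "Name": "/application",
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "default"},
     "Mounts": [{"Type": "bind", "Source": "/srv/app/data", "Destination": "/data", "RW": True}],
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Id": "9a7e44d0c5b3", "Name": "/agent",
     "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "host"},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}],
     "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
])

if __name__ == "__main__":
    for name, entry in audit(SAMPLE_INSPECT).items():
        print(name, entry["ips"], *entry["findings"], sep="\n  ")
```

Run it as `docker inspect $(docker ps -q) | python3 audit.py` (reading stdin) to sweep every running container; a writable docker.sock bind mount alone is equivalent to root on the host, whatever the rest of the configuration says.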

File Transfer

Copy from host to container:

docker cp <host_path> <container_id>:<container_path>

Copy from container to host:

docker cp <container_id>:<container_path> <host_path>

Transfer files between remote hosts using scp (e.g., scp -P 22 user@host:/remote/file /local/path).

Packaging Images

Commit a running container to a new image:

docker commit ${container_name} ${namespace}/${image_name}:${image_version}

Ensure ${namespace} matches your remote registry namespace. Note that docker commit snapshots the container’s entire writable layer, including log files, temporary data and any credentials written at runtime, and the result cannot be reproduced from source. Prefer building images from a Dockerfile and reserve commit for debugging snapshots that stay local.

Push the image to a remote registry (login first if needed; for a registry other than Docker Hub, pass its hostname to docker login and prefix the tag with it, e.g. registry.example.com/${namespace}/${image_name}:${image_version}):

# docker login
# docker push ${namespace}/${image_name}:${image_version}
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Docker, containerization, Linux, image, cgroups, Namespaces
Written by

Java One

Sharing common backend development knowledge.