Traditional Virtualization vs Docker Containers: Core Technologies Explained
This article compares traditional hypervisor‑based virtualization with Docker container technology, detailing how containers use shared kernels, namespaces, cgroups, AUFS, and device mapper to achieve lightweight isolation and higher resource efficiency.
Traditional Virtualization vs Docker Container Technology
1. Traditional virtualization
Traditional virtualization creates multiple virtual machines on a host, each installing an independent operating system and running applications in separate kernel and user spaces.
2. Docker container technology
Containers share the host's hardware and kernel and isolate only user space, so many isolated environments run on one kernel. Because a container does not carry a full operating system, it consumes fewer resources and is faster to create and to ship between hosts as an image. The price is a thinner boundary: a kernel bug reachable from inside a container is reachable from every container on that host, whereas an attacker in a VM has to get through a guest kernel and the hypervisor first.
Difference: KVM and Xen isolate both kernel and user space, while containers share a single kernel and isolate only the user space.
Core Technologies Used by Containers
NameSpace: Resource Isolation Mechanism
Kernel‑level environment isolation in the spirit of chroot, extended from the filesystem view that chroot changes to process IDs, networking, IPC, hostnames and user identities.
PID Namespace (Linux 2.6.24): Isolates process IDs, allowing each container to have its own independent PID space.
Network Namespace (Linux 2.6.29): Isolates network devices, stacks, and ports for each container.
User Namespace (Linux 3.8): Isolates user and group IDs, enabling containers to have separate user mappings.
IPC Namespace (Linux 2.6.19): Isolates inter‑process communication resources such as semaphores, message queues, and shared memory.
UTS Namespace (Linux 2.6.19): Isolates hostname and NIS domain name.
Mount Namespace (Linux 2.4.19): Isolates mount points, providing separate filesystem views for each container.
APIs Used to Manipulate Namespaces
These system calls let a process request namespace operations:
clone(): creates a child process and, when CLONE_NEW* flags are passed, places it in fresh namespaces of those types.
setns(): moves the calling thread into an existing namespace, identified by a file descriptor opened on /proc/<pid>/ns/<type>.
unshare(): moves the calling process into new namespaces of the requested types without creating a child.
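As an added example (not code from the original article), the following C program uses unshare(2) to put a child process into a new UTS namespace, changes the hostname there, and shows that the parent's hostname and namespace inode (read from /proc/self/ns/uts) are untouched. It assumes a Linux host; the hostname "inside-ns" and the result codes are this example's own choices. It first asks for a user namespace as well, so it works unprivileged where user namespaces are enabled, and reports a refusal (rather than failing) where the kernel, a seccomp profile or a sandbox denies the call.

```c
#define _GNU_SOURCE          /* unshare(2), sethostname(2), CLONE_* flags */
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case a system header was processed before _GNU_SOURCE took
 * effect; the values are the kernel's stable ABI flags. */
#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS  0x04000000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);
int sethostname(const char *name, size_t len);

/* Parse the text readlink(2) returns for /proc/<pid>/ns/<type>, e.g.
 * "uts:[4026531838]", into the namespace inode; 0 on malformed input. */
unsigned long ns_inode_from_link(const char *link)
{
    const char *open = strchr(link, '[');
    if (open == NULL)
        return 0;
    char *end = NULL;
    unsigned long ino = strtoul(open + 1, &end, 10);
    if (end == open + 1 || *end != ']')
        return 0;
    return ino;
}

/* Inode of the caller's namespace of the given type ("uts", "pid", "net",
 * ...), or 0 when /proc is not available. Two processes are in the same
 * namespace exactly when these inodes are equal. */
unsigned long my_ns_inode(const char *type)
{
    char path[64], buf[64];
    snprintf(path, sizeof path, "/proc/self/ns/%s", type);
    ssize_t n = readlink(path, buf, sizeof buf - 1);
    if (n < 0)
        return 0;
    buf[n] = '\0';
    return ns_inode_from_link(buf);
}

static void report(int fd, int result)
{
    char msg = (char)(result + 1);          /* -1,0,1 -> 0,1,2 */
    fflush(stdout);
    if (write(fd, &msg, 1) != 1)
        _exit(1);
    _exit(0);
}

/* Runs the experiment in a child so the parent keeps its namespaces.
 * Returns 1 if a fresh UTS namespace was created and the hostname changed
 * only inside it, 0 if namespace creation was refused (no privilege,
 * seccomp, sandbox), -1 if something failed after the namespace existed. */
int demo_uts_isolation(void)
{
    int pipefd[2];
    fflush(stdout);                          /* don't duplicate buffered output in the child */
    if (pipe(pipefd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(pipefd[0]);
        unsigned long before = my_ns_inode("uts");
        /* Unprivileged route first: a new user namespace grants the caller
         * CAP_SYS_ADMIN inside it, which CLONE_NEWUTS requires. Fall back to
         * CLONE_NEWUTS alone for an already privileged process. */
        if (unshare(CLONE_NEWUSER | CLONE_NEWUTS) != 0 &&
            unshare(CLONE_NEWUTS) != 0) {
            fprintf(stderr, "child: unshare refused: %s\n", strerror(errno));
            report(pipefd[1], 0);
        }
        unsigned long after = my_ns_inode("uts");
        struct utsname u;
        int ok = sethostname("inside-ns", 9) == 0 && uname(&u) == 0 &&
                 strcmp(u.nodename, "inside-ns") == 0 &&
                 (before == 0 || after != before);   /* before == 0: no /proc */
        if (ok)
            printf("child: uts ns %lu, hostname now %s\n", after, u.nodename);
        report(pipefd[1], ok ? 1 : -1);
    }
    close(pipefd[1]);
    char msg = 1;                            /* child killed (e.g. seccomp) counts as refused */
    if (read(pipefd[0], &msg, 1) != 1)
        msg = 1;
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    return (int)msg - 1;
}

int main(void)
{
    struct utsname u;
    printf("parent: uts ns %lu\n", my_ns_inode("uts"));
    int r = demo_uts_isolation();
    if (uname(&u) == 0)
        printf("parent: hostname still %s\n", u.nodename);
    puts(r == 1 ? "result: child was isolated; parent unaffected"
       : r == 0 ? "result: namespace creation refused (no privilege or seccomp)"
                : "result: unexpected failure after unshare");
    return r < 0;
}
```

The inode comparison is the check a practitioner actually uses: comparing /proc/<pid>/ns/* links between a suspect process and PID 1 tells you whether it really lives in its own namespaces or has joined the host's. Note that Docker's default seccomp profile denies unshare and setns to a container without CAP_SYS_ADMIN, which is why the program treats EPERM as a refusal rather than a bug.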
CGroup (Linux Control Group)
Namespaces control what a process can see, not how much it can consume, so a namespaced process can still starve the host of CPU or memory. CGroup (merged in Linux 2.6.24) provides kernel‑level resource control for groups of processes.
CGroup limits, prioritizes, accounts for, and controls resources for a set of processes, preventing one user space from exhausting the entire server.
Combining CGroup with namespaces enables full container functionality.
CGroup Functions
Resource limitation
Prioritization
Accounting (usage statistics and billing)
Control (suspend and resume tasks)
CGroup Subsystems
Use lssubsys -m (from libcgroup) to list the mounted subsystems and their mount points. In cgroup v1 each subsystem is its own hierarchy mounted under /sys/fs/cgroup/<subsystem>; cgroup v2 merges them into a single tree under /sys/fs/cgroup.
blkio – block device I/O limits
cpu – CPU scheduling and limits
cpuacct – reports CPU usage
cpuset – assigns specific CPUs and memory nodes
memory – memory usage limits
devices – controls device access
freezer – suspends or resumes tasks
net_cls – tags network packets for traffic control
perf_event – collects performance events per task
hugetlb – limits usage of huge pages
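As an added example (not code from the original article), this C program locates the memory cgroup of the current process from /proc/self/cgroup and reads the limit that applies to it, handling both the v2 unified hierarchy (memory.max) and the v1 memory subsystem (memory.limit_in_bytes). It assumes the standard /sys/fs/cgroup mount point; the sample /proc/self/cgroup lines used in the comments and test are constructed. Run it inside a container to confirm that a limit you configured is really in force.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { CG_NONE = 0, CG_V1 = 1, CG_V2 = 2 };

/* true if a comma-separated controller list contains exactly "memory" */
static int has_memory_controller(const char *list, size_t len)
{
    const char *p = list, *end = list + len;
    while (p < end) {
        const char *comma = memchr(p, ',', (size_t)(end - p));
        size_t n = comma ? (size_t)(comma - p) : (size_t)(end - p);
        if (n == 6 && memcmp(p, "memory", 6) == 0)
            return 1;
        p += n + 1;
    }
    return 0;
}

/* Scan /proc/<pid>/cgroup text, one line per hierarchy:
 *   v2 (unified):  0::/docker/abc123
 *   v1 (legacy):   4:memory:/docker/abc123
 * Copies the path of the hierarchy that carries the memory controller into
 * out and returns CG_V1, CG_V2 or CG_NONE. A v1 memory line wins over the v2
 * line, because hybrid systems keep the memory controller on v1. */
int cgroup_memory_path(const char *text, char *out, size_t outlen)
{
    int kind = CG_NONE;
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t linelen = nl ? (size_t)(nl - line) : strlen(line);
        const char *c1 = memchr(line, ':', linelen);
        const char *c2 = c1 ? memchr(c1 + 1, ':', (size_t)(line + linelen - (c1 + 1))) : NULL;
        if (c1 && c2) {
            size_t ctl_len = (size_t)(c2 - (c1 + 1));
            const char *path = c2 + 1;
            size_t path_len = (size_t)(line + linelen - path);
            int this_kind = CG_NONE;
            if (ctl_len == 0 && c1 - line == 1 && line[0] == '0')
                this_kind = CG_V2;
            else if (has_memory_controller(c1 + 1, ctl_len))
                this_kind = CG_V1;
            if (this_kind == CG_V1 || (this_kind == CG_V2 && kind == CG_NONE)) {
                if (path_len >= outlen)
                    path_len = outlen - 1;
                memcpy(out, path, path_len);
                out[path_len] = '\0';
                kind = this_kind;
            }
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return kind;
}

/* Build the sysfs file that holds the memory limit for this process. */
int memory_limit_file(const char *text, char *out, size_t outlen)
{
    char path[256] = "";
    int kind = cgroup_memory_path(text, path, sizeof path);
    const char *p = strcmp(path, "/") == 0 ? "" : path;   /* root cgroup */
    if (kind == CG_V2)
        snprintf(out, outlen, "/sys/fs/cgroup%s/memory.max", p);
    else if (kind == CG_V1)
        snprintf(out, outlen, "/sys/fs/cgroup/memory%s/memory.limit_in_bytes", p);
    else
        out[0] = '\0';
    return kind;
}

/* Limit in bytes; -1 means unlimited ("max" on v2, a near-LLONG_MAX value on
 * v1), -2 means the file content was not a number. */
long long parse_memory_limit(const char *value)
{
    if (strncmp(value, "max", 3) == 0)
        return -1;
    char *end = NULL;
    long long v = strtoll(value, &end, 10);
    if (end == value)
        return -2;
    return v >= (1LL << 62) ? -1 : v;
}

int main(void)
{
    char text[4096] = "", file[512], value[64] = "";
    FILE *f = fopen("/proc/self/cgroup", "r");
    if (f) {
        size_t n = fread(text, 1, sizeof text - 1, f);
        text[n] = '\0';
        fclose(f);
    }
    int kind = memory_limit_file(text, file, sizeof file);
    if (kind == CG_NONE) {
        puts("no memory cgroup found for this process");
        return 0;
    }
    printf("cgroup %s, limit file: %s\n", kind == CG_V2 ? "v2" : "v1", file);
    f = fopen(file, "r");
    if (!f) {
        perror(file);
        return 0;
    }
    if (fgets(value, sizeof value, f) == NULL)
        value[0] = '\0';
    fclose(f);
    long long limit = parse_memory_limit(value);
    if (limit < 0)
        puts("memory: no limit applies (a runaway process can exhaust the host)");
    else
        printf("memory limit: %lld bytes (%.1f MiB)\n", limit, limit / 1048576.0);
    return 0;
}
```

A container started without --memory reports "max" here; that is the condition the CGroup section warns about, one user space able to exhaust the whole server.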
AUFS: UnionFS
UnionFS merges directories from different locations (layers) into a single directory tree. Lower layers are read‑only; only the topmost layer is writable.
Read behavior: when the same name exists in several layers, the copy in the highest layer is the one seen; names unique to one layer are all visible.
Write behavior: a change never touches a lower layer. Modifying a file that lives in a lower layer creates a new copy in the top layer that shadows it, and deleting one only records a whiteout marker in the top layer.
Caveat: because lower layers are never modified, a file deleted or overwritten in a later layer is merely hidden in the merged view; its bytes remain in the lower layer and can be read straight from the image. A secret written in one Dockerfile step and removed in a later one is therefore still shipped with the image.
Older Docker releases relied heavily on AUFS and were not recommended for production without it; Ubuntu kernels carried the AUFS patches, CentOS kernels did not. Current Docker defaults to the in‑kernel overlay2 driver, which has the same layering semantics, and the aufs driver is deprecated, so this constraint matters only for old setups.
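As an added example (not code from the original article or from AUFS/Docker), this small in‑memory model of a union filesystem implements the read and write rules above, including whiteouts, and then replays the "secret deleted in a later layer" case: the merged view no longer shows the key, but the base layer still holds it. The layer and file names and contents are constructed sample data; the semantics are what the section describes, not AUFS's on‑disk format.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16

typedef struct {
    const char *name;
    const char *data;     /* file content; ignored when whiteout is set */
    int whiteout;         /* 1: this layer hides any lower copy of name */
} Entry;

typedef struct {
    const char *label;
    Entry entries[MAX_ENTRIES];
    int count;
} Layer;

/* Look a name up in one layer only (no union semantics). */
const Entry *layer_find(const Layer *l, const char *name)
{
    for (int i = 0; i < l->count; i++)
        if (strcmp(l->entries[i].name, name) == 0)
            return &l->entries[i];
    return NULL;
}

/* Read through the union: layers[n-1] is the topmost (writable) layer.
 * The highest layer that mentions the name decides: its data is returned,
 * or NULL if that mention is a whiteout. */
const char *union_read(Layer *layers[], int n, const char *name)
{
    for (int i = n - 1; i >= 0; i--) {
        const Entry *e = layer_find(layers[i], name);
        if (e)
            return e->whiteout ? NULL : e->data;
    }
    return NULL;
}

/* Add or replace an entry in the top layer. Returns 0, or -1 when full. */
static int top_put(Layer *top, const char *name, const char *data, int whiteout)
{
    Entry *e = (Entry *)layer_find(top, name);
    if (!e) {
        if (top->count == MAX_ENTRIES)
            return -1;
        e = &top->entries[top->count++];
        e->name = name;
    }
    e->data = data;
    e->whiteout = whiteout;
    return 0;
}

/* Writing never touches a lower layer: the new content lands in the top
 * layer (copy-up) and shadows whatever a lower layer holds. */
int union_write(Layer *top, const char *name, const char *data)
{
    return top_put(top, name, data, 0);
}

/* Deleting is also a write to the top layer: a whiteout marker. The lower
 * layer's copy of the file is untouched and stays in the image. */
int union_unlink(Layer *top, const char *name)
{
    return top_put(top, name, NULL, 1);
}

/* Two-layer image (constructed sample): a base layer that contained a private
 * key, and a build step that "deleted" it. Returns 1 when the union view hides
 * the key while the base layer still carries its bytes. */
int leaked_secret_demo(void)
{
    Layer base = { .label = "base" };
    Layer app  = { .label = "app" };
    Layer *stack[] = { &base, &app };

    union_write(&base, "/etc/passwd", "root:x:0:0:root:/root:/bin/sh");
    union_write(&base, "/root/id_rsa", "-----BEGIN PRIVATE KEY----- (sample)");
    union_unlink(&app, "/root/id_rsa");             /* RUN rm /root/id_rsa */
    union_write(&app, "/app/config", "listen=0.0.0.0:8080");

    const char *via_union = union_read(stack, 2, "/root/id_rsa");
    const Entry *in_base  = layer_find(&base, "/root/id_rsa");

    printf("union view of /root/id_rsa: %s\n", via_union ? via_union : "(absent)");
    printf("base layer still holds:    %s\n", in_base ? in_base->data : "(absent)");
    return via_union == NULL && in_base != NULL && !in_base->whiteout;
}

int main(void)
{
    return leaked_secret_demo() ? 0 : 1;
}
```

The same reasoning applies to a real image: docker save unpacks to one tar per layer, and the lower layer's tar still contains the file. Keep secrets out of build layers (build secrets, multi‑stage builds) instead of deleting them afterwards.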
Device Mapper
Introduced in Linux 2.6, the device mapper is a generic framework that builds logical block devices (LVM volumes, Docker's devicemapper storage driver) on top of other block devices.
Mapped Device – the virtual block device presented to the system.
Mapping Table – an ordered list of entries (start sector, length, target type, target arguments) that says where each range of the mapped device lands; sizes are in 512‑byte sectors.
Target Device – the underlying device, reached through a target type such as linear (a contiguous range of another device) or striped.
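As an added example (not code from the original article or from the device mapper itself), this C program parses a mapping table in the text format dmsetup uses and resolves logical sectors of the mapped device to (backing device, physical sector), which is exactly the lookup the kernel performs on each I/O. It models only the linear, zero and error target types; the three‑line sample table is constructed and the device names in it are placeholders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TARGETS 16

/* One line of a dmsetup table: "<start> <length> <target-type> [args]".
 * Sizes are in 512-byte sectors, as the kernel expects. */
typedef struct {
    unsigned long long start, len;
    char type[16];
    char dev[64];                 /* linear: backing device */
    unsigned long long offset;    /* linear: first sector used on that device */
} Target;

/* Parse a table into out[]; returns the number of targets, or -1 on a
 * malformed line, an unknown target type, or a table whose segments are
 * not contiguous from sector 0 (the kernel rejects gaps and overlaps). */
int parse_dm_table(const char *text, Target *out, int max)
{
    int n = 0;
    unsigned long long expect = 0;
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[160];
        if (len >= sizeof buf || n == max)
            return -1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = nl ? nl + 1 : line + len;
        if (buf[0] == '\0')
            continue;                           /* skip blank lines */
        Target t = {0};
        int fields = sscanf(buf, "%llu %llu %15s %63s %llu",
                            &t.start, &t.len, t.type, t.dev, &t.offset);
        if (fields < 3 || t.len == 0 || t.start != expect)
            return -1;
        if (strcmp(t.type, "linear") == 0) {
            if (fields != 5)
                return -1;
        } else if (strcmp(t.type, "zero") == 0 || strcmp(t.type, "error") == 0) {
            if (fields != 3)
                return -1;
        } else {
            return -1;                          /* target type not modelled here */
        }
        out[n++] = t;
        expect = t.start + t.len;
    }
    return n;
}

/* Resolve one logical sector of the mapped device. Returns 1 and fills
 * dev/phys for a linear target, 0 for a zero/error target (no backing
 * device), -1 if the sector lies past the end of the table. */
int dm_resolve(const Target *tbl, int n, unsigned long long sector,
               char *dev, size_t devlen, unsigned long long *phys)
{
    for (int i = 0; i < n; i++) {
        if (sector >= tbl[i].start && sector < tbl[i].start + tbl[i].len) {
            if (strcmp(tbl[i].type, "linear") != 0)
                return 0;
            snprintf(dev, devlen, "%s", tbl[i].dev);
            *phys = tbl[i].offset + (sector - tbl[i].start);
            return 1;
        }
    }
    return -1;
}

/* Constructed sample: 1 MiB from sda1, then 2 MiB from sdb1 starting at its
 * sector 1024, then 512 KiB that reads as zeros. */
static const char SAMPLE_TABLE[] =
    "0 2048 linear /dev/sda1 0\n"
    "2048 4096 linear /dev/sdb1 1024\n"
    "6144 1024 zero\n";

int main(void)
{
    Target tbl[MAX_TARGETS];
    int n = parse_dm_table(SAMPLE_TABLE, tbl, MAX_TARGETS);
    if (n < 0) {
        fputs("bad table\n", stderr);
        return 1;
    }
    unsigned long long probes[] = { 100, 3000, 6500, 9000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        char dev[64];
        unsigned long long phys = 0;
        int r = dm_resolve(tbl, n, probes[i], dev, sizeof dev, &phys);
        if (r == 1)
            printf("sector %llu -> %s sector %llu\n", probes[i], dev, phys);
        else if (r == 0)
            printf("sector %llu -> no backing device (zero/error target)\n", probes[i]);
        else
            printf("sector %llu -> outside the mapped device\n", probes[i]);
    }
    return 0;
}
```

On a real system dmsetup table <name> prints exactly this format for an existing mapped device, which is how you check where a volume's data really lives before imaging it.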
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
MaGe Linux Operations