Understanding Docker’s Core Technologies: Principles, Mechanisms, and Real‑World Cases
The article breaks down Docker’s essential kernel features—Namespaces for isolation, Cgroups for resource limits, UnionFS for layered copy‑on‑write filesystems, and Capabilities for fine‑grained privilege control—illustrating each with clear explanations and a practical command example.
Docker is a cornerstone of cloud computing, and this article provides a focused walkthrough of its core kernel technologies.
Namespaces determine “what you see”. Each namespace type isolates one class of kernel resource: process IDs, mount points, network interfaces, hostnames, inter‑process communication, and user IDs. Specifically, the PID namespace hides host processes (the container’s first process is PID 1 inside but an ordinary PID on the host), the mount namespace presents a private root filesystem, the network namespace gives the container its own devices, IP addresses, routing table and port space, the UTS namespace separates hostname and domain name, the IPC namespace isolates shared memory, semaphores and message queues, and the user namespace maps container UIDs/GIDs onto a range of unprivileged host IDs. One caveat matters for security: Docker does not enable the user namespace by default, so unless the daemon is configured with userns-remap, root inside a container is UID 0 on the host as well, and isolation then rests on the other namespaces and on the capabilities the container is allowed to keep.
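The kernel exposes the namespaces a process lives in as symlinks under /proc/<pid>/ns/ (targets look like pid:[4026531836]) and the NSpid line of /proc/<pid>/status. The following is an added example in Python, not code from the article or from Docker; it parses those two formats and reports which namespaces a container process still shares with the host. The HOST_NS, CONTAINER_NS and CONTAINER_STATUS values are constructed samples, and the shared user namespace in them models a default daemon without userns-remap.

```python
"""Compare the namespaces of two processes from /proc/<pid>/ns/* and /proc/<pid>/status.

Added example for this article, not Docker's own code. Input shapes come from the
kernel: `readlink /proc/<pid>/ns/pid` yields e.g. 'pid:[4026531836]', and the NSpid
line in /proc/<pid>/status lists the PID in each nested PID namespace (outermost
first). The sample values below are constructed, not captured from a real host.
"""
import os
import re

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

_NS_LINK = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(target: str) -> tuple:
    """Parse a /proc/<pid>/ns/<type> symlink target such as 'net:[4026531840]'."""
    m = _NS_LINK.match(target.strip())
    if not m:
        raise ValueError(f"not a namespace link target: {target!r}")
    return m.group("type"), int(m.group("inode"))


def namespace_diff(a: dict, b: dict) -> dict:
    """For each namespace type, True if the two processes are in different namespaces.

    `a` and `b` map namespace type -> symlink target, as read from /proc/<pid>/ns/.
    A type present in only one of them is reported as different.
    """
    result = {}
    for ns in sorted(set(a) | set(b)):
        if ns in a and ns in b:
            result[ns] = parse_ns_link(a[ns])[1] != parse_ns_link(b[ns])[1]
        else:
            result[ns] = True
    return result


def shared_with_host(container: dict, host: dict) -> list:
    """Namespace types the container process shares with the host process."""
    return [ns for ns, differs in namespace_diff(container, host).items() if not differs]


def nspid(status_text: str) -> list:
    """PID of a process as seen from each PID namespace it belongs to, outermost first."""
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(x) for x in line.split()[1:]]
    raise ValueError("no NSpid line (kernel < 4.1 or not a status file)")


def read_live_ns(pid="self") -> dict:
    """Read the real namespace links for a PID; works unprivileged on Linux for your own processes."""
    base = f"/proc/{pid}/ns"
    return {ns: os.readlink(os.path.join(base, ns))
            for ns in NS_TYPES if os.path.exists(os.path.join(base, ns))}


# Constructed sample: a host shell and a process inside a default `docker run` container.
HOST_NS = {
    "cgroup": "cgroup:[4026531835]",
    "ipc": "ipc:[4026531839]",
    "mnt": "mnt:[4026531841]",
    "net": "net:[4026531840]",
    "pid": "pid:[4026531836]",
    "user": "user:[4026531837]",
    "uts": "uts:[4026531838]",
}
CONTAINER_NS = {
    "cgroup": "cgroup:[4026532600]",
    "ipc": "ipc:[4026532598]",
    "mnt": "mnt:[4026532596]",
    "net": "net:[4026532601]",
    "pid": "pid:[4026532599]",
    "user": "user:[4026531837]",  # same inode as the host: no userns-remap, container root is host UID 0
    "uts": "uts:[4026532597]",
}
# Constructed /proc/<pid>/status excerpt for the container's PID 1 as read from the host.
CONTAINER_STATUS = "Name:\tnginx\nPid:\t23871\nNSpid:\t23871\t1\nUid:\t0\t0\t0\t0\n"

if __name__ == "__main__":
    print("namespaces shared with host:", shared_with_host(CONTAINER_NS, HOST_NS))
    print("host PID / in-container PID:", nspid(CONTAINER_STATUS))
    if os.path.isdir("/proc/self/ns"):
        print("this process:", read_live_ns())
```

Run on a real host, pass the PID of a container process (docker inspect -f '{{.State.Pid}}' <name>) to read_live_ns and compare it with read_live_ns("1"); a "user" entry in the shared list is the sign that user namespaces are off.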
Cgroups control “how much you can use”. They account for and limit the CPU, memory, block I/O and (indirectly) network usage of a container’s processes. The CPU controller can bound CPU time as a quota (--cpus=0.5 means half a core’s worth of time per scheduling period), pin the container to specific cores (--cpuset-cpus), or assign a relative weight that only matters under contention (--cpu-shares). The memory controller caps memory and swap (--memory=512m, with --memory-swap setting how much swap may be used on top); a container that exceeds its limit is OOM‑killed by the kernel, so the limit is a hard ceiling rather than a throttle. The blkio/io controller caps read/write bandwidth and IOPS per device. Network is the exception: cgroups do not rate‑limit traffic themselves; net_cls and net_prio only tag a container’s packets so that tc or a firewall can shape them. Note also that cgroups limit but do not hide: a container still sees the host’s full CPU count and memory in /proc/cpuinfo and /proc/meminfo. Putting it together:

    docker run -m 512m --cpus=1 nginx

This starts an Nginx container limited to 512 MB of memory and one CPU’s worth of time. Exceeding the memory limit kills the offending process; exceeding the CPU quota merely throttles it until the next period.
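Docker writes the limits above into the container’s cgroup, which on a cgroup v2 host means the files cpu.max (“<quota> <period>” in microseconds, or “max <period>”), memory.max (bytes or “max”) and memory.events (counters including oom_kill). The following is an added Python example, not Docker’s code; it assumes Docker’s 100000 µs CFS period when translating --cpus into a quota, and the SAMPLE file contents are constructed to match the docker run command above after one OOM kill. On cgroup v1 hosts the file names differ (cpu.cfs_quota_us, memory.limit_in_bytes) and this parser would need adjusting.

```python
"""Translate `docker run` resource flags into cgroup v2 limits and audit them.

Added example for this article; not Docker's own code. Assumptions: Docker implements
--cpus as a CFS quota over a 100000 us period (cpu.max holds '<quota> <period>' or
'max <period>') and -m as memory.max (bytes or 'max'); memory.events carries an
oom_kill counter. All file contents below are constructed samples.
"""
import os
from typing import Optional

CPU_PERIOD_US = 100_000  # Docker's default CFS period


def parse_size(s: str) -> int:
    """Parse Docker-style sizes such as '512m', '2g' or a bare byte count."""
    units = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
    s = s.strip().lower()
    if s[-1] in units:
        return int(float(s[:-1]) * units[s[-1]])
    return int(s)


def docker_flags_to_cgroup(cpus: Optional[float] = None, memory: Optional[str] = None) -> dict:
    """Return the cgroup v2 file contents that `docker run --cpus X -m Y` produces."""
    files = {}
    if cpus is not None:
        files["cpu.max"] = f"{int(cpus * CPU_PERIOD_US)} {CPU_PERIOD_US}"
    if memory is not None:
        files["memory.max"] = str(parse_size(memory))
    return files


def parse_cpu_max(text: str) -> Optional[float]:
    """cpu.max -> number of CPUs' worth of time, or None when unlimited ('max')."""
    quota, period = text.split()
    if quota == "max":
        return None
    return int(quota) / int(period)


def parse_memory_max(text: str) -> Optional[int]:
    """memory.max -> byte limit, or None when unlimited."""
    text = text.strip()
    return None if text == "max" else int(text)


def oom_kills(memory_events: str) -> int:
    """Number of OOM kills recorded in memory.events."""
    for line in memory_events.splitlines():
        key, _, value = line.partition(" ")
        if key == "oom_kill":
            return int(value)
    return 0


def audit_limits(files: dict) -> list:
    """Flag a container whose cgroup leaves CPU or memory unbounded, or that has been OOM-killed."""
    findings = []
    if parse_cpu_max(files.get("cpu.max", "max 100000")) is None:
        findings.append("no CPU limit")
    if parse_memory_max(files.get("memory.max", "max")) is None:
        findings.append("no memory limit")
    if oom_kills(files.get("memory.events", "")) > 0:
        findings.append("OOM killer has fired")
    return findings


def read_live_cgroup(path: str = "/sys/fs/cgroup") -> dict:
    """Read the real files; inside a container with a private cgroup namespace this is its own cgroup."""
    out = {}
    for name in ("cpu.max", "memory.max", "memory.events"):
        p = os.path.join(path, name)
        if os.path.exists(p):
            with open(p) as f:
                out[name] = f.read()
    return out


# Constructed sample matching `docker run -m 512m --cpus=1 nginx` after one OOM kill.
SAMPLE = {
    "cpu.max": "100000 100000",
    "memory.max": "536870912",
    "memory.events": "low 0\nhigh 0\nmax 41\noom 1\noom_kill 1\n",
}

if __name__ == "__main__":
    print(docker_flags_to_cgroup(cpus=1, memory="512m"))
    print("limited container:", audit_limits(SAMPLE))
    print("unlimited container:", audit_limits({}))
    live = read_live_cgroup()
    if live:
        print("this cgroup:", audit_limits(live))
```

A container started with no -m or --cpus flags is reported as having no limits at all, which is the default and the usual finding when a noisy neighbour takes down a node.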
UnionFS answers “how the filesystem is shared yet independent”. Docker images are lightweight and reusable because of a union filesystem, overlay2 on current Docker (AUFS is the older, now deprecated driver). Its two key properties are layering and copy‑on‑write (CoW). An image is a stack of read‑only layers, for example a base Ubuntu layer, a Java runtime layer and an application layer, and images built from the same base share those lower layers on disk. When a container starts, Docker adds a thin writable layer on top, so starting a container copies nothing and is fast. The first write to a file that lives in a read‑only layer triggers CoW: the file is copied up into the writable layer and modified there, and the image itself is never changed. Two consequences follow. The writable layer is discarded when the container is removed, so anything a container must keep belongs in a volume. And because layers are only ever stacked, a file deleted or overwritten by a later build step is merely hidden by the layer above; it is still present in the lower layer and still shipped with the image, which is how a credential removed by a later RUN step ends up leaking.
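The layered lookup and the “deleted but still shipped” problem can be modelled directly. The following is an added Python example, not code from the article or from Docker. It follows the OCI/Docker image tar convention: each layer is a set of paths, a deletion in a later layer is recorded as a whiteout entry named .wh.<name> next to the deleted file, and .wh..wh..opq marks a directory whose lower contents are hidden (on disk, overlay2 uses character devices for whiteouts; the .wh. form is what you see when unpacking an image). The three layers and their contents are constructed.

```python
"""Resolve files through a stack of image layers and find data that a later layer only hid.

Added example for this article; not Docker's code. Model: a layer is a dict path -> bytes;
a deletion in a later layer is a whiteout entry '.wh.<name>' beside the deleted file (the
OCI/Docker tar convention) and '.wh..wh..opq' hides a directory's lower contents. The
layers below are constructed.
"""
from posixpath import basename, dirname, join
from typing import Optional

WHITEOUT_PREFIX = ".wh."
OPAQUE_MARKER = ".wh..wh..opq"


def _hidden_by(layer: dict, path: str) -> bool:
    """True if `layer` whites out `path` itself or marks one of its ancestor dirs opaque."""
    if join(dirname(path), WHITEOUT_PREFIX + basename(path)) in layer:
        return True
    d = dirname(path)
    while d not in ("", "/"):
        if join(d, OPAQUE_MARKER) in layer:
            return True
        d = dirname(d)
    return False


def resolve(layers: list, path: str) -> Optional[bytes]:
    """What a process in the merged view sees at `path`: topmost layer wins, whiteouts hide lower copies."""
    for i in range(len(layers) - 1, -1, -1):
        if path in layers[i]:
            return layers[i][path]
        if _hidden_by(layers[i], path):
            return None
    return None


def merged_view(layers: list) -> dict:
    """The filesystem the container actually sees (whiteout entries themselves are never visible)."""
    all_paths = {p for layer in layers for p in layer if not basename(p).startswith(WHITEOUT_PREFIX)}
    view = {}
    for p in all_paths:
        content = resolve(layers, p)
        if content is not None:
            view[p] = content
    return view


def hidden_but_shipped(layers: list) -> dict:
    """Files present in some layer but not visible in the merged view: still distributed with the image.

    Returns path -> (layer index, content) for the lowest layer that carries the hidden data.
    """
    leaked = {}
    for i, layer in enumerate(layers):
        for p, content in layer.items():
            if basename(p).startswith(WHITEOUT_PREFIX):
                continue
            if resolve(layers, p) != content:  # deleted or overwritten by a layer above
                leaked.setdefault(p, (i, content))
    return leaked


def delete_in_layer(layer: dict, path: str) -> None:
    """Model `rm path` in a writable layer: nothing below is touched, a whiteout hides it."""
    layer.pop(path, None)
    layer[join(dirname(path), WHITEOUT_PREFIX + basename(path))] = b""


# Constructed image: base OS, app layer that bakes in a secret, then a RUN step that "removes" it.
BASE = {"/etc/os-release": b"ID=ubuntu\n", "/usr/bin/java": b"\x7fELF..."}
APP = {"/app/server.jar": b"PK...", "/app/.env": b"DB_PASSWORD=hunter2\n"}
CLEANUP = {}
delete_in_layer(CLEANUP, "/app/.env")  # what `RUN rm /app/.env` produces
LAYERS = [BASE, APP, CLEANUP]

if __name__ == "__main__":
    print("visible in container:", sorted(merged_view(LAYERS)))
    print("/app/.env as seen by the app:", resolve(LAYERS, "/app/.env"))
    print("hidden but still in the image:", hidden_but_shipped(LAYERS))
```

The same check applied to a real image (docker save, then walk each layer tar in manifest order) is what image scanners do to recover secrets that a Dockerfile author believed were deleted; the fix is to never write the secret into a layer in the first place (build secrets or multi-stage builds), not to rm it later.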
Capabilities define “what you can do”. Linux splits the monolithic root privilege into about forty distinct capabilities (CAP_NET_BIND_SERVICE, CAP_SYS_ADMIN, CAP_SYS_PTRACE and so on), so a process can be root without being able to mount filesystems, load modules or trace other processes. Docker starts containers with a reduced default set and lets you remove more with --cap-drop (or grant extra ones with --cap-add), which limits what a compromised process inside the container can do to the host even when it runs as UID 0. Running with --privileged hands back the full set and should be treated as equivalent to giving the container root on the host.
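The effective set of a running container is visible as a hex mask on the CapEff line of /proc/<pid>/status (grep CapEff /proc/1/status inside a default container prints 00000000a80425fb). The following is an added Python example, not Docker’s code; it decodes such masks using the bit numbers from linux/capability.h, models how --cap-drop, --cap-add and --privileged change Docker’s default set, and flags capabilities that commonly give a container root a path to the host. The status excerpt is constructed; the HOST_REACHING list is this example’s own judgement call, not a Docker definition.

```python
"""Decode Linux capability masks and model Docker's --cap-drop / --cap-add / --privileged.

Added example for this article; not Docker's code. Bit numbers follow linux/capability.h.
DOCKER_DEFAULT is the set Docker grants to an unprivileged container (CapEff 00000000a80425fb).
HOST_REACHING is this example's own shortlist of capabilities that commonly let a container
root reach the host; the /proc status text below is constructed.
"""
from typing import Iterable

CAP_BITS = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "DAC_READ_SEARCH": 2, "FOWNER": 3, "FSETID": 4,
    "KILL": 5, "SETGID": 6, "SETUID": 7, "SETPCAP": 8, "LINUX_IMMUTABLE": 9,
    "NET_BIND_SERVICE": 10, "NET_BROADCAST": 11, "NET_ADMIN": 12, "NET_RAW": 13,
    "IPC_LOCK": 14, "IPC_OWNER": 15, "SYS_MODULE": 16, "SYS_RAWIO": 17,
    "SYS_CHROOT": 18, "SYS_PTRACE": 19, "SYS_PACCT": 20, "SYS_ADMIN": 21,
    "SYS_BOOT": 22, "SYS_NICE": 23, "SYS_RESOURCE": 24, "SYS_TIME": 25,
    "SYS_TTY_CONFIG": 26, "MKNOD": 27, "LEASE": 28, "AUDIT_WRITE": 29,
    "AUDIT_CONTROL": 30, "SETFCAP": 31, "MAC_OVERRIDE": 32, "MAC_ADMIN": 33,
    "SYSLOG": 34, "WAKE_ALARM": 35, "BLOCK_SUSPEND": 36, "AUDIT_READ": 37,
    "PERFMON": 38, "BPF": 39, "CHECKPOINT_RESTORE": 40,
}
BIT_CAPS = {v: k for k, v in CAP_BITS.items()}

# Docker's default capability set for containers started without --privileged.
DOCKER_DEFAULT = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID", "SETUID",
    "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL", "AUDIT_WRITE",
})

# Example's own shortlist: mount/namespace admin, module loading, raw device and memory access,
# ptrace of other processes, host network config, open_by_handle_at, reboot, eBPF loading.
HOST_REACHING = frozenset({
    "SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE", "NET_ADMIN",
    "DAC_READ_SEARCH", "SYS_BOOT", "BPF",
})


def _norm(name: str) -> str:
    """Accept 'cap_net_raw', 'CAP_NET_RAW' or 'NET_RAW' (Docker accepts all three)."""
    n = name.upper()
    return n[4:] if n.startswith("CAP_") else n


def mask_to_caps(mask: int) -> set:
    """Hex mask from /proc/<pid>/status -> set of capability names (unknown bits ignored)."""
    return {BIT_CAPS[b] for b in range(mask.bit_length()) if (mask >> b) & 1 and b in BIT_CAPS}


def caps_to_mask(caps: Iterable[str]) -> int:
    return sum(1 << CAP_BITS[_norm(c)] for c in caps)


def parse_cap_line(status_text: str, field: str = "CapEff") -> set:
    """Decode the CapEff (or CapBnd, CapPrm, ...) line of a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return mask_to_caps(int(line.split()[1], 16))
    raise ValueError(f"no {field} line in status text")


def docker_caps(drop: Iterable[str] = (), add: Iterable[str] = (), privileged: bool = False) -> set:
    """Model the set a container gets from `docker run --cap-drop ... --cap-add ... [--privileged]`.

    Mirrors Docker's rules: --privileged grants everything; --cap-add ALL starts from the full
    set; --cap-drop ALL keeps only the explicitly added ones; a drop beats an add of the same name.
    """
    if privileged:
        return set(CAP_BITS)
    drops = {_norm(d) for d in drop}
    adds = {_norm(a) for a in add}
    caps = set(CAP_BITS) if "ALL" in adds else set(DOCKER_DEFAULT) | (adds - {"ALL"})
    caps = (adds - {"ALL"}) if "ALL" in drops else caps - drops
    return caps


def risky(caps: Iterable[str]) -> list:
    """Capabilities in `caps` that this example treats as giving a route to the host."""
    return sorted(set(map(_norm, caps)) & HOST_REACHING)


# Constructed /proc/1/status excerpt from a default container.
STATUS = "Name:\tnginx\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    print("default set:", sorted(parse_cap_line(STATUS)))
    print(f"drop NET_RAW -> {caps_to_mask(docker_caps(drop=['NET_RAW'])):016x}")
    print("drop ALL, add NET_BIND_SERVICE ->", docker_caps(drop=["ALL"], add=["NET_BIND_SERVICE"]))
    print("risky with --cap-add SYS_ADMIN:", risky(docker_caps(add=["SYS_ADMIN"])))
```

A practical baseline is --cap-drop ALL followed by --cap-add for the one or two capabilities the workload provably needs (a web server binding port 80 needs only NET_BIND_SERVICE); anything the risky() check reports deserves a written justification.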
Architect Chen
Sharing over a decade of architecture experience from Baidu, Alibaba, and Tencent.
