# Intro to Docker

## Containers

Historically, UNIX-style operating systems have used the term jail to describe a modified
runtime environment that limits the scope of resources that a jailed program can access.
Jail features go back to 1979 and have been in evolution ever since. In 2005, with the
release of Sun’s Solaris 10 and Solaris Containers, container has become the preferred
term for such a runtime environment. The goal has expanded from limiting filesystem
scope to isolating a process from all resources except where explicitly allowed.

> Uporaba kontejnerjev je bila težavna, Docker to poenostavi 

Using containers has been a best practice for a long time. But manually building
containers can be challenging and easy to do incorrectly. This challenge has put them
out of reach for some. Others using misconfigured containers are lulled into a false
sense of security. This was a problem begging to be solved, and Docker helps. Any software
run with Docker is run inside a container. Docker uses existing container
engines to provide consistent containers built according to best practices. This puts
stronger security within reach for everyone.

With Docker, users get containers at a much lower cost. Running the example in
section 1.1.1 uses a container and does not require any special knowledge. As Docker
and its container engines improve, you get the latest and greatest isolation features.
Instead of keeping up with the rapidly evolving and highly technical world of building
strong containers, you can let Docker handle the bulk of that for you.

### Containers are not virtualization

In this cloud-native era, people tend to think about virtual machines as units of
deployment, where deploying a single process means creating a whole networkattached
virtual machine. Virtual machines provide virtual hardware (or hardware on
which an operating system and other programs can be installed). They take a long
time (often minutes) to create and require significant resource overhead because they
run a whole operating system in addition to the software you want to use. Virtual
machines can perform optimally once everything is up and running, but the startup
delays make them a poor fit for just-in-time or reactive deployment scenarios.

Unlike virtual machines, Docker containers don’t use any hardware virtualization.
**Programs running inside Docker containers interface directly with the host’s Linux
kernel.** Many programs can run in isolation without running redundant operating systems
or suffering the delay of full boot sequences. This is an important distinction.
Docker is not a hardware virtualization technology. Instead, it helps you use the container
technology already built into your operating system kernel.

Virtual machines provide hardware abstractions so you can run operating systems.
Containers are an operating system feature. So you can always run Docker in a virtual
machine if that machine is running a modern Linux kernel. Docker for Mac and Windows
users, and almost all cloud computing users, will run Docker inside virtual
machines. So these are really complementary technologies.

### Running software in containers for isolation

Containers and isolation features have existed for decades. Docker uses Linux namespaces
and cgroups, which have been part of Linux since 2007. **Docker doesn’t provide
the container technology, but it specifically makes it simpler to use.**

A basic computer stack running two programs that were started from the
command line

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig03_alt.jpg" image-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig03_alt.jpg" onerror="fallbackToImageSrcPlaceholder(this)" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/HighResolutionFigures/figure_1-3.png" class="medium-zoom-image">

Notice that the command-line interface, or CLI, runs in what is called user space memory,
just like other programs that run on top of the operating system. Ideally, programs
running in user space can’t modify kernel space memory. Broadly speaking, the operating
system is the interface between all user programs and the hardware that the
computer is running on.

You can see in figure 1.4 that running Docker means running two programs in
user space. The first is the Docker engine. If installed properly, this process should
always be running. The second is the Docker CLI. This is the Docker program that
users interact with. If you want to start, stop, or install software, you’ll issue a command
by using the Docker program.

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig04_alt.jpg" image-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/Figures/01fig04_alt.jpg" onerror="fallbackToImageSrcPlaceholder(this)" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/nickoloff2/HighResolutionFigures/figure_1-4.png" class="medium-zoom-image">

Figure 1.4 also shows three running containers. Each is running as a child process
of the Docker engine, wrapped with a container, and the delegate process is running
in its own memory subspace of the user space. Programs running inside a container
can access only their own memory and resources as scoped by the container.

Docker builds containers using 10 major system features. Part 1 of this book uses
Docker commands to illustrate how these features can be modified to suit the needs
of the contained software and to fit the environment where the container will run.
The specific features are as follows:
- PID namespace—Process identifiers and capabilities
- UTS namespace—Host and domain name
- MNT namespace—Filesystem access and structure
- IPC namespace—Process communication over shared memory
- NET namespace—Network access and structure
- USR namespace—User names and identifiers
- chroot syscall—Controls the location of the filesystem root
- cgroups—Resource protection
- CAP drop—Operating system feature restrictions
- Security modules—Mandatory access controls

Docker uses those to build containers at runtime, but it uses another set of technologies
to package and ship containers.

### Shipping containers

You can think of a Docker container as a physical shipping container. It’s a box where you
store and run an application and all of its dependencies (excluding the running operating
system kernel). Just as cranes, trucks, trains, and ships can easily work with shipping
containers, so can Docker run, copy, and distribute containers with ease. Docker completes
the traditional container metaphor by including a way to package and distribute
software. The component that fills the shipping container role is called an image.

More generally, a Docker image is a bundled snapshot of all the files that should be available to a program
running inside a container. You can create as many containers from an image as
you want. But when you do, containers that were started from the same image don’t
share changes to their filesystem. When you distribute software with Docker, you distribute
these images, and the receiving computers create containers from them.
**Images are the shippable units in the Docker ecosystem.**

Docker provides a set of infrastructure components that simplify distributing
Docker images. These components are registries and indexes. You can use publicly available
infrastructure provided by Docker Inc., other hosting companies, or your own
registries and indexes.