Containers

Five lessons covering how containers work under the hood.

How containers work: they are isolated processes, not virtual machines; namespaces, cgroups, and union filesystems combine to create the illusion of a separate machine. Namespaces: the Linux kernel feature that gives each container its own view of PIDs, network interfaces, mounts, and user IDs. Cgroups: resource limits and accounting for CPU, memory, and I/O, and how the OOM killer enforces a memory limit. Container images: layered filesystems, the OCI specification, and how registries distribute images. Container networking: bridge networks, veth pairs, port mapping, and DNS resolution.

Containers are not magic. They are a combination of existing kernel features (namespaces, cgroups, and overlayfs) packaged into a convenient runtime. Understanding what happens beneath docker run explains why containers start in milliseconds (there is no kernel to boot, only a process to clone), why they share the host kernel, and why isolation is not the same as security: a containerized process is still a process on the host, so a kernel vulnerability or an over-permissive runtime configuration crosses the namespace boundary. The glossary defines every term. The FAQ answers common questions.
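To make the "a container is just a process" point concrete, the following added example (not code from the course) asks the kernel what actually distinguishes the current process from the host: the namespace identities under /proc/self/ns, the cgroup path in /proc/self/cgroup, and a couple of runtime marker files. It assumes a Linux /proc layout; the sample cgroup lines are constructed, not captured from a real system, and the list of runtime names it searches for (docker, kubepods, libpod, containerd, lxc) is a heuristic, not a specification.

```python
"""Added example: observe, from inside a process, the kernel-level facts that
make it a 'container'. Assumes Linux /proc; sample cgroup data is constructed."""
import os
import platform
import re
from typing import Dict, List, Optional, Tuple

# Namespace types exposed under /proc/<pid>/ns/ on a modern Linux kernel.
NAMESPACES = ("pid", "mnt", "net", "uts", "ipc", "user", "cgroup")

# Constructed /proc/<pid>/cgroup contents (not captured from a real system).
SAMPLE_HOST = "0::/user.slice/user-1000.slice/session-2.scope\n"
SAMPLE_DOCKER_V2 = "0::/system.slice/docker-3f4c9a1e2b7d.scope\n"
SAMPLE_K8S_V1 = (
    "12:pids:/kubepods/burstable/pod1234/abcd\n"
    "11:memory:/kubepods/burstable/pod1234/abcd\n"
)

# Heuristic (assumption): runtime names that commonly appear as components of a
# container's cgroup path, in both cgroup v1 and v2 layouts.
_RUNTIME_RE = re.compile(r"(?:^|[/-])(docker|kubepods|libpod|containerd|lxc)(?:[/.-]|$)")


def read_ns_ids(pid: str = "self") -> Dict[str, Optional[str]]:
    """Namespace identities such as 'pid:[4026531836]' for each namespace of PID.

    The readlink target is the only stable identifier a process has for the
    namespace it lives in. None means the entry was missing or not readable;
    reading another process's ns links needs ptrace-level access to it.
    """
    ids: Dict[str, Optional[str]] = {}
    for ns in NAMESPACES:
        try:
            ids[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            ids[ns] = None
    return ids


def namespaces_differ(a: Dict[str, Optional[str]], b: Dict[str, Optional[str]]) -> List[str]:
    """Namespace types where both sides were readable and the identities differ."""
    return [ns for ns in NAMESPACES if a.get(ns) and b.get(ns) and a[ns] != b[ns]]


def parse_cgroup(text: str) -> List[Tuple[str, str, str]]:
    """Parse /proc/<pid>/cgroup lines of the form hierarchy:controllers:path.

    cgroup v1 yields one line per mounted hierarchy; cgroup v2 yields a single
    line '0::/path'. Malformed or empty lines are skipped.
    """
    entries: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            entries.append((parts[0], parts[1], parts[2]))
    return entries


def cgroup_hints(entries: List[Tuple[str, str, str]]) -> List[str]:
    """Runtime names found in the cgroup paths; empty for a typical host session."""
    found = set()
    for _, _, path in entries:
        for m in _RUNTIME_RE.finditer(path):
            found.add(m.group(1))
    return sorted(found)


def container_evidence() -> Dict[str, object]:
    """Collect what the current process can observe about its own confinement."""
    try:
        with open("/proc/self/cgroup") as f:
            own_cgroup = parse_cgroup(f.read())
    except OSError:
        own_cgroup = []
    self_ns = read_ns_ids("self")
    init_ns = read_ns_ids("1")  # usually all None unless we are root or PID 1 is ours
    return {
        "cgroup_hints": cgroup_hints(own_cgroup),
        "ns_differ_from_pid1": namespaces_differ(self_ns, init_ns),
        "marker_files": [p for p in ("/.dockerenv", "/run/.containerenv") if os.path.exists(p)],
        # Same value inside and outside a container: the kernel is shared.
        "kernel": platform.release(),
    }


if __name__ == "__main__":
    for key, value in container_evidence().items():
        print(f"{key}: {value}")
```

Run it on the host and then inside a container on the same host: the cgroup path and namespace identities change, the kernel release does not. That shared kernel is exactly why namespace isolation on its own is not a security boundary.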