
The What, Why and How of Containers

Control groups (cgroups) are a Linux mechanism for controlling how much of the system's resources a process (and its child processes) can use.

They were not originally meant for virtualisation, but rather as a way to stop processes fighting over hardware and to implement quotas. They turned out to be very useful, however, when it came to implementing containers.

Namespaces isolate the processes inside a namespace from the rest of the system with respect to one specific global resource, such as mount points, process IDs, user IDs, interprocess communication, networking or time.

More crucially, they also isolate across cgroups, giving a process the illusion of being alone on the system.

With those mechanisms (chroot, cgroups and namespaces) in place, creating a container is conceptually relatively simple:

• First you populate the subtree that your container will have access to, ready to be chroot'ed into
• Then you create namespaces for everything you need to isolate (this usually includes at least PID, UID, mount points and cgroups)
• Finally you run your containerised process within those namespaces, chroot'ed to its subtree
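The three steps above as a runnable sketch, added here and not part of the original text. It assumes util-linux `unshare`, coreutils `chroot`, `ldd` and `awk` on the host, and that unprivileged user namespaces are enabled; the helper names are my own.

```sh
#!/bin/sh
# Added example: a minimal container built from the three steps above.
# Assumes util-linux `unshare`, coreutils `chroot`, `ldd`/`awk`, and that
# unprivileged user namespaces are enabled (all assumptions, not from the text).
set -eu

# Copy one binary plus the shared libraries ldd reports into the subtree.
copy_with_libs() {
    root="$1"; bin="$2"
    mkdir -p "$root$(dirname "$bin")"
    cp "$bin" "$root$bin"
    for lib in $(ldd "$bin" | awk '/=> \// {print $3} /^[ \t]*\// {print $1}'); do
        mkdir -p "$root$(dirname "$lib")"
        cp "$lib" "$root$lib"
    done
}

# Step 1: populate the subtree the container will be chroot'ed into.
populate_rootfs() {
    root="$1"
    mkdir -p "$root/proc" "$root/tmp"
    copy_with_libs "$root" /bin/sh
}

# Steps 2 and 3: new user, PID, mount, UTS, IPC and cgroup namespaces,
# then chroot into the subtree and exec the workload as PID 1 of that tree.
# --map-root-user maps the caller's uid to root only inside the new user namespace.
run_container() {
    root="$1"; shift
    unshare --user --map-root-user --pid --fork \
            --mount --uts --ipc --cgroup \
        /bin/sh -c '
            root="$1"; shift
            mount -t proc proc "$root/proc"   # /proc now shows only the new PID namespace
            hostname container                # UTS namespace: the change stays inside
            exec chroot "$root" "$@"' init "$root" "$@"
}

# Usage (run manually; the file only defines functions otherwise):
#   ROOT=$(mktemp -d) && populate_rootfs "$ROOT" && run_container "$ROOT" /bin/sh
```

Inside the container, `ps` (if copied in) and `hostname` show only the new PID and UTS namespaces, which is the "alone on the system" illusion described above.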


Date
March 27, 2024