The underlying technology
Docker is written in Go and makes use of several Linux kernel features to deliver the functionality we've seen.
Docker takes advantage of a kernel technology called namespaces to provide the isolated workspace we call the container. When you run a container, Docker creates a set of namespaces for that container.
This provides a layer of isolation: each aspect of a container runs in its own namespace and cannot see or reach the corresponding resources outside it. Note what is and is not isolated: namespaces partition what a process can observe and name, but every container on a host still runs on the one shared kernel.
Some of the namespaces that Docker uses are:
The pid namespace: used for process isolation (PID: Process ID). The container's first process sees itself as PID 1 and cannot see or signal processes outside the namespace.
The net namespace: used for managing network interfaces (NET: Networking). Each container gets its own interfaces, routing table and ports.
The ipc namespace: used for managing access to IPC resources (IPC: InterProcess Communication), such as System V shared memory and semaphores.
The mnt namespace: used for managing mount points (MNT: Mount). The container gets its own view of the mount table.
The uts namespace: used for isolating the hostname and domain name reported by uname(2) (UTS: Unix Time-sharing System), so each container can have its own hostname.
Docker also makes use of another kernel technology called cgroups, or control groups. A key to running applications in isolation is to have them use only the resources you want. This ensures containers are good multi-tenant citizens on a host: a namespace hides the host's processes from a container, but on its own it does nothing to stop that container from consuming all the host's memory or CPU. Control groups allow Docker to share available hardware resources among containers and, if required, set up limits and constraints, for example limiting the memory available to a specific container.
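To make the two mechanisms concrete, here is a small Go program, added as an illustration and not code from Docker or libcontainer, that does in miniature what a container runtime does: it maps namespace names to the clone(2) flags the kernel understands, starts a shell in fresh uts, pid, mnt, net and ipc namespaces, puts the child into a cgroup v2 group with a memory ceiling, and checks from the outside whether the child still shares a namespace with the host. It goes beyond the list above in one respect: it also knows the user namespace, which is what allows an unprivileged process to create the others. The cgroup path `/sys/fs/cgroup/demo` and the hostname `demo` are arbitrary choices made for this example; creating namespaces requires root or an unprivileged user namespace, and writing the cgroup requires a writable cgroup v2 hierarchy.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"strings"
	"syscall"
)

// nsFlags maps the namespace names from the text (plus "user", which is
// what lets an unprivileged caller create the others) to clone(2) flags.
var nsFlags = map[string]uintptr{
	"pid":  syscall.CLONE_NEWPID,
	"net":  syscall.CLONE_NEWNET,
	"ipc":  syscall.CLONE_NEWIPC,
	"mnt":  syscall.CLONE_NEWNS, // "NEWNS": the mount namespace was the first one added
	"uts":  syscall.CLONE_NEWUTS,
	"user": syscall.CLONE_NEWUSER,
}

// CloneFlags turns namespace names into the flag word handed to clone(2).
// An unknown name is an error rather than a silent no-op: a typo would
// otherwise leave the child sharing that namespace with the host.
func CloneFlags(names []string) (uintptr, error) {
	var flags uintptr
	for _, n := range names {
		f, ok := nsFlags[n]
		if !ok {
			return 0, fmt.Errorf("unknown namespace %q", n)
		}
		flags |= f
	}
	return flags, nil
}

// NamespaceID parses the target of a /proc/<pid>/ns/<kind> symlink, such
// as "pid:[4026531836]", into the namespace kind and its inode number.
func NamespaceID(link string) (kind string, inode uint64, err error) {
	i := strings.IndexByte(link, ':')
	if i < 0 || !strings.HasPrefix(link[i+1:], "[") || !strings.HasSuffix(link, "]") {
		return "", 0, fmt.Errorf("malformed namespace link %q", link)
	}
	inode, err = strconv.ParseUint(link[i+2:len(link)-1], 10, 64)
	if err != nil {
		return "", 0, fmt.Errorf("malformed namespace link %q: %v", link, err)
	}
	return link[:i], inode, nil
}

// SameNamespace reports whether two processes share a namespace by
// comparing the inodes behind /proc/<pid>/ns/<kind>. Comparing a
// container's init against host PID 1 is a quick way to confirm that
// isolation actually took effect for that namespace.
func SameNamespace(pidA, pidB int, kind string) (bool, error) {
	var ids [2]uint64
	for i, pid := range []int{pidA, pidB} {
		link, err := os.Readlink(filepath.Join("/proc", strconv.Itoa(pid), "ns", kind))
		if err != nil {
			return false, err
		}
		if _, ids[i], err = NamespaceID(link); err != nil {
			return false, err
		}
	}
	return ids[0] == ids[1], nil
}

// LimitMemory puts pid into a cgroup v2 group at dir with a hard memory
// ceiling; the kernel OOM-kills the group rather than let it grow past
// the limit. Needs write access to the cgroup hierarchy.
func LimitMemory(dir string, limitBytes uint64, pid int) error {
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	limit := []byte(strconv.FormatUint(limitBytes, 10) + "\n")
	if err := os.WriteFile(filepath.Join(dir, "memory.max"), limit, 0o644); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "cgroup.procs"), []byte(strconv.Itoa(pid)+"\n"), 0o644)
}

// main starts a shell in fresh namespaces, roughly what a runtime does
// before exec'ing the image's entrypoint. Inside, "hostname" only changes
// the child's UTS namespace and $$ prints 1, the first PID of the new pid
// namespace. /sys/fs/cgroup/demo is an arbitrary path for this example.
func main() {
	flags, err := CloneFlags([]string{"uts", "pid", "mnt", "net", "ipc"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	cmd := exec.Command("/bin/sh", "-c", "hostname demo && echo pid=$$ && exec /bin/sh")
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{Cloneflags: flags}
	if err := cmd.Start(); err != nil {
		fmt.Fprintln(os.Stderr, "clone failed (need root or CLONE_NEWUSER):", err)
		os.Exit(1)
	}
	if err := LimitMemory("/sys/fs/cgroup/demo", 64<<20, cmd.Process.Pid); err != nil {
		fmt.Fprintln(os.Stderr, "memory limit not applied:", err)
	}
	if shared, err := SameNamespace(1, cmd.Process.Pid, "net"); err != nil {
		fmt.Fprintln(os.Stderr, "namespace check failed:", err)
	} else {
		fmt.Println("child shares host net namespace:", shared)
	}
	_ = cmd.Wait()
}
```

Two things the example makes visible that the prose does not. First, a new mount namespace starts as a copy of the parent's mount table, so the shell above still sees the host's /proc; a real runtime must also pivot_root into the image and mount a fresh /proc before the pid namespace looks isolated to tools like ps. Second, the namespace inode check is the same test you would run during an investigation: a container started with its network namespace shared with the host will show the same inode in /proc/<pid>/ns/net as PID 1.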
Union file systems
Union file systems, or UnionFS, are file systems that operate by stacking layers, making them very lightweight and fast: the read-only image layers are shared by every container started from the same image, and each container gets its own thin writable layer on top, so starting a container copies nothing. Docker uses union file systems to provide the building blocks for containers. Docker can make use of several storage-driver back ends for this, including AUFS, btrfs, vfs, and DeviceMapper.
Docker combines these components into a wrapper we call a container format. The default container format is called libcontainer. Docker also supports traditional Linux containers using LXC. In the future, Docker may support other container formats, for example, by integrating with BSD Jails or Solaris Zones.