Use (POSIX) kernel primitives
- namespaces (PID, mount,…) https://man7.org/linux/man-pages/man7/namespaces.7.html – what you are allowed to see,
- cgroups https://man7.org/linux/man-pages/man7/cgroups.7.html – resources you are allowed to use and,
- LSM (Linux Security Modules) https://www.kernel.org/doc/html/v4.15/admin-guide/LSM/index.html – what you are allowed to do.
All these build the environment, bundles as container, too
- secure,
- isolate and,
- span execution environments
for processes put into a runtime – the container runtime. The term “runtime” refers to the fact, that the lifecycle of something is managed. Here the lifecycle of the specific containerized processes are managed.
H I S T O R Y: One of the first container managed approaches was LXC – the Linux Containers. Docker dropped LXC, created the “Open Container Initiative” (OCI) behind the libcontainer project.
R E A L I T Y: Conceptually two categories of container runtimes exist
- Open Container Initiative (OCI) runtimes, e.g. “runC”, as “low-level” runtimes and,
- Container Runtime Interface (CRI), e.g “containerd” and “Kubernetes” (overall called the “kublets”, with additional concerns such as image management, snapshotting, etc.
But what the hell is “Docker”? Simply both in one, also called a “Container Engine”. On top specific “Container Tools” help to perform specific tasks:
- podman – image running
- buildah – image building
- skopeo – image distribution