VMs, Containers, and Processes

By now, almost all public cloud vendors offer a container strategy, so what is it that makes containers so popular?

To see the value of containers, we should look at some of the most common challenges with application development and application life cycle. Customers have repeatedly asked for guidance on how to handle environmental differences, how to make environments portable, how to increase the density of running services on one machine, and how to isolate services. Containers are the right tool to solve these issues.

Containers enable us to slice up an operating system so that we can securely run multiple applications on a single operating system. If we want to run five applications or services on an operating system, we would create five containers. Each container has its own isolated view of things like the network stack, filesystem, process tree, and so on. For example, every container on an operating system gets its own root directory (/), its own eth0 network interface, its own PID 0. Each container is unaware that there are other containers sharing the same operating system. To achieve this, Linux leverages a couple of kernel features: namespaces and control groups. Namespaces enable the different components of the operating system to be sliced up and thus create isolated workspaces. Control groups then enable fine-grained control of resource utilization, effectively preventing one container from hogging all system resources. They achieve this by partitioning CPU time, system memory, disk bandwidth, and network bandwidth into groups and assigning tasks to those groups. We also might want to monitor resource consumption for any application assigned to a control group. Chapter 7 covers monitoring in more detail.
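The namespace and control group membership described above is visible per process under /proc on Linux. The following is an added example, not code from the book: it compares the namespace links of two processes to list the namespaces they share (where no isolation exists) and parses a process's cgroup file. The sample inode numbers and the cgroup path are constructed for illustration.

```python
import os
import re

INODE = re.compile(r"^[a-z_]+:\[(\d+)\]$")  # link target, e.g. "pid:[4026531836]"

def parse_ns_links(links):
    """Map namespace name -> inode number from /proc/<pid>/ns link targets."""
    return {name: int(m.group(1))
            for name, target in links.items()
            if (m := INODE.match(target))}

def read_ns_links(pid="self"):
    """Read the links on a live Linux host (other PIDs usually need root)."""
    base = f"/proc/{pid}/ns"
    return {n: os.readlink(os.path.join(base, n)) for n in os.listdir(base)}

def shared_namespaces(a, b):
    """Namespaces both processes are in (same inode): no isolation there."""
    return sorted(k for k in a.keys() & b.keys() if a[k] == b[k])

def parse_cgroup(text):
    """Parse /proc/<pid>/cgroup lines: 'hierarchy-id:controllers:path'."""
    entries = []
    for line in text.strip().splitlines():
        hid, controllers, path = line.split(":", 2)
        entries.append((int(hid), controllers.split(",") if controllers else [], path))
    return entries

# Constructed sample data (not captured from a real system): a host process
# and a container process that was started sharing the host network stack.
HOST_NS = {"pid": "pid:[4026531836]", "net": "net:[4026531840]",
           "mnt": "mnt:[4026531841]", "uts": "uts:[4026531838]",
           "ipc": "ipc:[4026531839]", "user": "user:[4026531837]"}
CONTAINER_NS = {"pid": "pid:[4026532281]", "net": "net:[4026531840]",
                "mnt": "mnt:[4026532278]", "uts": "uts:[4026532279]",
                "ipc": "ipc:[4026532280]", "user": "user:[4026531837]"}
CONTAINER_CGROUP = "0::/system.slice/docker-EXAMPLE.scope\n"

if __name__ == "__main__":
    host, ctr = parse_ns_links(HOST_NS), parse_ns_links(CONTAINER_NS)
    print("shared with host:", shared_namespaces(host, ctr))
    print("cgroup membership:", parse_cgroup(CONTAINER_CGROUP))
```

On a live system, pass the output of `read_ns_links()` for PID 1 and for a container's process instead of the sample dictionaries; any namespace reported as shared is one where the container sees the host's view rather than its own.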

As a result, we can think of containers as encapsulated, individually deployable components running as isolated instances on the same kernel, using operating-system-level virtualization. This means that each application running inside a container, together with its runtime, dependencies, system libraries, and so on, has full, private access to its own isolated view of operating system constructs.

From a developer's point of view, we can just package our application and dependencies into a container and deploy it to any environment that supports containers. By doing this we also make our application easy to update and upgrade, as well as easily portable from one environment to another. For example, a container can make an application easily portable from a development environment on the desktop, to a test environment in the cloud, and then to an on-premises production environment.

There are multiple container technologies available, but over the last two years Docker has emerged as the de facto standard. For the remainder of this book, we will focus on Docker containers.
