I am new to docker and I am working with developers with another company. I believe they are new to docker as well. I have one developer asking me if "I’m running the command inside or outside the docker container" or "if I am creating a new branch outside of the container".
Can someone help clarify this meaning of inside or outside of the container?
I can’t seem to understand it. I searched online and I don’t seem to find anything on the term "inside" or "outside" for running commands or anything else similar.
3 Answers
Yes, it is normal (Docker uses the kernel on the host, and not its own, so you will see it in the `ps` command on the host) to see the processes running "inside" the docker container in your host (if you check the running processes with the `top` or `ps` commands). Try to run `pstree`; in that way you will see all your running processes as a child of `containerd`.

The process running inside a container is just a regular process. In most ways it is no different than a regular process running outside a container. Docker uses namespaces and cgroups to isolate processes from the rest of the system. Namespaces and cgroups are abstractions that allow the kernel to isolate processes. The docker daemon is just a process that makes putting other processes inside namespaces/cgroups convenient.
A docker file is a description of what you would like Linux to look like for a specific application. That is, without anything that application doesn’t need, and all the tools and libraries it uses already installed. Specialty docker files for e.g. a database or web server can be included, simplifying the definition.
A Docker image is basically applying all the specifications from a docker file. That is, a file system is set up, and all the software specified in the docker file is installed into this file system as if it were real Linux.
A docker container is basically booting the image file, so all the start scripts are executed and there will be all the expected processes running by the time it finishes. Any software it runs will think it’s running on Linux booted on a stand-alone machine. Except everything it does only happens within the container. If a file is written, it’s written only to the container’s file system, which is a chunk of space borrowed from the actual file system.
Normally you also need to specify what should run inside the container, otherwise once it boots, it has nothing more to do, so stops. Once it stops, the memory and file space is deallocated so everything done inside disappears.
You could start a web server running a service, or a shell you can interact with, and so on. You also usually want to be able to connect to the network outside the container, read or write outside files, and so on. You can map real world things to the container (e.g. port 8080 in the container maps to port 18080 in actual Linux, `/tmp/scratch` maps to `/tmp/scratch` in the container, and so on). You can also start another process running in the container with the `exec` command. You can map the input and output to your terminal and start `bash`, for example. Finally you can stop the container, and everything inside will stop running, and all the memory and files will be deallocated.
The above two answers have done a great job in clarifying what it means when one says "inside the container". There is no such thing as "inside or outside". There is one kernel construct that you need to understand – "Namespaces".
Namespaces provide an illusion of isolation to a process or an application. They narrow the view of an application so it can see only certain resources. These resources can be other processes, files, IP addresses, etc. There are 7 types of Namespaces today (as of 2022) – each of these Namespaces helps isolate a particular resource. For example, the PID Namespace restricts what other processes can be seen by a particular process or application. A Mount Namespace restricts what files a given application can see.
I have been learning about Namespaces and Cgroups recently to better understand Containers – found this great resource https://www.udemy.com/course/containers-under-the-hood that has been of tremendous help.
Highly recommend for anyone interested in getting a firm understanding of how Containers work.
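An added example (not code from any of the answers above) that makes the point of the first and third answers concrete: to the kernel, a process is "inside" a container only in the sense that some of its namespaces differ from those of the host's PID 1, which is why the same process still shows up in `ps` on the host. `read_ns` reads `/proc/<pid>/ns` on a live Linux host; the `HOST_*` and `CONTAINER_*` dictionaries are constructed sample values, and the function names are my own.

```python
import os

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")  # /proc/<pid>/ns entries

def read_ns(pid):
    """Namespace links of a live process from /proc/<pid>/ns, e.g. 'pid:[4026531836]';
    the number is the namespace inode, shared by every process in that namespace."""
    result = {}
    for name in NS_TYPES:
        try:
            result[name] = os.readlink(f"/proc/{pid}/ns/{name}")
        except OSError:
            pass  # non-Linux host, missing namespace type, or no permission
    return result

def ns_inode(link_target):
    """'mnt:[4026532201]' -> 4026532201"""
    return int(link_target.partition(":")[2].strip("[]"))

def namespace_diff(proc_ns, ref_ns):
    """Namespace types in which proc_ns differs from ref_ns (normally the host's
    PID 1). Non-empty is what 'inside a container' means to the kernel; empty
    means the process shares every namespace with the reference, i.e. 'outside'."""
    return sorted(
        name for name in NS_TYPES
        if name in proc_ns and name in ref_ns
        and ns_inode(proc_ns[name]) != ns_inode(ref_ns[name])
    )

def describe(pid, ref_pid=1):
    """Verdict for a live PID on this host, compared against ref_pid."""
    proc_ns, ref_ns = read_ns(pid), read_ns(ref_pid)
    if not proc_ns or not ref_ns:
        return f"pid {pid}: cannot read /proc/<pid>/ns, no verdict"
    diff = namespace_diff(proc_ns, ref_ns)
    if not diff:
        return f"pid {pid}: shares all namespaces with pid {ref_pid} (outside)"
    return f"pid {pid}: own {', '.join(diff)} namespace(s) (inside a container)"

# Constructed sample values, not read from a real host. The containerised
# process keeps PID 1's user namespace (Docker's default unless userns-remap
# is enabled) and, in this sample, its cgroup namespace; the other five differ.
HOST_INIT_NS = {n: f"{n}:[402653183{i}]" for i, n in enumerate(NS_TYPES)}
HOST_SHELL_NS = dict(HOST_INIT_NS)
CONTAINER_PROC_NS = dict(HOST_INIT_NS, **{
    n: f"{n}:[402653220{i}]" for i, n in enumerate(("ipc", "mnt", "net", "pid", "uts"))})

if __name__ == "__main__":
    print(namespace_diff(CONTAINER_PROC_NS, HOST_INIT_NS))  # ['ipc', 'mnt', 'net', 'pid', 'uts']
    print(describe(os.getpid()))  # live check of this interpreter against PID 1
```

Run it on the host and again via `docker exec` in a running container to see the same kernel reporting a different set of namespaces for the two sides.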