Does a container have an OS inside? Do you always need an image to run a container? What happens when you build a container image? Are containers really just Linux processes, or a Virtual Machine can also be a container sometimes? Find answers to these and not only questions in the series!
Debunking Container Myths
Not Every Container Has an Operating System Inside
Not every container has an operating system inside, but every one of them needs your Linux kernel.
Before going any further it's important to understand the difference between a kernel, an operating system, and a distribution.
- Linux kernel is the core part of the Linux operating system. It's what originally Linus wrote.
- Linux OS is a combination of the kernel and a user-land (libraries, GNU utilities, config files, etc).
- Linux distribution is a particular version of the Linux operating system like Debian or CentOS.
To be technically accurate, the title of this article should have sounded something like Does container image have a whole Linux distribution inside? But I find this wording a bit boring for a title 🤪
You Don't Need an Image To Run a Container
As we already know, containers are just isolated and restricted Linux processes. We also learned that it's fairly simple to create a container with a single executable file inside starting from scratch image (i.e. without putting a full Linux distribution in there). This time we will go even further and demonstrate that containers don't require images at all. And after that, we will try to justify the actual need for images and their place in the containerverse.
You Need Containers To Build Images
You need containers to build images. Yes, you've heard it right. Not another way around.
For people who found their way to containers through Docker (well, most of us I believe) it may seem like images are of somewhat primary nature. We've been taught to start from a Dockerfile, build an image using that file, and only then run a container from that image. Alternatively, we could run a container specifying an image from a registry, yet the main idea remains - an image comes first, and only then the container.
But what if I tell you that the actual workflow is reverse? Even when you are building your very first image using Docker, podman, or buildah, you are already, albeit implicitly, running containers under the hood!
Containers Aren't Linux Processes
There are many ways to create containers, especially on Linux and alike. Besides the super widespread Docker implementation, you may have heard about LXC, systemd-nspawn, or maybe even OpenVZ.
The general concept of the container is quite vague. What's true and what's not often depends on the context, but the context itself isn't always given explicitly. For instance, there is a common saying that containers are Linux processes or that containers aren't Virtual Machines. However, the first statement is just an oversimplified attempt to explain Linux containers. And the second statement simply isn't always true.
In this article, I'm not trying to review all possible ways of creating containers. Instead, the article is an analysis of the OCI Runtime Specification. The spec turned out to be an insightful read! For instance, it gives a definition of the standard container (and no, it's not a process) and sheds some light on when Virtual Machines can be considered containers.
From Docker Container to Bootable Linux Disk Image
Well, I don't see any practical applications of the approach I'm going to describe... However, I do think that messing about with things like this is the only way to gain extra knowledge of any system internals. We are going to speak Docker and Linux here. What if we want to take a base Docker image, I mean really base, just an image made with a single line Dockerfile like
FROM debian:latest, and convert it to something launchable on a real or virtual machine? In other words, can we create a disk image having exactly the same Linux userland a running container has and then boot from it? For this we would start with dumping container's root file system, luckily it's as simple as just running
docker export, however, to finally accomplish the task a bunch of additional steps is needed...
UPD: Seems like there is some practicality in the approach after all! 👉 github.com/linka-cloud/d2vm.
Don't miss new posts in the series! Subscribe to the blog updates and get deep technical write-ups on Cloud Native topics direct into your inbox.