The Container is a Lie!

Presented by Larry Garfield (@Crell)

Larry Garfield


Larry implements Huggable



Docker uses containers, but that's not what containers are.
Containers are all lies

The first lie



Operating System

  • Linux
  • Windows
  • OS X
Software that manages software


  • Coordinates with CPU
  • Manages "context switching"
  • Swap out Program Counter

Operating system

Multiple cores?

Multiple threads?

Multiple Program Counters!


Processes are an ID, code stream, PC, and memory block


  • Know about each other
  • Communicate with each other
  • Get the same system info from OS
  • Spawn new processes
  • Exist in a hierarchy

Virtual memory

A computer also contains memory



What if I told you we could tell different lies to different processes?


Linux-specific stuff follows
  • Linux can tell different lies
  • Bundle processes together
  • Different lie for each bundle

UTS Namespace

The UTS namespace gives different sets of processes different hostnames

sethostname(), setdomainname(), and uname()

Process Namespace

The PID namespace gives a group of processes their own PID number space, so each process has two PIDs: one inside the namespace and one outside it.

What about /proc?
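One way to answer that question, as an added example that is not from the talk: the kernel exposes both of a process's PIDs through /proc. Since Linux 4.1, /proc/<pid>/status has an "NSpid:" line listing the PID the process holds in every PID namespace it belongs to, outermost first. The status text below is a constructed sample; the function names are this example's own.

```python
"""Added example (not from the talk): show a process's PID in each nested PID namespace.

Since Linux 4.1, /proc/<pid>/status carries an "NSpid:" line listing the PID the
process has in every PID namespace it belongs to, outermost first. A process in
a container therefore shows (at least) two PIDs: the host's number and the
container's number.
"""
from typing import List, Optional

# Constructed sample of /proc/<pid>/status, trimmed to the relevant lines.
# This process is PID 2516 on the host but PID 1 inside its own PID namespace.
SAMPLE_STATUS = (
    "Name:\tnginx\n"
    "State:\tS (sleeping)\n"
    "Tgid:\t2516\n"
    "Pid:\t2516\n"
    "PPid:\t2490\n"
    "NSpid:\t2516\t1\n"
    "NSpgid:\t2516\t1\n"
    "NSsid:\t2516\t1\n"
)


def parse_nspid(status_text: str) -> List[int]:
    """Return the PIDs from the NSpid line, outermost namespace first."""
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key == "NSpid":
            return [int(p) for p in value.split()]
    raise ValueError("no NSpid line; kernel older than 4.1 or not a status file")


def pid_namespace_depth(status_text: str) -> int:
    """How many PID namespaces the process is visible in (1 = only the root one)."""
    return len(parse_nspid(status_text))


def innermost_pid(status_text: str) -> int:
    """The PID the process sees for itself, i.e. what getpid() returns inside."""
    return parse_nspid(status_text)[-1]


def read_live_nspid(pid: str = "self") -> Optional[List[int]]:
    """Read NSpid for a real process; None when /proc is unavailable or too old."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            return parse_nspid(fh.read())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    print("sample NSpid:", parse_nspid(SAMPLE_STATUS))  # [2516, 1]
    print("this process:", read_live_nspid())
```

Run it on a host and `read_live_nspid("<container pid>")` shows the same two numbers the slide talks about: the PID `ps` prints on the host and the PID the process believes it has. A depth of 1 means the process is not in any PID namespace beyond the root one.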

Mount Namespace

  • super-chroot
  • New "root node"
  • File systems can be an image on disk

Mount Namespace

The mount namespace gives different processes different views on the file system.

Network namespace

Physical devices

  • Physical hardware
  • Cannot be namespaced

Virtual devices

  • More lies!
  • Only one namespace
  • Can create in pairs

Network namespace

The network namespace lets multiple virtual devices appear as the same device to different processes.

User namespace

Processes have user and group

Affects access control

User namespace

  • Namespace-local user
  • Map local user to global user
  • ... even root

User namespace

The user namespace lets processes be a different user within a given scope.
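The "map local user to global user" step is visible in /proc/<pid>/uid_map (and gid_map), and the mapping is what decides whether root inside the namespace is root outside it. The following is an added example, not code from the talk: it parses that file format and translates IDs in both directions. The map contents are constructed samples and the function names are this example's own.

```python
"""Added example (not from the talk): translate IDs across a user-namespace boundary.

/proc/<pid>/uid_map and gid_map hold lines of the form
    <first id inside the namespace> <first id in the parent namespace> <length>
An ID the lines do not cover is unmapped; the kernel then reports the overflow
ID (65534, "nobody" by default) instead.
"""
from typing import List, Tuple

OVERFLOW_ID = 65534  # the default value of /proc/sys/kernel/overflowuid

IdRange = Tuple[int, int, int]  # (inner_start, outer_start, length)

# Constructed sample: a container whose root is host uid 100000 and which owns
# a 65536-id block, the shape a uid-remapping or rootless runtime sets up.
SAMPLE_UID_MAP = "         0     100000      65536\n"

# Constructed sample with two ranges: inner root is an ordinary host user, and
# inner ids 1000..1999 map to host ids 200000..200999.
SAMPLE_SPLIT_MAP = "0 1000 1\n1000 200000 1000\n"

# The initial (host) user namespace maps every id to itself.
INITIAL_MAP = "0 0 4294967295\n"


def parse_id_map(text: str) -> List[IdRange]:
    """Parse uid_map/gid_map text into (inner_start, outer_start, length) tuples."""
    ranges: List[IdRange] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inner, outer, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"non-positive length in id_map line: {line!r}")
        ranges.append((inner, outer, length))
    return ranges


def to_parent(ranges: List[IdRange], inner_id: int) -> int:
    """The id the parent namespace sees for inner_id, or OVERFLOW_ID if unmapped."""
    for inner, outer, length in ranges:
        if inner <= inner_id < inner + length:
            return outer + (inner_id - inner)
    return OVERFLOW_ID


def to_inner(ranges: List[IdRange], outer_id: int) -> int:
    """The id the namespace sees for a parent-namespace outer_id, or OVERFLOW_ID."""
    for inner, outer, length in ranges:
        if outer <= outer_id < outer + length:
            return inner + (outer_id - outer)
    return OVERFLOW_ID


def root_is_real_root(ranges: List[IdRange]) -> bool:
    """True only when uid 0 inside the namespace is also uid 0 in the parent."""
    return to_parent(ranges, 0) == 0


if __name__ == "__main__":
    remapped = parse_id_map(SAMPLE_UID_MAP)
    print("container root on the host is uid", to_parent(remapped, 0))              # 100000
    print("host uid 100033 inside the container is uid", to_inner(remapped, 100033))  # 33
    print("real root?", root_is_real_root(remapped))                                # False
```

The practical check is `root_is_real_root`: a process whose uid_map reads `0 0 4294967295` has not been given a new user namespace at all, so its "root" is the host's root, while a map like the remapped sample makes the in-container root an unprivileged host user.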

Control Groups

The CGroup is not a lie!

Scheduler tweaking

Control Group hierarchy

  • Separate from process hierarchy
  • Nodes with "controllers"
  • Tracking, auditing, capping

Control Groups

Control groups portion out fixed resources.
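What "portioning out fixed resources" looks like on disk, as an added example that is not from the talk: on a cgroup v2 host each node under /sys/fs/cgroup holds one small text file per cap, and /proc/<pid>/cgroup names the node a process sits in. The code below parses those files into effective limits; the file contents are constructed samples and the function names are this example's own.

```python
"""Added example (not from the talk): read the caps a cgroup v2 node puts on its processes.

Each controller file under /sys/fs/cgroup/<path>/ holds one small text value:
    cpu.max     "<quota> <period>" in microseconds, or "max <period>"
    memory.max  a byte count, or "max"
    pids.max    a process count, or "max"
/proc/<pid>/cgroup names the node a process sits in as "0::/<path>".
"""
from typing import Dict, Optional

# Constructed sample of the files a runtime writes for a unit capped at half a
# CPU, 256 MiB of memory and 100 tasks.
SAMPLE_FILES = {
    "cpu.max": "50000 100000\n",
    "memory.max": "268435456\n",
    "pids.max": "100\n",
}

# Constructed sample of a node with the kernel's defaults, i.e. no caps at all.
UNCAPPED_FILES = {
    "cpu.max": "max 100000\n",
    "memory.max": "max\n",
    "pids.max": "max\n",
}

# Constructed sample of /proc/<pid>/cgroup on a cgroup v2 host.
SAMPLE_PROC_CGROUP = "0::/system.slice/example-unit.scope\n"


def parse_cpu_max(text: str) -> Optional[float]:
    """CPU cap as a number of CPUs (0.5 = half a core); None when unlimited."""
    quota, period = text.split()
    if quota == "max":
        return None
    return int(quota) / int(period)


def parse_limit(text: str) -> Optional[int]:
    """memory.max / pids.max value as an int; None when the file says 'max'."""
    value = text.strip()
    return None if value == "max" else int(value)


def summarize(files: Dict[str, str]) -> Dict[str, Optional[float]]:
    """Collapse the three controller files into one dict of effective caps."""
    return {
        "cpus": parse_cpu_max(files["cpu.max"]),
        "memory_bytes": parse_limit(files["memory.max"]),
        "pids": parse_limit(files["pids.max"]),
    }


def cgroup_v2_path(proc_cgroup_text: str) -> Optional[str]:
    """The v2 path from /proc/<pid>/cgroup, or None if only v1 lines are present."""
    for line in proc_cgroup_text.splitlines():
        hierarchy, controllers, path = line.split(":", 2)
        if hierarchy == "0" and controllers == "":
            return path
    return None


def read_live_caps(pid: str = "self", root: str = "/sys/fs/cgroup") -> Optional[Dict[str, Optional[float]]]:
    """Read the real caps for a process; None off Linux, on cgroup v1, or at the root node."""
    try:
        with open(f"/proc/{pid}/cgroup") as fh:
            path = cgroup_v2_path(fh.read())
        if path is None:
            return None
        files = {}
        for name in ("cpu.max", "memory.max", "pids.max"):
            with open(f"{root}{path}/{name}") as fh:
                files[name] = fh.read()
        return summarize(files)
    except OSError:
        return None


if __name__ == "__main__":
    print("sample:", summarize(SAMPLE_FILES))      # cpus 0.5, memory 268435456, pids 100
    print("uncapped:", summarize(UNCAPPED_FILES))  # all None
    print("this process:", read_live_caps())
```

A node where every value comes back `None` is the "not a lie" the slide warns about in reverse: the processes are bundled and accounted for, but nothing actually stops one of them from taking the whole machine.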

Can you use multiple namespaces?


Use all the namespaces!

All namespaces together!

Set of processes that...

  • Know of only each other
  • Have a root user
  • Have their own file tree
  • Have their own network config
  • Have their own hostname
  • Have no way out of that box
  • Have a restricted finite set of resources

If processes are that isolated, is that any different than having their own computer?

Let's call it a "Container"
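Whether a given set of processes really got all of those lies is something you can audit rather than assume. As an added example that is not from the talk: /proc/<pid>/ns/ holds one symlink per namespace type, its target carries the namespace's inode number, and two processes share a namespace exactly when those numbers match. Comparing a workload against PID 1 lists which namespaces it actually has to itself; a runtime option that keeps the host's network or PID space shows up here as a shared entry. The link targets below are constructed samples and the function names are this example's own.

```python
"""Added example (not from the talk): check how isolated one process is from another.

/proc/<pid>/ns/ holds one symlink per namespace type; its target looks like
"net:[4026531840]", where the number is the namespace's inode. Two processes are
in the same namespace exactly when those inodes match, so comparing a workload
against PID 1 shows which of the "lies" it actually gets told.
"""
import os
from typing import Dict, List

NAMESPACE_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# Constructed sample: link targets for the host's PID 1.
HOST_NS = {
    "cgroup": "cgroup:[4026531835]",
    "ipc": "ipc:[4026531839]",
    "mnt": "mnt:[4026531840]",
    "net": "net:[4026531992]",
    "pid": "pid:[4026531836]",
    "user": "user:[4026531837]",
    "uts": "uts:[4026531838]",
}

# Constructed sample: a containerised process that got every namespace except
# a user namespace (it still runs in the host's user namespace) and was also
# started with the host's network stack, so "net" matches the host too.
WORKLOAD_NS = {
    "cgroup": "cgroup:[4026532455]",
    "ipc": "ipc:[4026532453]",
    "mnt": "mnt:[4026532451]",
    "net": "net:[4026531992]",
    "pid": "pid:[4026532454]",
    "user": "user:[4026531837]",
    "uts": "uts:[4026532452]",
}


def ns_inode(link_target: str) -> int:
    """Pull the inode number out of a target such as "pid:[4026531836]"."""
    kind, sep, rest = link_target.partition(":[")
    if not sep or not rest.endswith("]"):
        raise ValueError(f"not a namespace link target: {link_target!r}")
    return int(rest[:-1])


def shared_namespaces(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Namespace types in which a and b are the very same namespace."""
    return sorted(ns for ns in a if ns in b and ns_inode(a[ns]) == ns_inode(b[ns]))


def isolation_report(workload: Dict[str, str], reference: Dict[str, str]) -> Dict[str, bool]:
    """For each type: True if the workload has its own namespace, False if shared."""
    shared = set(shared_namespaces(workload, reference))
    return {ns: ns not in shared for ns in NAMESPACE_TYPES if ns in workload and ns in reference}


def read_live_ns(pid: str = "self") -> Dict[str, str]:
    """Read the real link targets for a process; empty off Linux or without access."""
    targets = {}
    for ns in NAMESPACE_TYPES:
        try:
            targets[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            continue
    return targets


if __name__ == "__main__":
    print("shared with host:", shared_namespaces(WORKLOAD_NS, HOST_NS))  # ['net', 'user']
    print("isolation:", isolation_report(WORKLOAD_NS, HOST_NS))
    print("this process vs PID 1:", isolation_report(read_live_ns(), read_live_ns("1")))
```

Reading another process's ns links needs the same privileges as ptracing it, so run the live comparison as root on the host; from inside a container, `read_live_ns("1")` describes the container's own init rather than the host's, which is itself the PID-namespace lie at work.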

Coarser APIs


Read-only containers

  • Load once, run multiple
  • No write collisions
  • Trivial overhead

Run anywhere?

Containers can't just run anywhere; they're specific to a container library


Static compiler for your entire system

A tale of two containers

  • Docker

  • Built on LXC
  • Nested Squashfs
  • Integrated orchestration


A production file system is built from pieces
  • Base OS squashfs
  • Application squashfs
  • RAMdisk for config
  • Network mounted user files

Few processes

$ ps axf
   1 ?        Ss     0:06 init [2]
  72 ?        Ss     0:06 runsvdir -P /etc/service log: .................................................................
  78 ?        Ss     0:00  \_ runsv ssh
 105 ?        S      0:00  |   \_ /usr/sbin/sshd -D
2516 ?        Ss     0:00  |       \_ sshd: web [priv]
2518 ?        S      0:00  |           \_ sshd: web@pts/0
2519 pts/0    Ss     0:00  |               \_ -bash
2605 pts/0    R+     0:00  |                   \_ ps axf
  79 ?        Ss     0:00  \_ runsv nginx
  99 ?        S      0:00  |   \_ nginx: master process /usr/sbin/nginx -g daemon off; error_log /var/log/error.log; -c /
 104 ?        S      0:00  |       \_ nginx: worker process
  80 ?        Ss     0:00  \_ runsv newrelic
  81 ?        Ss     0:00  \_ runsv app
  89 ?        Ss     0:22      \_ php-fpm: master process (/etc/php/7.2-zts/fpm/php-fpm.conf)

Cluster is the unit of deployment

The same setup applies across all containers in a cluster


  • Layered filesystem
  • No init process
  • Optimized for 1 process

Docker layered filesystem

Docker's file system is layered

Different uses, different trade-offs

Enjoy your lies

  • All software is built on lies
  • Embrace them!
  • Cloud computing is a multi-layered lie


Containers are lies!


Larry Garfield


Director of Developer Experience

The end-to-end web platform for agile teams

Stalk us at @PlatformSH

Buy my book!

Cover of Thinking Functionally in PHP