So, now that you understand why we need Docker, and, at a high level, how to work with Docker, let’s turn our attention to what a Docker container and image actually are.
Docker is based on Linux Containers (LXC), a containerization technology built into Linux. LXC itself relies on two Linux kernel mechanisms: control groups and namespaces. So, let's briefly examine each one in more detail.
Control groups (cgroups) separate processes by groups, and attach one or more subsystems to each group.
The subsystem can restrict the resource usage of each attached group. For example, we can place our application's process into the foo cgroup, attach the memory subsystem to it, and restrict our application to using, say, 50% of the host’s memory.
There are many different subsystems, each responsible for different types of resources, such as CPU, block I/O, and network bandwidth.
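To make the foo example concrete, here is an added sketch (not code from the original text) that caps a cgroup at 50% of host memory using the cgroup v2 interface files `cgroup.subtree_control`, `memory.max`, and `cgroup.procs`; in cgroup v2, subsystems are called controllers. The function names `mem_percent_bytes`, `limit_memory`, and `demo` are hypothetical, and the cgroup root is a parameter so that the logic can be dry-run against a scratch directory without root.

```bash
#!/usr/bin/env bash
# Added example: cap a group's memory with the cgroup v2 "memory" controller.
# On a real host ROOT is /sys/fs/cgroup and MEMINFO is /proc/meminfo (root needed).

# Print PERCENT of MemTotal, in bytes, from a /proc/meminfo-style file.
mem_percent_bytes() {
    local meminfo=$1 percent=$2 kb
    kb=$(awk '/^MemTotal:/ { print $2; exit }' "$meminfo")
    [ -n "$kb" ] || return 1
    echo $(( kb * 1024 * percent / 100 ))
}

# Create cgroup NAME under ROOT, cap it at LIMIT bytes, and move PID into it.
limit_memory() {
    local root=$1 name=$2 limit=$3 pid=$4
    # Reject names that would escape ROOT, and non-numeric limits.
    case $name in ''|*/*|.*) echo "bad cgroup name: $name" >&2; return 2 ;; esac
    case $limit in ''|*[!0-9]*) echo "bad limit: $limit" >&2; return 2 ;; esac
    # The parent must delegate the controller before children get memory.* files.
    echo "+memory" > "$root/cgroup.subtree_control" || return 1
    mkdir -p "$root/$name" || return 1
    # Hard cap: past this the kernel reclaims, then OOM-kills inside the group only.
    echo "$limit" > "$root/$name/memory.max" || return 1
    # Attach the process; its future children inherit the group.
    echo "$pid" > "$root/$name/cgroup.procs" || return 1
}

# Dry run against a scratch directory with a constructed meminfo sample.
demo() {
    local tmp bytes
    tmp=$(mktemp -d)
    printf 'MemTotal:       16384000 kB\n' > "$tmp/meminfo"   # constructed sample
    bytes=$(mem_percent_bytes "$tmp/meminfo" 50)
    limit_memory "$tmp" foo "$bytes" "$$" &&
        echo "foo/memory.max = $(cat "$tmp/foo/memory.max")"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

From a security standpoint, the limit confines a runaway or hostile process's memory exhaustion to its own group, so the rest of the host keeps running.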