Linux Containers (LXC)

LXC is an OS-level virtulization method, combining the single host kernel cgroups to provide isolated environments for applications, allowing running multiple isolated Linux systems (the containers).

The cgroups functionality provides limitation and prioritization of resources (CPU, memory, block I/O, network, etc.) and namespace isolation (process trees, network, user IDs and mounted FS).

Writing Dockerfiles

In a directory, the special Dockerfile defines a receipe to build the image, as a succession of instructions defining a step in the build process. The FROM instruction targets a base image to use as prior, a common linux distribution for this is Alpine. Version can be specified after colon, for example: FROM alpine:3.14. The ADD and COPY instructions are closely related, can often be changed interchangeably, the former providing additional remote fetching capabilities, the latter to be preferred for straight-forward host-to-image file transfer. The ENTRYPOINT instruction specifies binaries to execute afterwards. A common value is ENTRYPOINT ["/bin/sh"], to open a shell immediately in the container.

Virtual Machines and Emulators

Emulerators (e.g. QEMU) is used in conjunction with a Kernel-based Virtual Machine (KVM) to support running multiple isolated VMs and binaries hardware-agnosticly.

Virtual Machine (VM)
A software implemention of a virtual computer on top of an underlying physical computer, the host.
Hypervisor
Software layer that supports and monitor many concurrent OS VMs running on the host machine. It manages and distributes physical resources to share among the VMs.
Emulator, QEMU
An emulator translates binary to emulate the processor, transiting the emulated binary codes to the machine compatible equivalents. QEMU supports user-level apps allowing those compiled for one CPU architecture to run on another.
Kernal-based Virtual Machine (KVM)
KVM allows a physical Linux machine to host multiple virtual machines. Essentially a hypervisor built into the kernel. Unlike LXC, KVM is full virtualization. The abstraction happens at a different place, the Kernel in LXC is shared among all containers, which leads to a smaller footprint. KVM virtualizes the whole stack including hardware (NIC, hard drive, etc.) for the guest OS, on the Linux based host. The guest OS can then be Windows, etc. - this comes with a larger overhead trade-off.
Common Docker Instructions
InstructionSample argsDescription
FROM alpine:3.14Base image
RUN apt updateExec. cmd during build
COPY ./file /appCopies files from host
ADD ./arch.tar /appCopies URLs, extract tar
CMD ["py", "app.py"]Default cmd on start
ENTRYPOINT ["/bin/bash"]Executable on start
EXPOSE 8080Port listened at runtime
ENV APP=/appSets env. variables
WORKDIR /appSets the work dir.
USER nodeSets the runtime user
VOLUME /dataMount and mark ext. store
ARG VAR=valueDef. build-time Docker var