# Linux Container Primitives > Containers are an abstraction over several different Linux technologies ## Linux Kernel ### Namespaces * "What you can see" * isolation mechanism for processes * changes to resources within namespace can be invisible outside the namespace * examples of available namespaces * network * filesystem (mount) * processes * namespaces can be shared with process * OR process can have its own namespaces, like a container * commonly used namespaces in containers * network * `veth` devices (or pairs) can connect different namespaces * Docker uses separate network namespace per container * by default Docker connects container network with `veth` pair to Linux bridge to allow outbound connectivity * in Kubernetes, containers in a pod share the same network namespace * mount * used to give containers their own filesystem * `procfs` virtual filesystem * introspection of Linux kernel data * Linux syscalls are used working with namespaces * clone * unshare * namespace can not be empty * tools to enter namespaces * nsenter * ip-netns * Leveraging namespaces with containers * `nsenter` or `ip netns` to troubleshoot container networking * monitor containers by entering the `pid` namespace * access binaries in your containers with the mount namespace * Further reading: `man 7 {namespaces, pid_namespaces, user_namespaces}` ### Control groups * "What you can use" * Cgroups * Organizes all processes in the system, whether they are in container or not * Account for resource usage and gather utilization data * Limit or prioritize resource utilization * Cgroup system is an abstract framework * subsystem are concrete implementations * memory * cpu time * block I/O * number of discrete processes (pids) * devices * etc * subsystems are independent * cgroups can be interacted with throught virtual filesystem * typically in `ace}/sys/fs/cgroup` * `tasks` file holds all pids in cgroup * get cgroups for pid: `cat /proc/$PID/cgroups` ### Filesystems * images are representation of a filesystem * Docker uses image layers * Layers are typically implemented with union filesystems * efficient use of storage when there are only minor modifications to image * Overlay filesystem is built in to Linux * Docker's default layer storage uses the overlay filesystem * Leveraging with Docker * locate files in your layers * examine which layers files contribute to disk usage * understand the impact of writable files in your containers ## Container runtimes * software tool that configures Linux primitives to create and run containers on a host * Examples include * Docker * containerd * runc * CRI-O * systemd-nspawn * `runc` is OCI (Open Containers Initiative) reference implementation which powers Docker, containerd and CRI-O * OCI runtime spec * containers are "bundles" * Filesystem * JSON document * describes underlying technologies which "make the container" like cgroups, namespaces, Linux capabilities, and more ## Resources * Linux Container Primitives: cgroups, namespaces, and more! - * CGroups documentation - * Overlay filesystem documentation - * Golang UK Conf. 2016 - Liz Rice - What is a container, really? Let's write one in Go from scratch - --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.tatusl.dev/containers/linux-container-primitives.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.