Here's a preview from my zine, How Containers Work! If you want to see more comics like this, sign up for my Saturday comics newsletter or browse more comics!
### a container is a group of Linux processes
Illustration of a smiling stick figure with curly hair.
person: on a Mac, all your containers are actually running in a Linux virtual machine
panel 2
person: I started `top` in a container. Here's what that looks like in ps:
- outside the container:
```
$ ps aux | grep top
USER PID START COMMAND
root 23540 20:55 top
bork 23546 20:57 top
```
- inside the container:
```
$ ps aux | grep top
USER PID START COMMAND
root 25 20:55 top
```
(`root 23540 20:55 top` outside and `root 25 20:55 top` inside are the same process!)
container processes can do anything a normal process can…
Illustration of a smiling stick figure with curly hair, and Linux, represented by its penguin mascot
person: I want my container to do X Y Z W! Linux: sure! your computer, your rules!
but usually they have restrictions
(there are drawings of locks on either side of the word “restrictions”)
Illustration of a container, represented by a box with a smiley face. Around it are arrows with the following labels:
- different PID namespace
- different root directory
- cgroup memory limit
- limited capabilities
- not allowed to run some system calls
the restrictions are enforced by the Linux kernel
Linux: NO, you can’t have more memory!
person: on the next page we’ll list all the kernel features that make this work!
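The kernel records the PIDs a process has in every nested PID namespace on the `NSpid` line of `/proc/<pid>/status`, and its effective capabilities on the `CapEff` line, so the "same process, different PID" fact above and the "limited capabilities" restriction are both checkable from the host. This is an added example, not from the zine; the status text is a constructed sample built around the page's PIDs 23540 and 25.

```python
"""Relate a host-visible PID to its in-container PID and read its capabilities.

Added example (not the zine's code). Reads the NSpid and CapEff fields that the
kernel exposes in /proc/<pid>/status. The sample below is constructed to match
the 'top' process shown on the page: PID 23540 on the host, PID 25 inside.
"""
from pathlib import Path

# Constructed sample of /proc/23540/status, trimmed to the lines we parse.
SAMPLE_STATUS = """\
Name:\ttop
State:\tS (sleeping)
Pid:\t23540
NSpid:\t23540\t25
CapEff:\t00000000a80425fb
"""

# Capability bit numbers from linux/capability.h.
CAP_NET_RAW = 13
CAP_SYS_CHROOT = 18
CAP_SYS_ADMIN = 21


def parse_status(text: str) -> dict:
    """Return the PID chain (host namespace first) and effective capability mask."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    ns_pids = [int(p) for p in fields["NSpid"].split()]
    return {
        "host_pid": ns_pids[0],
        "ns_pids": ns_pids,                       # one entry per nested PID namespace
        "in_child_pid_namespace": len(ns_pids) > 1,
        "cap_eff": int(fields["CapEff"], 16),
    }


def has_cap(cap_eff: int, cap_bit: int) -> bool:
    """True if capability number cap_bit is set in the effective mask."""
    return bool(cap_eff >> cap_bit & 1)


def read_status(pid: int) -> dict:
    """Parse the live /proc/<pid>/status of a process on this host."""
    return parse_status(Path(f"/proc/{pid}/status").read_text())


if __name__ == "__main__":
    info = parse_status(SAMPLE_STATUS)
    print(info["host_pid"], "->", info["ns_pids"][-1], "inside the container")
    print("CAP_SYS_ADMIN:", has_cap(info["cap_eff"], CAP_SYS_ADMIN))
```

On a real host, `read_status(23540)` gives the same dictionary for a running container process; a process with only one entry on its `NSpid` line is not inside a child PID namespace.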