2023-02-13 learn docker basics

[jerryschen31]

Docker compose

[jerryschen31]

docker compose https://docs.docker.com/compose/ NOTE: June 2023 - big update to docker compose (v2)

The first release of Compose, written in Python, happened at the end of 2014

In mid-2020 Compose V2 was released. It merged Compose file format V2 and V3 and was written in Go. The file format is defined by the Compose specification. Compose V2 is the latest and recommended version of Compose. It provides improved integration with other Docker command-line features, and simplified installation on macOS, Windows, and Linux.

Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application’s services. Then, with a single command, you create and start all the services from your configuration

With docker compose you can: Start, stop, and rebuild services View the status of running services Stream the log output of running services Run a one-off command on a service

[jerryschen31]

An important part of any Continuous Deployment or Continuous Integration process is the automated test suite. Automated end-to-end testing requires an environment in which to run tests. Compose provides a convenient way to create and destroy isolated testing environments for your test suite. By defining the full environment in a Compose file, you can create and destroy these environments in just a few commands:

docker compose up -d ./run_tests docker compose down

[jerryschen31]

Compose v2 https://docs.docker.com/compose/compose-file/

The Compose specification allows one to define a platform-agnostic container based application. Such an application is designed as a set of containers which have to both run together with adequate shared resources and communication channels.

Computing components of an application are defined as Services. A Service is an abstract concept implemented on platforms by running the same container image (and configuration) one or more times.

Services communicate with each other through Networks. In this specification, a Network is a platform capability abstraction to establish an IP route between containers within services connected together. Low-level, platform-specific networking options are grouped into the Network definition and MAY be partially implemented on some platforms.

Services store and share persistent data into Volumes. The specification describes such a persistent data as a high-level filesystem mount with global options. Actual platform-specific implementation details are grouped into the Volumes definition and MAY be partially implemented on some platforms.

Some services require configuration data that is dependent on the runtime or platform. For this, the specification defines a dedicated concept: Configs. From a Service container point of view, Configs are comparable to Volumes, in that they are files mounted into the container. But the actual definition involves distinct platform resources and services, which are abstracted by this type.

A Secret is a specific flavor of configuration data for sensitive data that SHOULD NOT be exposed without security considerations. Secrets are made available to services as files mounted into their containers, but the platform-specific resources to provide sensitive data are specific enough to deserve a distinct concept and definition within the Compose specification.

Distinction within Volumes, Configs and Secret allows implementations to offer a comparable abstraction at service level, but cover the specific configuration of adequate platform resources for well identified data usages.

A Project is an individual deployment of an application specification on a platform. A project’s name is used to group resources together and isolate them from other applications or other installation of the same Compose specified application with distinct parameters. A Compose implementation creating resources on a platform MUST prefix resource names by project and set the label com.docker.compose.project.

[jerryschen31]

Docker intro - Docker Engine https://docs.docker.com/engine/#:~:text=Docker%20Engine%20is%20an%20open,and%20instruct%20the%20Docker%20daemon.

[jerryschen31]

Docker Architecture https://docs.docker.com/get-started/overview/#docker-architecture

Docker uses a client-server architecture. The Docker client talks to the Docker daemon, which does the heavy lifting of building, running, and distributing your Docker containers. The Docker client and daemon can run on the same system, or you can connect a Docker client to a remote Docker daemon. The Docker client and daemon communicate using a REST API, over UNIX sockets or a network interface. Another Docker client is Docker Compose, that lets you work with applications consisting of a set of containers.

[jerryschen31]

Docker provides the ability to package and run an application in a loosely isolated environment called a container.

The Docker client and daemon can run on the same system, or you can connect a Docker client to a remote Docker daemon. The Docker client and daemon communicate using a REST API, over UNIX sockets or a network interface. Another Docker client is Docker Compose, that lets you work with applications consisting of a set of containers

[TODO] daemon - understand better [TODO] UNIX sockets - understand better (communicate through sockets)

[jerryschen31]

You might create your own images or you might only use those created by others and published in a registry. To build your own image, you create a Dockerfile with a simple syntax for defining the steps needed to create the image and run it. Each instruction in a Dockerfile creates a layer in the image. When you change the Dockerfile and rebuild the image, only those layers which have changed are rebuilt. This is part of what makes images so lightweight, small, and fast, when compared to other virtualization technologies.

[NOTE] when you change something in the middle of a Dockerfile, all the subsequent layers also get re-built.

[jerryschen31]

Containers

A container is a runnable instance of an image. You can create, start, stop, move, or delete a container using the Docker API or CLI. You can connect a container to one or more networks, attach storage to it, or even create a new image based on its current state.

By default, a container is relatively well isolated from other containers and its host machine. You can control how isolated a container’s network, storage, or other underlying subsystems are from other containers or from the host machine.

A container is defined by its image as well as any configuration options you provide to it when you create or start it. When a container is removed, any changes to its state that are not stored in persistent storage disappear.

[jerryschen31]

Example docker run command

The following command runs an ubuntu container, attaches interactively to your local command-line session, and runs /bin/bash.

$ docker run -i -t ubuntu /bin/bash When you run this command, the following happens (assuming you are using the default registry configuration):

If you do not have the ubuntu image locally, Docker pulls it from your configured registry, as though you had run docker pull ubuntu manually.

Docker creates a new container, as though you had run a docker container create command manually.

Docker allocates a read-write filesystem to the container, as its final layer. This allows a running container to create or modify files and directories in its local filesystem.

Docker creates a network interface to connect the container to the default network, since you did not specify any networking options. This includes assigning an IP address to the container. By default, containers can connect to external networks using the host machine’s network connection.

Docker starts the container and executes /bin/bash. Because the container is running interactively and attached to your terminal (due to the -i and -t flags), you can provide input using your keyboard while the output is logged to your terminal.

When you type exit to terminate the /bin/bash command, the container stops but is not removed. You can start it again or remove it.

[jerryschen31]

Docker is written in the Go programming language and takes advantage of several features of the Linux kernel to deliver its functionality. Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container.

These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace.

[jerryschen31]

This is a great starting point https://docs.docker.com/get-started/overview/#docker-architecture

Some topics to learn further: Container isolation - container creation - what does it mean to “create” a container? Image layers, read/write filesystem (top layer) - what’s a filesystem Container network interface - connecting to local host network interface - assigning IP address… is there a container MAC address? /etc/hosts in container What is a daemon / process What are UNIX sockets

[jerryschen31]

In multitasking computer operating systems, a daemon is a computer program that runs as a background process, rather than being under the direct control of an interactive user

A process in Linux is nothing but a program in execution. It's a running instance of a program. Any command that you execute starts a process.

A Unix domain socket aka UDS or IPC socket is a data communications endpoint for exchanging data between processes executing on the same host operating system. It is also referred to by its address family AF_UNIX. Wikipedia

[jerryschen31]

https://www.google.com/search?q=unix+sockets&rlz=1C9BKJA_enUS963US963&hl=en-US&ei=CrRGZPbFBfzDkPIPyp298A8&oq=unix+sockets&gs_lcp=ChNtb2JpbGUtZ3dzLXdpei1zZXJwEAMyCwgAEIoFEJECEIsDMgUIABCABDIFCC4QgAQyBQgAEIAEMgUIABCABDIFCAAQgAQyBQgAEIAEMgUIABCABDoICAAQjwEQ6gI6CAguEI8BEOoCOggIABCKBRCRAjoICAAQgAQQsQM6DgguEIAEELEDEMcBENEDOgcIABCKBRBDOgoIABCKBRBDEIsDOgsIABCKBRCxAxCRAjoOCAAQigUQsQMQkQIQiwM6CggAEIoFELEDEENKBAhBGABQugVY2xFgxhJoA3AAeACAAaYBiAG3C5IBBDEuMTCYAQCgAQGwAQ-4AQPAAQE&sclient=mobile-gws-wiz-serp#imgrc=0kYlClCHH3u5sM&lnspr=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLG51bGxd

[jerryschen31]

https://www.google.com/search?q=unix+sockets&rlz=1C9BKJA_enUS963US963&hl=en-US&ei=CrRGZPbFBfzDkPIPyp298A8&oq=unix+sockets&gs_lcp=ChNtb2JpbGUtZ3dzLXdpei1zZXJwEAMyCwgAEIoFEJECEIsDMgUIABCABDIFCC4QgAQyBQgAEIAEMgUIABCABDIFCAAQgAQyBQgAEIAEMgUIABCABDoICAAQjwEQ6gI6CAguEI8BEOoCOggIABCKBRCRAjoICAAQgAQQsQM6DgguEIAEELEDEMcBENEDOgcIABCKBRBDOgoIABCKBRBDEIsDOgsIABCKBRCxAxCRAjoOCAAQigUQsQMQkQIQiwM6CggAEIoFELEDEENKBAhBGABQugVY2xFgxhJoA3AAeACAAaYBiAG3C5IBBDEuMTCYAQCgAQGwAQ-4AQPAAQE&sclient=mobile-gws-wiz-serp#imgrc=l-0KawnUDNOZgM&lnspr=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLG51bGxd

[jerryschen31]

https://www.google.com/search?q=unix+sockets&rlz=1C9BKJA_enUS963US963&hl=en-US&ei=CrRGZPbFBfzDkPIPyp298A8&oq=unix+sockets&gs_lcp=ChNtb2JpbGUtZ3dzLXdpei1zZXJwEAMyCwgAEIoFEJECEIsDMgUIABCABDIFCC4QgAQyBQgAEIAEMgUIABCABDIFCAAQgAQyBQgAEIAEMgUIABCABDoICAAQjwEQ6gI6CAguEI8BEOoCOggIABCKBRCRAjoICAAQgAQQsQM6DgguEIAEELEDEMcBENEDOgcIABCKBRBDOgoIABCKBRBDEIsDOgsIABCKBRCxAxCRAjoOCAAQigUQsQMQkQIQiwM6CggAEIoFELEDEENKBAhBGABQugVY2xFgxhJoA3AAeACAAaYBiAG3C5IBBDEuMTCYAQCgAQGwAQ-4AQPAAQE&sclient=mobile-gws-wiz-serp#imgrc=l-0KawnUDNOZgM&lnspr=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLG51bGxd

[jerryschen31]

https://www.tutorialspoint.com/unix_sockets/index.htm

Sockets allow communication between two different processes on the same or different machines. To be more precise, it's a way to talk to other computers using standard Unix file descriptors. In Unix, every I/O action is done by writing or reading a file descriptor. A file descriptor is just an integer associated with an open file and it can be a network connection, a text file, a terminal, or something else.

To a programmer, a socket looks and behaves much like a low-level file descriptor. This is because commands such as read() and write() work with sockets in the same way they do with files and pipes.

Stream Sockets − Delivery in a networked environment is guaranteed. If you send through the stream socket three items "A, B, C", they will arrive in the same order − "A, B, C". These sockets use TCP (Transmission Control Protocol) for data transmission. If delivery is impossible, the sender receives an error indicator. Data records do not have any boundaries. Datagram Sockets − Delivery in a networked environment is not guaranteed. They're connectionless because you don't need to have an open connection as in Stream Sockets − you build a packet with the destination information and send it out. They use UDP (User Datagram Protocol).

[jerryschen31]

Before we proceed with the actual stuff, let us discuss a bit about the Network Addresses − the IP Address.

The IP host address, or more commonly just IP address, is used to identify hosts connected to the Internet. IP stands for Internet Protocol and refers to the Internet Layer of the overall network architecture of the Internet.

An IP address is a 32-bit quantity interpreted as four 8-bit numbers or octets. Each IP address uniquely identifies the participating user network, the host on the network, and the class of the user network.

[note] think of IP address as just a network ID - ID of any resource on a network

[jerryschen31]

Host names in terms of numbers are difficult to remember and hence they are termed by ordinary names such as Takshila or Nalanda. We write software applications to find out the dotted IP address corresponding to a given name.

The process of finding out dotted IP address based on the given alphanumeric host name is known as hostname resolution.

A hostname resolution is done by special software residing on high-capacity systems. These systems are called Domain Name Systems (DNS), which keep the mapping of IP addresses and the corresponding ordinary names.

The /etc/hosts File The correspondence between host names and IP addresses is maintained in a file called hosts. On most of the systems, this file is found in /etc directory.

Entries in this file look like the following −

This represents a comments in /etc/hosts file.

127.0.0.1 localhost 192.217.44.207 nalanda metro 153.110.31.18 netserve 153.110.31.19 mainserver centeral 153.110.31.20 samsonite 64.202.167.10 ns3.secureserver.net 64.202.167.97 ns4.secureserver.net 66.249.89.104 www.google.com 68.178.157.132 services.amrood.com

[jerryschen31]

Server 3-tier architectures − In this architecture, one more software sits in between the client and the server. This middle software is called ‘middleware’. Middleware are used to perform all the security checks and load balancing in case of heavy load. A middleware takes all requests from the client and after performing the required authentication, it passes that request to the server. Then the server does the required processing and sends the response back to the middleware and finally the middleware passes this response back to the client.

[jerryschen31]

How to Make Client The system calls for establishing a connection are somewhat different for the client and the server, but both involve the basic construct of a socket. Both the processes establish their own sockets.

The steps involved in establishing a socket on the client side are as follows −

Create a socket with the socket() system call. Connect the socket to the address of the server using the connect() system call. Send and receive data. There are a number of ways to do this, but the simplest way is to use the read() and write() system calls. How to make a Server The steps involved in establishing a socket on the server side are as follows −

Create a socket with the socket() system call. Bind the socket to an address using the bind() system call. For a server socket on the Internet, an address consists of a port number on the host machine. Listen for connections with the listen() system call. Accept a connection with the accept() system call. This call typically blocks the connection until a client connects with the server. Send and receive data using the read() and write() system calls.

[jerryschen31]

Client and Server Interaction Following is the diagram showing the complete Client and Server interaction −

Socket Client Server

[jerryschen31]

When a client process wants to a connect a server, the client must have a way of identifying the server that it wants to connect. If the client knows the 32-bit Internet address of the host on which the server resides, it can contact that host. But how does the client identify the particular server process running on that host?

To resolve the problem of identifying a particular server process running on a host, both TCP and UDP have defined a group of well-known ports

The port assignments to network services can be found in the file /etc/services

[jerryschen31]

Maybe this tutorial is easier https://www.digitalocean.com/community/tutorials/understanding-sockets

Need to find an interactive tutorial of some sort (using Ubuntu)

[jerryschen31]

https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-20-04

[jerryschen31]

To learn UNIX sockets: $ sudo apt update $ sudo apt install iproute2 netcat-openbsd socat

Install latest version of docker (NOT the one in the ubuntu repository) https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04

ubuntu@ip-10-88-0-92:~$ sudo systemctl status docker ● docker.service - Docker Application Container Engine Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2023-04-25 05:33:30 UTC; 5min ago TriggeredBy: ● docker.socket Docs: https://docs.docker.com Main PID: 3200 (dockerd) Tasks: 7 Memory: 33.1M CGroup: /system.slice/docker.service └─3200 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

Apr 25 05:33:29 ip-10-88-0-92 dockerd[3200]: time="2023-04-25T05:33:29.806761255Z" level=info msg="[core] [Channel #4] Channel Connectivity change to CONNECTING" module=grpc Apr 25 05:33:29 ip-10-88-0-92 dockerd[3200]: time="2023-04-25T05:33:29.807061969Z" level=info msg="[core] [Channel #4 SubChannel #5] Subchannel Connectivity change to READY" module=grpc Apr 25 05:33:29 ip-10-88-0-92 dockerd[3200]: time="2023-04-25T05:33:29.807226153Z" level=info msg="[core] [Channel #4] Channel Connectivity change to READY" module=grpc Apr 25 05:33:29 ip-10-88-0-92 dockerd[3200]: time="2023-04-25T05:33:29.948040853Z" level=info msg="Loading containers: start." Apr 25 05:33:30 ip-10-88-0-92 dockerd[3200]: time="2023-04-25T05:33:30.555548482Z" level=info msg="Loading containers: done." Apr 25 05:33:30 ip-10-88-0-92 dockerd[3200]: time="2023-04-25T05:33:30.632182156Z" level=info msg="Docker daemon" commit=cbce331 graphdriver=overlay2 version=23.0.4 Apr 25 05:33:30 ip-10-88-0-92 dockerd[3200]: time="2023-04-25T05:33:30.632518365Z" level=info msg="Daemon has completed initialization" Apr 25 05:33:30 ip-10-88-0-92 dockerd[3200]: time="2023-04-25T05:33:30.685301550Z" level=info msg="[core] [Server #7] Server created" module=grpc Apr 25 05:33:30 ip-10-88-0-92 systemd[1]: Started Docker Application Container Engine. Apr 25 05:33:30 ip-10-88-0-92 dockerd[3200]: time="2023-04-25T05:33:30.695652137Z" level=info msg="API listen on /run/docker.sock"

[jerryschen31]

https://www.digitalocean.com/community/tutorials/the-docker-ecosystem-an-introduction-to-common-components

[jerryschen31]

Docker.service file https://docs.docker.com/config/daemon/systemd/ Configure the docker daemon with systemd

Most configuration options for the Docker daemon are set using the daemon.json configuration file. See Docker daemon configuration overview for more information.

Doc also shows how to configure docker in “rootless” mode (as a user)

WHAT IS DAEMON VS SERVICE VS PROCESS https://askubuntu.com/questions/192058/what-is-technical-difference-between-daemon-service-and-process The word daemon for denoting a background program is from the Unix culture; it is not universal. A service is a program which responds to requests from other programs over some inter-process communication mechanism (usually over a network). A service is what a server provides

A service doesn't have to be a daemon, but usually is

In Unix/Linux, the names of daemons end in “d”

Daemons - Daemon does not stand for Disk and Execution Monitor (http://www.takeourword.com/TOW146/page4.html). They are the processes which run in the background and are not interactive. They have no controlling terminal.

They perform certain actions at predefined times or in response to certain events. In *NIX, the names of daemons end in d.

Services - In Windows, daemons are called services.

If you're wondering why *NIX has a command named service, it is just used to run init scripts (shorthand for initialization scriptrunlevel).

Process - Process is a running program. At a particular instant of time, it can be either running, sleeping, or zombie (completed process, but waiting for it's parent process to pick up the return value

https://help.ubuntu.com/community/UbuntuBootupHowto

[jerryschen31]

systemd is the main system daemon that manages other daemons (including systemd itself)

https://en.m.wikipedia.org/wiki/Systemd#:~:text=systemd%20is%20a%20software%20suite,space%20and%20manage%20user%20processes.

Namespaces and cgroups are part of systemd core

[TODO] look in docker.service directory

[jerryschen31]

Like the init daemon, systemd is a daemon that manages other daemons, which, including systemd itself, are background processes. systemd is the first daemon to start during booting and the last daemon to terminate during shutdown. The systemd daemon serves as the root of the user space's process tree; the first process (PID 1) has a special role on Unix systems, as it replaces the parent of a process when the original parent terminates. Therefore, the first process is particularly well suited for the purpose of monitoring daemons.

[TODO] setup Rasberry Pi. In book, show examples using ubuntu, Rasbperry Pi (raspberry OS), Mac OS X.

systemd is a system and service manager for Linux operating systems. systemctl is a command to introspect and control the state of the systemd system and service manager. Not to be confused with sysctl. systemd-analyze may be used to determine system boot-up performance statistics and retrieve other state and tracing information from the system and service manager.

systemd tracks processes using the Linux kernel's cgroups subsystem instead of using process identifiers (PIDs); thus, daemons cannot "escape" systemd, not even by double-forking. systemd not only uses cgroups, but also augments them with systemd-nspawn and machinectl, two utility programs that facilitate the creation and management of Linux containers

[jerryschen31]

networkd networkd is a daemon to handle the configuration of the network interfaces; in version 209, when it was first integrated, support was limited to statically assigned addresses and basic support for bridging configuration.[51][52][53][54][55] In July 2014, systemd version 215 was released, adding new features such as a DHCP server for IPv4 hosts, and VXLAN support.[56][57] networkctl may be used to review the state of the network links as seen by systemd-networkd.[58] Configuration of new interfaces has to be added under the /lib/systemd/network/ as a new file ending with .network extension

Journald systemd-journald is a daemon responsible for event logging, with append-only binary files serving as its logfiles. The system administrator may choose whether to log system events with systemd-journald, syslog-ng or rsyslog

resolved provides network name resolution to local applications

udevd udev is a device manager for the Linux kernel, which handles the /dev directory and all user space actions when adding/removing devices

[jerryschen31]

Edit

systemd-manager, a tool to configure systemd systemd is configured exclusively via plain-text files.

systemd records initialization instructions for each daemon in a configuration file (referred to as a "unit file") that uses a declarative language, replacing the traditionally used per-daemon startup shell scripts. The syntax of the language is inspired by .ini files.[64]

Unit-file types[65] include:

.service .socket .device (automatically initiated by systemd[66]) .mount .automount .swap .target .path .timer (which can be used as a cron-like job scheduler[67]) .snapshot .slice (used to group and manage processes and resources[68]) .scope (used to group worker processes, not intended to be configured via unit files[69])

[jerryschen31]

So .service .socket .mount files are plain-text config files that configure services (daemons) including the docker daemon (dockerd)

[jerryschen31]

Busybox https://en.m.wikipedia.org/wiki/BusyBox

[jerryschen31]

Configuring the docker daemon and more info on docker daemon https://docs.docker.com/config/daemon/

There is a JSON for configuring the docker daemon [TODO] look at the default docker daemon JSON

The state of docker daemon and other files are located in /var/lib/docker/ Note if you have more than one docker daemon running on your system, you need a separate directory for each daemon (I think you can specify this In the docker daemon JSON)

[jerryschen31]

remote access to docker (pretty cool): https://docs.docker.com/engine/security/protect-access/

[jerryschen31]

Dockerd is a container runtime

https://www.aquasec.com/cloud-native-academy/container-security/container-runtime/#:~:text=What%20Is%20a%20Container%20Runtime,on%20a%20host%20operating%20system What Is a Container Runtime? A container runtime, also known as container engine, is a software component that can run containers on a host operating system.

In a containerized architecture, container runtimes are responsible for loading container images from a repository, monitoring local system resources, isolating system resources for use of a container, and managing container lifecycle.

Common container runtimes commonly work together with container orchestrators. The orchestrator is responsible for managing clusters of containers, taking care of concerns like container scalability, networking, and security. The container engine takes responsibility for managing the individual containers running on every compute node in the cluster.

Common examples of container runtimes are runC, containerd, Docker, and Windows Containers. There are three main types of container runtimes—low-level runtimes, high-level runtimes, and sandboxed or virtualized runtimes

[jerryschen31]

Q: is a docker CLI command (e.g., docker container run…) TRANSLATED into a docker API call (GET HTTP/X/… ?) before communicating with /var/run/docker.sock ?

[jerryschen31]

https://stackoverflow.com/questions/46649592/dockerd-vs-docker-containerd-vs-docker-runc-vs-docker-containerd-ctr-vs-docker-c

Also https://kodekloud.com/blog/docker-vs-containerd/

[jerryschen31]

Containerd docs and GitHub https://github.com/containerd/containerd has link to Runc docs

[jerryschen31]

More resources https://www.tutorialworks.com/difference-docker-containerd-runc-crio-oci/ https://www.tutorialworks.com/devops-tools/ https://stackoverflow.com/questions/41645665/how-containerd-compares-to-runc https://github.com/opencontainers/runc https://github.com/opencontainers/runtime-spec https://github.com/crosbymichael/dockercon-2016/blob/master/Creating%20Containerd.pdf

https://www.tutorialworks.com/container-guide/ https://alenkacz.medium.com/whats-the-difference-between-runc-containerd-docker-3fc8f79d4d6e https://iximiuz.com/en/posts/oci-containers/ https://www.tutorialworks.com/container-networking/

[jerryschen31]

https://github.com/opencontainers/runtime-spec/blob/main/principles.md Official Open Container Initiative definition of a container: The goal of a Standard Container is to encapsulate a software component and all its dependencies in a format that is self-describing and portable, so that any compliant runtime can run it without extra dependencies, regardless of the underlying machine and the contents of the container

[jerryschen31]

https://github.com/opencontainers/runtime-spec/blob/main/runtime.md Need to understand (1) the word “runtime” a lot better - runtime of OS, runtime of container… (2) where the config.json for a container lives, and see an example

[jerryschen31]

https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md Official documentation for namespaces and control groups in containers

[jerryschen31]

Runc https://github.com/opencontainers/runc