Docker Containers - Mind Palace

**Docker containers** are lightweight, portable units of software that package an application together with its dependencies, libraries, and configuration — isolated from the host operating system and other containers. Unlike [[VMs|virtual machines]], containers share the host OS kernel, making them faster to start, smaller in footprint, and more efficient in resource usage. --- ### First Principle: Isolate the application, not the entire operating system. VMs virtualise hardware and run a full guest OS per instance. Containers virtualise only the application layer — sharing the host kernel while maintaining process, filesystem, and network isolation. This trades some security boundary strength for dramatic gains in density and speed. --- ### Key Considerations - **Image-Based Deployment**: A Docker image is a read-only template that defines the container's filesystem and startup command. Images are versioned, shareable, and reproducible — eliminating "works on my machine" problems. - **Orchestration**: At scale, containers are managed by orchestrators like **Kubernetes**, which handles scheduling, scaling, health checks, and networking across clusters. This is the dominant deployment model in modern cloud and [[Clustering|clustered]] environments. - **Resource Efficiency**: A single server can run dozens to hundreds of containers versus a handful of VMs. This directly improves [[multi-tenancy|multi-tenant]] utilisation in data centers. - **Networking**: Containers use virtual networks (overlay or bridge) and can be connected across hosts. Service mesh architectures (Istio, Linkerd) add observability and security at the container networking layer. - **Limitations**: Containers share the host kernel, so they cannot run a different OS than the host. For GPU workloads, NVIDIA's container runtime provides GPU passthrough to containers. --- ### Actionable Insights For [[Modular Data Center Design Principles|modular data centers]] serving AI and HPC workloads, containers are the standard deployment unit for inference services. When designing the compute layer, ensure the [[Bare Metal|bare metal]] hosts support container runtimes with GPU passthrough (NVIDIA Container Toolkit). The [[Scheduling|scheduling]] system (typically Kubernetes) then allocates GPU resources — potentially down to [[MIGs|MIG partitions]] — to individual containers, maximising hardware utilisation. --- ### Where Containers Sit in the Abstraction Stack ``` [[VLSI]] (transistors) → [[Bare Metal]] (physical server) → [[VMs]] (hardware virtualisation) → Docker Containers (OS-level virtualisation) ← you are here → [[MIGs]] (GPU partitioning) ``` Each layer up trades raw performance for flexibility and [[multi-tenancy|multi-tenant]] isolation. [[VMs]] | [[Bare Metal]] | [[MIGs]] | [[Clustering]] | [[Scheduling]] | [[Kubernetes]]