🐳 5 Linux Kernel Features Behind Docker Containers (Part 2 – Step-by-Step Deep Dive)
In Part 1 of this Docker series, we explored Docker fundamentals: images, containers, and Docker architecture.
In Part 2, we take a deep dive into Docker internals, showing how Linux kernel features make containers lightweight, isolated, and efficient. This guide is step-by-step, with real Docker commands, practical examples, and production insights.
1️⃣ What Happens When a Docker Container Is Created?
When you start a Docker container, several critical things happen under the hood:
✅ Docker creates a network namespace
✅ Assigns an IP address and attaches it to a Docker network
✅ Sets up routing and DNS resolution
✅ Creates a filesystem isolation (mount namespace)
✅ Applies CPU and memory limits using cgroups
✅ Starts the container process (e.g., Java app, Node.js, PostgreSQL)
Result: Each container behaves like an independent mini-system with network, isolation, and process control.
2️⃣ Linux Namespaces – Container Isolation Explained
🔹 What Are Linux Namespaces?
A namespace isolates container resources. It determines what the container can see and interact with.
🔹 Key Namespaces Used by Docker
NamespaceIsolatesPractical ImpactPIDProcessesContainer sees only its own processesNETNetworkOwn IP, routing, portsMNTFilesystem mountsOwn filesystem viewIPCShared memoryIsolated inter-process communicationUTSHostnameContainer gets its own hostnameUSERUser IDsMaps container users to host users safely
Namespace Communication Rules:
Containers in different PID or MNT namespaces cannot see each other’s processes or files.
Containers in different network namespaces cannot talk unless explicitly connected via Docker networks.
Namespaces isolate visibility, not connectivity logic.
3️⃣ Docker Networking – How Containers Communicate
🔹 Default Networking Behavior
Each container gets its own network namespace.
Containers cannot communicate using IP or name unless on the same Docker network.
🔹 Example: Two Containers on One Network
docker network create app-net
docker run -d --name db --network app-net postgres
docker run -d --name java --network app-net my-java-app
Java app can connect to the database using:
db:5432
Best practice: Always use container or service names instead of static IPs.
🔹 How Docker Handles Networking
Docker uses Linux kernel features like:
Virtual Ethernet pairs (veth)
Linux bridges
Docker DNS
These ensure container communication is seamless, scalable, and isolated.
4️⃣ Control Groups (cgroups) – Resource Management
🔹 What Are cgroups?
cgroups control CPU, memory, disk I/O, and network usage per container, preventing one container from starving others.
🔹 Real-Life Examples
Limit memory:
docker run --memory=256m my-app
Limit CPU:
docker run --cpus="1.0" my-app
Monitor usage:
docker stats
🔹 What Happens When Limits Are Exceeded?
Memory: container is OOM-killed
CPU: container is throttled, slowing down execution
5️⃣ Container Crash & Restart Behavior
🔹 Case A: No Restart Policy ❌
Container stops permanently
IP is lost
Application downtime occurs
🔹 Case B: Restart Policy Enabled ✅
restart: always
Docker automatically restarts the container
Assigns a new IP
Updates Docker DNS
Application reconnects using service names
Important: Applications must implement retry/backoff logic for database or service connections.
Example – Database Crash Sequence:
DB container stops
Java app receives connection errors
DB restarts (with restart policy)
DB gets a new IP
Docker DNS updates automatically
Java reconnects if retry logic exists
⚠️ Without retry logic → application fails.
6️⃣ Docker Union File Systems – Image Layers
Docker images are made of read-only layers.
Containers get a writable top layer.
Deleting a container removes its writable layer, but base image layers remain.
Impact: Explains container ephemerality and fast image builds.
7️⃣ Linux Capabilities & Container Security
Containers share the host kernel, so privileges must be minimized.
Docker drops unnecessary capabilities by default.
Run containers as non-root:
FROM nginx
USER nginx
Security is further enhanced via seccomp, AppArmor, SELinux.
8️⃣ Docker Data Persistence
🔹 Without Volumes ❌
Container crash = data lost
🔹 With Volumes ✅
volumes:
- db_data:/var/lib/postgresql/data
Container restarts safely
Data persists across container lifecycles
9️⃣ Container Lifecycle Summary
EventWhat HappensContainer createdNetwork, isolation, process startedTwo containersCan communicate using names if on same networkContainer crashesStops process; restart depends on policyRestarted containerGets new IP, Docker DNS updatedApplication connectionMust re-establish using retry logicDataSafe only with volumes
🔑 Senior DevOps Takeaways
Containers are ephemeral – IPs change, processes die
Service and container names are stable
Always use service names for communication
Implement restart and reconnection logic in apps
Linux kernel features (namespaces, cgroups, OverlayFS, capabilities) make Docker lightweight, isolated, and secure
Pro Interview Answer: Containers are disposable, network IPs are temporary, and applications must be designed for resilience and reconnection.
📌 Next in the Series (Part 3): Dockerfile internals, image caching, CMD vs ENTRYPOINT
🚀 Tip: Share this post if you found it helpful and follow the series for a complete DevOps Docker deep dive.
