TIL - Underneath the Docker Desktop
This is how I came about learning this.
One of the comments mentioned this What is an Operating System? podcast from JaneStreet. As an impulsive monkey that I am, I proceed to listen to that on a very long bus ride from one end of Singapore to another. (I highly recommend to check it out! Although I barely understood most of stuff, it is great. You trust me on this one.)
One of the projects mentioned in this podcast is called MirageOS. A modular library OS written in OCaml. From there, I learned that MirageOS libraries empower Docker Desktop. Holy Cannoli! How is this not very cool ??
Anyway, the TLDR is that
- Docker Desktop for Windows and Mac OSX uses a Linux VM underneath to manage the containers that you run via the GUI.
- Docker uses LinuxKit to build the VM.
What the heck is LinuxKit ?
It is a toolkit for building secure, portable and lean operating systems for containers.
- LinuxKit Repo
Basically, you can use it to build a custom kernel/OS yourself with minimum dependencies. Then you can boot it up on the cloud VMs or your local VMs. Very flexible and customizable.
For example, this is how an OS with only Redis running inside, plus only the required permissions.
# Minimal YAML to run a redis server (used at DockerCon'17) # connect: nc localhost 6379 kernel: image: linuxkit/kernel:5.10.104 cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0" init: - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7 - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4 - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da onboot: - name: dhcpcd image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] services: - name: getty image: linuxkit/getty:c9d5afa9a61ac907904090643e946874ff6bf07c env: - INSECURE=true # Currently redis:4.0.6-alpine has trust issue with multi-arch # https://github.com/docker-library/official-images/issues/3794 - name: redis image: redis:4.0.5-alpine capabilities: - CAP_NET_BIND_SERVICE - CAP_CHOWN - CAP_SETUID - CAP_SETGID - CAP_DAC_OVERRIDE net: host
Found a neat guide at Build custom OS by LinuxKit as well.
Next component is this vpnkit thing.
VPNKit creates a virtual network interface on the host machine and assigns IP addresses to each of the connected virtual machines or containers. This allows the virtual machines and containers to communicate with each other as if they were on the same physical network, even though they may be running on different physical machines or in different locations. Also written in OCaml and you bet it’s built on top of the network protocol libraries of the MirageOS.
A bigger/detail picture.
From How Docker Desktop Networking Works Under the Hood. Also highly recommended to check it out.
Now that I’ve learned a little bit about MirageOS/Docker, I will traverse upward and learn more about OCaml next time!