Terminologies
Container
A lightweight, isolated environment that packages an application with all its dependencies, ensuring consistent execution across environments. Containers share the host operating system kernel but run as separate processes, providing efficiency and portability.
Container Image
A read-only, immutable template used to create containers. It contains the application code, runtime, libraries, environment variables, and configuration files.
- Built using instructions defined in a Dockerfile (or similar manifest).
- Stored in container registries.
- Versioned and layered for reusability.
Container Runtime
The software component responsible for running containers on the host operating system. It handles container lifecycle operations like starting, stopping, and resource isolation. Examples:
- Docker Engine
- containerd
- runc
- CRI-O
- Podman
Container Engine
A higher-level tool that manages containers and interacts with the container runtime. It provides developer-friendly commands and APIs.
Example: Docker Engine uses containerd and runc under the hood.
Container Registry
A storage and distribution system for container images. Registries allow developers to push and pull images easily. Examples:
- Docker Hub
- Amazon Elastic Container Registry (ECR)
- Google Container Registry (GCR)
- GitHub Container Registry
Dockerfile
A text file that defines the instructions for building a container image.
Each instruction (e.g., FROM, RUN, COPY, EXPOSE) adds a new layer to the image.
Container Orchestration
The process of automating deployment, scaling, networking, and management of containers in large-scale environments. Examples:
- Kubernetes
- Docker Swarm
- Apache Mesos
Namespace
A Linux kernel feature that provides isolation for containers. Namespaces ensure each container has its own view of system resources (like processes, networking, and mounts). Common namespaces:
- PID (process isolation)
- NET (network stack isolation)
- IPC (inter-process communication isolation)
- MNT (file system mount isolation)
- UTS (hostname isolation)
cgroups (Control Groups)
Another Linux kernel feature used by containers to limit and monitor resource usage (CPU, memory, disk I/O, network). This ensures one container cannot consume all of the host's resources.
OverlayFS
A union filesystem used in containers that allows layering of images.
- Base layers (read-only) can be reused across images.
- The top layer (read-write) stores changes made by the container.
Volume
A mechanism to persist data generated by containers. Since containers are ephemeral, volumes ensure data survives container restarts. Types of volumes:
- Named volumes
- Host-mounted volumes
- tmpfs volumes
Bind Mount
A type of volume that mounts a directory or file from the host machine directly into a container. Useful for development but couples containers tightly to the host.
Container Networking
Defines how containers communicate with each other and with the outside world. Networking modes:
- Bridge (default, private network for containers)
- Host (shares host’s network stack)
- Overlay (multi-host networking for orchestration systems)
- Macvlan (assigns MAC addresses to containers)
Container Lifecycle
The stages a container goes through:
- Created → Started → Running → Paused → Stopped → Removed
Pod
A concept from Kubernetes. A pod is the smallest deployable unit, containing one or more tightly coupled containers that share networking and storage.
Init Container
A special container in Kubernetes that runs before the main application containers in a pod. Used for setup tasks like initializing databases or loading configuration files.
Sidecar Container
A helper container that runs alongside the main application container in the same pod. Examples:
- Logging agent
- Monitoring agent
- Proxy (e.g., Envoy in service mesh)
Service Mesh
A dedicated infrastructure layer for managing service-to-service communication between containers/microservices. Examples: Istio, Linkerd, Consul.
OCI (Open Container Initiative)
A Linux Foundation project that standardizes container formats and runtimes.
- OCI Image Specification → how images should be packaged.
- OCI Runtime Specification → how runtimes should execute containers.
Sandbox Container
A container that provides additional isolation, often using lightweight virtual machines for enhanced security. Examples: gVisor, Kata Containers.
Ephemeral Containers
Short-lived containers designed to run temporary tasks (like debugging) without affecting the main application.
Container Logs
Output streams (stdout, stderr) from containers. Logs can be captured, persisted, and aggregated using log drivers or monitoring tools like Fluentd, ELK, or Splunk.
Container Security
Key concepts include:
- Image scanning (check for vulnerabilities in base images)
- Least privilege (run as non-root user)
- Signing and verifying images
- Runtime security (detect abnormal behavior in running containers)
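A Dockerfile that ties the Dockerfile entry above (one image layer per instruction) together with the least-privilege point from this list. It is an added example, not code from the original page; the service name "app", the Python base image, the file layout and port 8080 are assumptions.

```dockerfile
# Added example (not from the original page): a Dockerfile for a hypothetical
# Python web service called "app". Every instruction below produces one
# image layer; ordering puts rarely-changing layers first so they are
# reused from the build cache and changed application code only touches
# the last layers.

# Base layer: pin the image to a tag and a digest so the build is
# reproducible and the image that was scanned is the one that ships.
# <digest> is a placeholder; take the real value from the registry.
FROM python:3.12-slim@sha256:<digest>

# One RUN = one layer: install OS packages and clean up in the same step,
# otherwise the removed apt cache would persist in an earlier read-only layer.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# Least privilege: create an unprivileged account instead of running as root.
RUN groupadd --system app && useradd --system --gid app --no-create-home app

WORKDIR /srv/app

# Copy the dependency manifest first; this layer stays cached until it changes.
COPY --chown=app:app requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Application code changes most often, so it goes in the last COPY layer.
COPY --chown=app:app src/ ./src/

# Document the listening port (assumed 8080); EXPOSE does not publish it.
EXPOSE 8080

# Switch to the unprivileged user before the process starts.
USER app

CMD ["python", "-m", "src.main"]
```

Building this with `docker build` and inspecting the result with `docker history` shows one layer per instruction, which is the layering behaviour the Dockerfile entry describes.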