Part 2 Conceptual Complete

Part 2: "Containers 101" — Docker Fundamentals You Actually Need for K8s

"Containers 101" — Docker Fundamentals You Actually Need for K8s

June 28, 2025 12 min read

Alex, a seasoned backend engineer with a decade of experience building and scaling monolithic applications on virtual machines, felt a familiar thrill mixed with a healthy dose of anxiety. NovaCraft, the fast-growing startup Alex had just joined, was a whirlwind of activity. The energy was palpable, a stark contrast to the more measured pace of Alex’s previous roles. Here, everything was about moving fast, shipping code, and scaling on demand. And at the heart of it all was a technology Alex had only read about in blog posts and conference talks: Kubernetes.

During the first week, Alex was tasked with a seemingly simple goal: get the local development environment for the company’s flagship product, a real-time analytics engine, up and running. The project’s README was deceptively short. It didn’t have the usual long list of dependencies to install or complex setup scripts to run. Instead, it had a single command: docker-compose up.

Alex had, of course, heard of Docker. It was the container thing. But in a world of virtual machines, it had always seemed like a solution to a problem Alex didn’t have. Now, it was the gatekeeper to productivity. After installing Docker Desktop on a new MacBook, Alex ran the command. A flurry of text scrolled by, layers were pulled, and services started. It was magical, almost too easy. But when Alex tried to make a simple code change to a Python service, the change wasn’t reflected. Alex rebuilt the container, but the old code was still running. Frustration began to set in. It was clear that just running commands wasn’t enough. To truly be effective at NovaCraft, and to even begin to understand the Kubernetes ecosystem that the company relied on, Alex needed to go deeper. It was time to understand what a container really was.

The Rabbit Hole: What is a Container, Really?

Alex decided to take a step back. The immediate problem of the un-reflected code change was a symptom of a larger knowledge gap. To solve it, and to avoid similar issues in the future, Alex needed to understand the fundamentals. What was happening when docker-compose up was executed? What was this “container” that was supposedly running the code?

At first glance, a container looks a lot like a lightweight virtual machine. It has its own filesystem, its own network interface, and its own set of processes. But the analogy, as Alex was quickly learning, was a leaky one. A virtual machine emulates an entire operating system, complete with its own kernel. A container, on the other hand, is a process—or a group of processes—running on the host operating system’s kernel. It’s a clever illusion of isolation, created by a few powerful features of the Linux kernel.

The Pillars of Containerization: Namespaces, Cgroups, and Union Filesystems

Alex’s research led to three core concepts that, when combined, form the foundation of modern containerization:

Namespaces: Imagine you’re at a large, open-plan office. It’s noisy, and it’s hard to focus. Now, imagine you’re given a set of noise-canceling headphones and a private cubicle. Suddenly, your world shrinks. You can only see what’s in front of you, and you can only hear your own thoughts. This is what namespaces do for a process. They create a “cubicle” for a process, limiting what it can see and interact with. There are different types of namespaces, each responsible for isolating a specific resource:
- PID (Process ID): Inside a container, your application thinks it’s the only process running (or at least, it has its own process tree, starting with PID 1). It can’t see or signal other processes on the host.
- NET (Network): The container gets its own network stack, with its own IP address, routing tables, and firewall rules. This is why you can run multiple containers on the same host, all listening on the same port, without conflicts.
- MNT (Mount): The container has its own filesystem, separate from the host’s filesystem. This is why the application inside the container sees a different file structure than what’s on the host machine.
- UTS (UNIX Timesharing System): This allows the container to have its own hostname and domain name.
- IPC (Inter-Process Communication): This isolates communication between processes within the container from processes on the host.
- USER (User ID): This allows a process to have a different user and group ID inside and outside a namespace.
Cgroups (Control Groups): If namespaces are about what a process can see, cgroups are about what a process can use. They are the resource-limiting mechanism for containers. Think of them as the office manager who controls the thermostat and the electricity supply to your cubicle. Cgroups allow you to set limits on the amount of CPU, memory, and I/O that a container can consume. This is crucial for preventing a single, misbehaving container from bringing down the entire host.
Union Filesystems: This is the magic that makes container images so efficient. A container image is a layered, read-only template. When you start a container, a new, writable layer is added on top of the read-only image layers. This is called a union filesystem. When you make a change to a file in a running container, you’re not changing the image. You’re creating a copy of the file in the writable layer and modifying it there. This has two key benefits:
- Efficiency: Multiple containers can share the same base image layers, saving disk space.
- Immutability: The image itself is never changed. This makes it easy to roll back to a previous version of the image or to spin up new, identical containers.

Alex now understood why the code change wasn’t being reflected. The code was part of the image, which was read-only. To see the change, Alex would need to rebuild the image. But that seemed inefficient for development. There had to be a better way. This led Alex to the next topic: the Dockerfile.

The Blueprint: Writing Your First Dockerfile

A Dockerfile is a text file that contains the instructions for building a Docker image. It’s the blueprint for your container. Each instruction in a Dockerfile creates a new layer in the image. This is why the order of instructions matters. You want to put the instructions that change most frequently (like copying your application code) as late in the file as possible, to take advantage of Docker’s layer caching.

Let’s break down a simple Dockerfile for a Python application:

# Use an official Python runtime as a parent image
FROM python:3.9-slim

# Set the working directory in the container
WORKDIR /app

# Copy the current directory contents into the container at /app
COPY . /app

# Install any needed packages specified in requirements.txt
RUN pip install --no-cache-dir -r requirements.txt

# Make port 80 available to the world outside this container
EXPOSE 80

# Define environment variable
ENV NAME World

# Run app.py when the container launches
CMD ["python", "app.py"]

Here’s what each of these instructions does:

FROM: This is the most important instruction. It specifies the base image for your new image. In this case, we’re using the official Python 3.9 slim image from Docker Hub. This image contains the Python runtime and a minimal set of packages.
WORKDIR: This sets the working directory for any subsequent RUN, CMD, ENTRYPOINT, COPY, and ADD instructions. If the directory doesn’t exist, it will be created.
COPY: This copies files or directories from your local filesystem to the container’s filesystem.
RUN: This executes a command in a new layer on top of the current image. This is typically used to install packages or to run build scripts.
EXPOSE: This informs Docker that the container listens on the specified network ports at runtime. It doesn’t actually publish the port. It functions as a type of documentation between the person who builds the image and the person who runs the container, about which ports are intended to be published.
ENV: This sets an environment variable.
CMD: This provides the default command to execute when the container starts. There can only be one CMD instruction in a Dockerfile. If you specify a command when you run the container (e.g., docker run <image> <command>), it will override the CMD instruction.

Building, Tagging, and Pushing Images

Once you have a Dockerfile, you can build an image from it using the docker build command:

docker build -t my-python-app:1.0 .

The -t flag tags the image with a name and a version. The . at the end of the command tells Docker to look for the Dockerfile in the current directory.

After the build is complete, you can see your new image in the list of local images:

docker images

To run the container, you use the docker run command:

docker run -p 8080:80 my-python-app:1.0

The -p flag publishes the container’s port 80 to port 8080 on the host. This is what allows you to access the application from your browser at http://localhost:8080.

Finally, to share your image with others, you can push it to a container registry like Docker Hub or a private registry. First, you need to tag the image with the registry’s address:

docker tag my-python-app:1.0 your-dockerhub-username/my-python-app:1.0

Then, you can push the image:

docker push your-dockerhub-username/my-python-app:1.0

Multi-Stage Builds for Production

For production applications, you want your images to be as small and secure as possible. This is where multi-stage builds come in. A multi-stage build allows you to use multiple FROM instructions in your Dockerfile. Each FROM instruction starts a new build stage. You can selectively copy artifacts from one stage to another, leaving behind everything you don’t need in the final image.

Here’s an example of a multi-stage build for a Go application:

# Build stage
FROM golang:1.17-alpine AS builder

WORKDIR /app
COPY . .

RUN go build -o my-app

# Final stage
FROM alpine:latest

WORKDIR /root/
COPY --from=builder /app/my-app .

CMD ["./my-app"]

In this example, the first stage uses the golang image to build the application. The second stage uses the much smaller alpine image and copies only the compiled binary from the first stage. This results in a final image that is significantly smaller than it would be if you had built the application in the final image directly.

Hands-On: Containerizing a Simple REST API

Now it’s time to put theory into practice. We’ll build a simple REST API using Python and Flask, and then we’ll containerize it using Docker. This will be a practical, real-world example that you can run on your own machine.

The Application

Our application will be a simple API with a single endpoint that returns a JSON object. Here’s the code for app.py:

from flask import Flask, jsonify

app = Flask(__name__)

@app.route('/')
def home():
    return jsonify({'message': 'Hello, from a containerized Flask API!'})

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)

We also need a requirements.txt file to specify our dependencies:

Flask==2.0.2

The Dockerfile

Now, let’s create a Dockerfile to containerize our application:

# Use an official Python runtime as a parent image
FROM python:3.9-slim

# Set the working directory in the container
WORKDIR /app

# Copy the current directory contents into the container at /app
COPY . /app

# Install any needed packages specified in requirements.txt
RUN pip install --no-cache-dir -r requirements.txt

# Make port 80 available to the world outside this container
EXPOSE 80

# Run app.py when the container launches
CMD ["python", "app.py"]

Building and Running the Container

Now, let’s build the image:

docker build -t my-flask-app:1.0 .

And run the container:

docker run -d -p 5000:80 my-flask-app:1.0

The -d flag runs the container in detached mode, so it runs in the background. The -p flag maps port 5000 on the host to port 80 in the container.

Now, you can access the API in your browser or with curl:

curl http://localhost:5000

You should see the following output:

{
  "message": "Hello, from a containerized Flask API!"
}

Development with Docker: Using Volumes

Remember Alex’s problem with the code change not being reflected? The solution is to use a volume. A volume is a way to mount a directory from the host machine into the container. This allows you to edit the code on your host machine and see the changes reflected in the container immediately, without having to rebuild the image.

To use a volume, you can use the -v flag with the docker run command:

docker run -d -p 5000:80 -v $(pwd):/app my-flask-app:1.0

Now, if you change the message in app.py and save the file, you can see the updated message by calling the API again. No rebuild required!

Debugging and Troubleshooting

Even with a simple setup, things can go wrong. Here are a few common issues you might encounter:

“Command not found” errors: If you get an error like docker: command not found, it means the Docker daemon is not running or your shell can’t find the docker executable. Make sure Docker Desktop is running.
Port conflicts: If you get an error that a port is already in use, it means another process on your host machine is using the same port. You can either stop the other process or use a different host port in the docker run command (e.g., -p 8081:80).
File not found errors inside the container: If your application can’t find a file that you’ve copied into the container, double-check the COPY instruction in your Dockerfile and make sure the paths are correct.
Permission errors: If you get permission errors when the container tries to write to a file or directory, it could be a user permission issue. You can use the USER instruction in your Dockerfile to run the container as a specific user.

Key Takeaways

Containers are a powerful way to package and run applications in isolated environments.
They are not virtual machines. They are just processes running on the host kernel, with a clever illusion of isolation provided by namespaces and cgroups.
A Dockerfile is the blueprint for building a container image.
Multi-stage builds are a great way to create small, secure production images.
Volumes are essential for an efficient development workflow with containers.

The Journey Continues

Alex felt a sense of accomplishment. The mystery of the container was beginning to unravel. It wasn’t just a black box anymore. It was a set of powerful tools that, when understood, could be used to build and ship software more efficiently and reliably. The immediate problem of the local development environment was solved, but Alex knew this was just the first step. The real challenge lay ahead: understanding how to manage not just one container, but hundreds or even thousands of them. The word “Kubernetes” loomed large, no longer a mysterious incantation but the next peak to conquer. The container odyssey had just begun.

Next up: Part 3: “Orchestration Ocean” — Diving into Kubernetes Architecture.

Series Progress 14/14 parts

0 The Container Odyssey: A Kubernetes Tutorial Series: Season 1 Complete 1 Part 1: "The New Gig" — Why Kubernetes Exists and What Problem It Solves Complete 2 Part 2: "Containers 101" — Docker Fundamentals You Actually Need for K8s Complete 3 Part 3: The First Deploy — Pods, the Atomic Unit of Kubernetes Complete 4 Part 4: "Scaling the Team" — ReplicaSets, Deployments, and Rolling Updates Complete 5 Part 5: "Opening the Doors" — Services, Networking, and Ingress Complete 6 Part 6: "The Config Puzzle" — ConfigMaps, Secrets, and Environment Management Complete 7 Part 7: "Persistent Memories" — Storage, Volumes, and StatefulSets Complete 8 Part 8: The Night Watch — Health Checks, Resource Management, and Observability Complete 9 Part 9: "The Assembly Line" — Jobs, CronJobs, and DaemonSets Complete 9 Part 9: "The Assembly Line" — Jobs, CronJobs, and DaemonSets Complete 10 Part 10: "Fortress K8s" — RBAC, Network Policies, and Security Best Practices Complete 11 Part 11: "The Helm of the Ship" — Helm, Kustomize, and Templating Complete 12 Part 12: "Production Ready" — CI/CD, GitOps, and the Road Ahead Complete