Docker: base image

Question

I am trying to understand Docker concepts but one thing I can not catch:

As I understand image (consequently - a container) can be instantiated from different linux distributives, such as Ubuntu, CentOS and others.

Let's say on host machine I run standard Ubuntu 14.04,

• What happens if I use container that is not instantiated from same distributive?
  • Not 14.04?
  • Not Ubuntu (or any other Debian-based)?
  • What disadvantages of using different base-images of images you use? (Let's say I use Image A that uses Ubuntu as a base image, Image B that used Debian as base image and Image C that uses CentOS as base image)?

Bonus question: How can I tell what base image used for an image if developer didn't specified it in a Docker hub description?

Thank you in advance!

Answer 1

Docker does not use LXC (not since Docker 0.9) but libcontainer (now runc), a built-in execution driver which manipulates namespaces, control groups, capabilities, apparmor profiles, network interfaces and firewalling rules – all in a consistent and predictable way, and without depending on LXC or any other userland package.

A docker image represents a set of files winch will run as a container in their own memory and disk and user space, while accessing the host kernel.
This differs from a VM, which does not access the host kernel but includes its own hardware/software stack through its hypervisor.
A container has just to set limits (disk, memory, cpu) in the host. An actual VM has to build an entire new host.

That docker image (group of files) can be anything, as long as:

• it does not depends on host libraries (since it is isolated in its own disk space, it does not have access to hosts files, unless volumes are mounted)
• it does only system calls: see "What is meant by shared kernel in Docker?"

That means an image can be anything: another linux distro, or even a single executable file. Any executable compile in go (https://golang.org/) for instance, could be packaged in its own docker image without any linux distro:

FROM scratch
COPY my_go_exe /
ENTRYPOINT /my_go_exe

scratch is the "empty" image, and a go executable is statically linked, so it is self-contained and only depends on system calls to the kernel.

Answer 2

The main thing shared between the host OS and docker container is the kernel. The main risk of running docker containers from different distributions/versions is that they may depend on kernel functionality not present on the host system, for example if the container expects a newer kernel than the host has installed.

In theory, the Linux kernel is backwards compatible. As long as the host kernel is newer than the container kernel it should work.

From an operational perspective, each time you start depending on a different base image that is another dependency that you need to monitor for updates and security issues. Standardizing on one distribution reduces the workload for your ops team when the next big vulnerability is discovered.

Answer 3

Docker uses LXC, which is an operating-system-level virtualization method for running multiple isolated Linux systems (containers) on a control host using a single Linux kernel.

You can compare this to a VM on your machine, where you start another Linux distro, which does not have to be the same as your host OS. So it does not matter, if your host os is the same as the base image of your container.

In Docker, the container is built from layers. Each step (command) in your Dockerfile represent one layer, which are applied one after the other. The first step ist to apply the base OS layer, which is indicated by FROM.

So to answer your bonus question, you can have a look inside the Dockerfile of the container you're using (it's the third tab on DockerHub) and see in the first statement, which is the base image (os).