As we know, a docker container is a process using cgroup and namespace.
But normally we can use docker exec -it docker-id bash to enter the container and get a bash.
bash, as a shell, should be an independent process.
Thus we get two processes, which are the original process, like nginx, and bash.
So, in my eyes, a docker container is more like a set of processes.
Could anyone offer some help?
Linux itself doesn't have a formal container object in the kernel, so as you've seen, it's a concept made up of namespaces and cgroups. These are applied to a process running in the kernel, making a container a very different construct than a virtual machine that runs its own kernel, init, daemons, etc.
Typically we say a container is a process to differentiate from people that think of a container as a lightweight VM and try to cram in multiple distinct applications into a single container. This tends to be a bad idea since management of containers is not designed for that task.
As you've seen, it is possible to run multiple processes with the same namespaces and cgroups. This is also what happens when you fork a child process in the container: it inherits the parent's namespaces and cgroups. However, a key distinction from saying it's a set of processes is the behavior of pid 1 inside the container. Once this pid exits, the container is destroyed, killing all other processes in that pid namespace.
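To see the shared namespaces and the special role of pid 1 from the host, the following added example (not part of the original answer) groups processes by the namespace links under /proc/<pid>/ns and picks out the member whose innermost NSpid is 1. The PIDs, namespace ids and the helper names (`read_proc`, `group_by_namespaces`, `container_init`, `sample_ns`, `SAMPLE`) are constructed for illustration.

```python
import os
from collections import defaultdict

NS_TYPES = ("pid", "mnt", "net", "uts", "ipc")

def read_proc(pid, proc="/proc"):
    """Return (namespaces, nspid, name) for one live process from /proc/<pid>."""
    ns = {t: os.readlink(f"{proc}/{pid}/ns/{t}") for t in NS_TYPES}
    nspid, name = pid, "?"
    with open(f"{proc}/{pid}/status") as fh:
        for line in fh:
            if line.startswith("Name:"):
                name = line.split(None, 1)[1].strip()
            elif line.startswith("NSpid:"):
                nspid = int(line.split()[-1])  # last field = PID in innermost namespace
    return ns, nspid, name

def group_by_namespaces(procs):
    """procs: {host_pid: (namespaces, nspid, name)} -> {namespace tuple: [members]}."""
    groups = defaultdict(list)
    for host_pid, (ns, nspid, name) in sorted(procs.items()):
        groups[tuple(ns[t] for t in NS_TYPES)].append((host_pid, nspid, name))
    return dict(groups)

def container_init(members):
    """The member that is PID 1 inside the PID namespace, or None."""
    return next((m for m in members if m[1] == 1), None)

def sample_ns(ident):
    # Constructed links in the format readlink(/proc/<pid>/ns/<type>) returns.
    return {t: f"{t}:[{ident + i}]" for i, t in enumerate(NS_TYPES)}

# Constructed sample: a host init, an nginx container, and a bash from docker exec.
SAMPLE = {
    1:    (sample_ns(4026531836), 1,  "systemd"),
    2310: (sample_ns(4026532200), 1,  "nginx"),  # container entrypoint
    2345: (sample_ns(4026532200), 7,  "nginx"),  # worker forked by 2310
    2790: (sample_ns(4026532200), 15, "bash"),   # joined via docker exec
}

if __name__ == "__main__":
    live = {}
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            live[int(entry)] = read_proc(int(entry))
        except OSError:  # process exited, or not readable without root
            continue
    for key, members in group_by_namespaces(live).items():
        print(key[0], "init:", container_init(members), "members:", len(members))
```

Run as root on a Docker host, the script prints one line per distinct namespace set; the bash started by docker exec shows up in the same group as the container's entrypoint rather than as a group of its own.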