Phase 7: Containers
Containers aren't magic and they're not VMs. They're regular Linux processes running with a carefully constrained view of the system: isolated namespaces, resource-limited cgroups, reduced capabilities, and a layered filesystem. Understanding these primitives means you'll never be confused by a container issue again.
What You'll Learn
1. Linux Namespaces
The 7 namespace types that give containers their isolated view of the system.
Intermediate
2. cgroups
How Linux limits CPU, memory, and I/O for containers and processes.
Intermediate
3. cgroup Controllers
Deep dive into cpu, memory, blkio, and other cgroup v2 controllers.
Advanced
4. chroot & pivot_root
The filesystem isolation primitive — and why chroot alone isn't secure.
Intermediate
5. Linux Capabilities
How root privileges are split into fine-grained capabilities for containers.
Advanced
6. seccomp
System call filtering — how containers block dangerous syscalls.
Advanced
7. Docker Internals
What Docker actually does: which syscalls, which namespaces, what runc does.
Intermediate
8. OverlayFS
How Docker layers images — the copy-on-write filesystem explained.
Intermediate