Deep Dive into (Docker) Containers for Node.js Engineers

Are you a Node developer who has no clue how Docker containers work?

Well, we will change that in this article.

Note: we use Linux here. Use Windows at your own peril… On a more serious note, if you are required to use Windows, install VirtualBox and run an Ubuntu virtual machine (VM) (on Windows 10 or above, use WSL… whatever that is).

Most likely, your Node servers will run on Linux machines in production so get familiar with developing on Linux machines. Most tools for containerization run (only) on Linux operating systems.

I will assume you have never used containers in your life and start by building containers without Docker. Yes, Docker did not invent containers.

Creating containers without Docker

Here, we will talk about processes running on your machine. Processes should be somewhat familiar to you as a Node developer because your apps run in processes.

When you do

a Node.js process is launched on your machine and your app runs inside that process. That’s all you need to know about processes for now.

By the way, if you don’t know, Node.js can do multi-processing and multi-threading. For more on that topic, look into the child_process, cluster and worker_threads native Node.js modules.

So what is a container?

Containers give us many of the security and resource-management features of VMs but without the cost of having to run a whole other operating system.

Instead, a container uses chroot, namespaces, and cgroups to separate groups of processes from each other. You will have a look at all these Linux concepts in a minute.

Containerization is all about segregation of resources.

To restrict access to specific resources based on the process accessing them, we need to isolate resources (data) per process.

Now, let’s create a Linux container.

  • create a new folder in your home directory by running the following command:

We want to run a Bash process that has this new_root folder as its root directory. Bash is a modern command processor — the main one on most Linux machines. FYI, the default root directory is “/” on Linux operating systems.

We will need the dependencies of the bash executable to run bash in our new_root root folder. We can see the dependencies of a program by running the following command:

It will print:

We will need to copy these dependencies into our new_root folder:

You don’t need to copy dependencies listed without a fully qualified path, like linux-vdso.so.1, because they are provided by the Linux kernel. The kernel vDSO is a collection of kernel functions. The kernel is basically the core of Linux operating systems.

The “vDSO” (virtual dynamic shared object) is a small shared library that the kernel automatically maps. I will not go further into Linux theory; check the Linux Programmer’s Manual for that.

Now we can run bash with new_root as root directory:

chroot is a command that changes the apparent root directory for the current running process and its children.

Here, the running process will be bash. We can say that chroot lets us jail processes: setting the root to a specific folder limits their access to the filesystem, so folders at the same level or above are not visible to that process.

We will then enter a bash shell, but you cannot do much in it because it is bare-bones, without the tools that come with Linux operating systems. Only bash's built-in commands are available, such as pwd (to print the current directory path).

Now, let’s install the ls tool to list files in directories. It is the same procedure as when we installed bash in the new_root directory, i.e. copy the executable and its dependencies.

As an exercise, you can make the cat command run in the container. As you may have noticed, bash and ls have libraries in common. To import cat, you will just need to copy the executable.

Hey, wait a second, how about running Node inside that chroot environment (a.k.a. chroot jail)?

Congratulations, you have created your first jailed process, a.k.a. container, with Node inside it.

This container's filesystem access is restricted to what’s inside the new_root folder.
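The steps above (list a program's dependencies with ldd, copy the program and those libraries into new_root, then chroot) can be scripted. This is an added example, not code from the original article; the function names list_deps, copy_into_root and install_into_root are made up for it, and it assumes a Linux host where ldd is available.

```bash
# Added example: populate a chroot directory with a program and its libraries.

# Print the absolute paths of the shared libraries a binary is linked against.
# Entries without a path (such as linux-vdso.so.1) are provided by the kernel
# and are skipped, as are libraries that ldd reports as "not found".
list_deps() {
    ldd "$1" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }
                    $1 ~ /^\//               { print $1 }'
}

# Copy one file into the new root at the same path it has on the host.
#   $1 = absolute path on the host, $2 = new root directory
copy_into_root() {
    mkdir -p "$2$(dirname "$1")" &&
    cp -L "$1" "$2$1"          # -L: copy the real file, not a symlink to it
}

# Install a program and every library it needs into the new root.
#   $1 = absolute path of the program, $2 = new root directory
install_into_root() {
    [ -x "$1" ] || { echo "not an executable: $1" >&2; return 1; }
    copy_into_root "$1" "$2" || return 1
    list_deps "$1" | while read -r lib; do
        copy_into_root "$lib" "$2" || exit 1   # exits the pipeline subshell
    done
}

# Usage (chroot itself needs root privileges):
#   mkdir -p "$HOME/new_root"
#   install_into_root /bin/bash "$HOME/new_root"
#   install_into_root /bin/ls   "$HOME/new_root"
#   install_into_root "$(command -v node)" "$HOME/new_root"
#   sudo chroot "$HOME/new_root" /bin/bash
```

Some versions of ldd resolve libraries by running the program's dynamic loader, so point it only at binaries you trust.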

Namespacing

##### WORK IN PROGRESS #####
