Skip to content
GitHub

Container Primitives

The Linux features that make containers possible.

Overview

Section titled “Overview”

Containers aren’t magic—they’re built on Linux kernel features that have existed for years. This section demystifies container technology by teaching you the primitives: namespaces, cgroups, capabilities, and union filesystems.

After this section, you’ll understand that a “container” is just a process with:

  • Namespaces — Isolated view of system resources
  • Cgroups — Resource limits (CPU, memory)
  • Capabilities — Fine-grained privileges
  • Union filesystem — Layered filesystem (image + container layer)

Modules

Section titled “Modules”
#ModuleDescriptionTime
2.1Linux NamespacesPID, network, mount, UTS, user isolation30-35 min
2.2Control GroupsCPU/memory limits, v1 vs v2, systemd integration30-35 min
2.3Capabilities & LSMsCAP_*, AppArmor, SELinux, seccomp overview25-30 min
2.4Union FilesystemsOverlayFS, layers, storage drivers25-30 min

Why This Section Matters

Section titled “Why This Section Matters”

Understanding container primitives lets you:

  • Debug container issues — Is it a namespace issue? A cgroup limit? Missing capabilities?
  • Write secure containers — Know which capabilities to drop, which syscalls to block
  • Optimize images — Understand layers and copy-on-write
  • Understand Kubernetes — Pod security, resource requests/limits, storage

Prerequisites

Section titled “Prerequisites”

Key Takeaways

Section titled “Key Takeaways”

After completing this section, you’ll understand:

  1. How namespaces create isolated environments (the “container” illusion)
  2. How cgroups enforce resource limits (what happens when memory is exceeded)
  3. Why containers don’t need root (capabilities breakdown)
  4. How container images share layers efficiently (OverlayFS)
Section titled “Related Sections”