System Design Space

Updated: March 2, 2026 at 8:35 PM

Containerization


How containers are structured: the layered filesystem, cgroups and resource limits, and a comparison with virtual machines.

Source: "Containerization" (definition of containerization and key principles).

Containerization is OS-level virtualization: applications run in isolated environments but share the host kernel. Because no guest OS has to boot, containers are lightweight, start fast, and are easy to scale.

How containerization works

  • Namespaces isolate what a process can see: process IDs, network interfaces, mount points, IPC, hostname (UTS) and user/group IDs.
  • Cgroups limit and account for CPU, memory, I/O and the number of processes (PIDs).
  • A union/overlay filesystem stacks read-only image layers under a writable layer, so containers start without copying the image.
  • The container runtime manages the container lifecycle (create/start/stop) by setting up namespaces and cgroups.
  • Registries and images let you move the same application artifact between environments.
Diagram: host machine (Linux) with physical resources (CPU, RAM, disk, NIC). The container runtime manages namespaces and cgroups, starts containers, and enforces resource limits. Containers inside the host are isolated via namespaces + cgroups:

  • Container A: Nginx, App. CPU: 2 cores, RAM: 512MB, IO: limited.
  • Container B: Worker, Queue. CPU: 1 core, RAM: 256MB, IO: limited.
  • Container C: DB, Backup. CPU: 2 cores, RAM: 1GB, IO: priority.

Layered filesystem (overlay): base image → runtime layer → app layer → writable layer.
Cgroups & limits

Cgroups control CPU, memory, and I/O per container, preventing one container from consuming all of the host's resources.

Shared kernel

All containers share the host kernel, so containerization is lighter and faster than VMs, but every image needs a kernel-compatible userland. The shared kernel is also a shared attack surface: a kernel bug reachable from inside one container can affect the host and every other container on it.

Layered file system

Container images are built from several layers, and the container adds its own writable layer.

  • Base layer: minimal OS image or runtime.
  • Intermediate layers: dependencies, libraries, configurations.
  • Top layer: application and its files.
  • Writable layer: changes at the level of a specific container.

This approach speeds up builds and deployments: shared layers are stored and cached once, and a change rebuilds and re-pushes only the layers above it. Image layers are immutable, so deleting a file in a later layer only hides it in the merged view; the file's bytes remain in the lower layer and in the distributed image.
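The layer semantics above, worked through as an added example (not code from the original page): a toy in-memory overlay with read-only lower layers, a writable upper layer, copy-up on write, and whiteout entries for deletions. Layer names, file paths and the sample secret are constructed for the example; the ".wh.<name>" whiteout convention follows overlayfs-based image layers. The last function shows the caveat from the text: a secret removed in a later layer is still physically present in the layer that added it.

```python
"""Toy model of the overlay (union) filesystem used for container images."""
from typing import Dict, List, Optional

WHITEOUT_PREFIX = ".wh."   # whiteout convention of overlayfs-based image layers


def whiteout_path(path: str) -> str:
    """Return the whiteout entry that hides `path` when placed in a higher layer."""
    parent, _, name = path.rpartition("/")
    marker = WHITEOUT_PREFIX + name
    return f"{parent}/{marker}" if parent else marker


class Layer:
    def __init__(self, name: str, files: Optional[Dict[str, bytes]] = None):
        self.name = name
        self.files: Dict[str, bytes] = dict(files or {})


class OverlayView:
    """Merged view of read-only lower (image) layers plus one writable upper layer."""

    def __init__(self, lowers: List[Layer], upper: Layer):
        self.lowers = list(lowers)   # bottom-most layer first
        self.upper = upper

    def _stack(self) -> List[Layer]:
        return self.lowers + [self.upper]

    def read(self, path: str) -> bytes:
        # Search from the top layer down; a whiteout ends the search.
        for layer in reversed(self._stack()):
            if path in layer.files:
                return layer.files[path]
            if whiteout_path(path) in layer.files:
                break
        raise FileNotFoundError(path)

    def visible(self) -> Dict[str, str]:
        """Map every visible path to the name of the layer that provides it."""
        result: Dict[str, str] = {}
        for layer in self._stack():
            # Whiteouts in this layer hide entries from the layers below it.
            for entry in layer.files:
                parent, _, name = entry.rpartition("/")
                if name.startswith(WHITEOUT_PREFIX):
                    target = name[len(WHITEOUT_PREFIX):]
                    result.pop(f"{parent}/{target}" if parent else target, None)
            for entry in layer.files:
                if not entry.rpartition("/")[2].startswith(WHITEOUT_PREFIX):
                    result[entry] = layer.name
        return result

    def write(self, path: str, data: bytes) -> None:
        """Copy-up semantics: writes land in the upper layer, lower layers never change."""
        self.upper.files.pop(whiteout_path(path), None)
        self.upper.files[path] = data

    def delete(self, path: str) -> None:
        self.upper.files.pop(path, None)
        # If a lower layer still provides the file, hide it with a whiteout.
        if any(path in layer.files for layer in self.lowers):
            self.upper.files[whiteout_path(path)] = b""

    def present_in_layers(self, path: str) -> List[str]:
        """Layers that physically contain `path`, whether or not it is visible."""
        return [layer.name for layer in self._stack() if path in layer.files]


def build_sample_view() -> OverlayView:
    """Constructed image: base -> runtime -> app -> cleanup, plus an empty writable layer."""
    base = Layer("base", {"etc/os-release": b"ID=alpine\n", "bin/sh": b"#!/bin/sh\n"})
    runtime = Layer("runtime", {"usr/bin/python3": b"\x7fELF..."})
    app = Layer("app", {"app/main.py": b"print('hello')\n",
                        "app/.env": b"DB_PASSWORD=hunter2\n"})    # constructed secret
    cleanup = Layer("cleanup", {whiteout_path("app/.env"): b""})  # what "RUN rm app/.env" produces
    return OverlayView([base, runtime, app, cleanup], Layer("container-writable"))


if __name__ == "__main__":
    view = build_sample_view()
    print(sorted(view.visible()))                       # app/.env is not visible ...
    print(view.present_in_layers("app/.env"))           # ... but still lives in layer "app"
```

The practical consequence: removing a credential in a later `RUN` step does not scrub it from the image; it has to be kept out of the build context, passed as a build secret, or the offending layers squashed.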

Cgroups and limits

  • CPU limits: quotas (a hard cap on CPU time per period) and shares/weights (relative priority under contention).
  • Memory limits: a hard limit; a cgroup that exceeds it is handled by the OOM killer.
  • I/O limits: throttling of bandwidth and IOPS per block device.
  • PIDs limits: a cap on the number of processes and threads, which also contains fork bombs.
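As an added example (not code from the original page, Docker or runc), here is how container-style limits map onto the cgroup v2 control files the kernel actually reads. The parameter names mirror `docker run` flags (`--cpus`, `--cpu-shares`, `--memory`, `--memory-swap`, `--pids-limit`, `--device-write-bps`) but the functions are this example's own; the shares-to-weight formula is the one runc uses for cgroup v2, the 100 ms CFS period is the Docker/runc default, and the device number "8:0" in the sample call is a constructed value.

```python
"""Translate container-style resource limits into cgroup v2 control-file values."""
from pathlib import Path
from typing import Dict, Optional, Tuple

CPU_PERIOD_US = 100_000   # CFS period Docker/runc use by default (100 ms)
_UNITS = {"": 1, "b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text: str) -> int:
    """'512m' -> 536870912, '1g' -> 1073741824, '4096' -> 4096."""
    s = text.strip().lower()
    number = s.rstrip("bkmg")
    unit = s[len(number):].rstrip("b")   # accept '512mb' as well as '512m'
    if not number or unit not in _UNITS:
        raise ValueError(f"bad size: {text!r}")
    return int(float(number) * _UNITS[unit])


def cgroup_v2_settings(
    cpus: Optional[float] = None,
    cpu_shares: Optional[int] = None,
    memory: Optional[str] = None,
    memory_swap: Optional[str] = None,
    pids_limit: Optional[int] = None,
    device_write_bps: Optional[Tuple[str, int]] = None,
) -> Dict[str, str]:
    """Return {control file name: value to write} for one container's cgroup."""
    out: Dict[str, str] = {}
    if cpus is not None:
        if cpus <= 0:
            raise ValueError("cpus must be positive")
        # Hard cap: "<quota us> <period us>"; 1.5 CPUs = 150 ms of CPU time per 100 ms.
        out["cpu.max"] = f"{int(cpus * CPU_PERIOD_US)} {CPU_PERIOD_US}"
    if cpu_shares is not None:
        # Relative weight in [1, 10000]; runc's mapping of v1 shares [2, 262144] onto v2 weight.
        if not 2 <= cpu_shares <= 262144:
            raise ValueError("cpu_shares out of range")
        out["cpu.weight"] = str(1 + ((cpu_shares - 2) * 9999) // 262142)
    if memory is not None:
        mem = parse_size(memory)
        out["memory.max"] = str(mem)        # exceeding this triggers the OOM killer in the cgroup
        if memory_swap is not None:
            total = parse_size(memory_swap)  # docker's --memory-swap means memory + swap
            if total < mem:
                raise ValueError("memory_swap must be >= memory")
            out["memory.swap.max"] = str(total - mem)   # cgroup v2 limits swap separately
    if pids_limit is not None:
        out["pids.max"] = str(pids_limit)
    if device_write_bps is not None:
        major_minor, bps = device_write_bps
        out["io.max"] = f"{major_minor} wbps={bps}"  # bytes/s write throttle for one device
    return out


def apply_settings(cgroup_dir: str, settings: Dict[str, str],
                   pid: Optional[int] = None) -> None:
    """Write the values into an existing cgroup v2 directory and optionally move a PID into it."""
    root = Path(cgroup_dir)
    for name, value in settings.items():
        (root / name).write_text(value + "\n")
    if pid is not None:
        (root / "cgroup.procs").write_text(f"{pid}\n")


if __name__ == "__main__":
    limits = cgroup_v2_settings(cpus=1.5, cpu_shares=1024, memory="512m",
                                memory_swap="1g", pids_limit=100,
                                device_write_bps=("8:0", 10 * 1024 ** 2))
    for name, value in limits.items():
        print(f"{name}: {value}")
```

`apply_settings` only works as root on a cgroup v2 host, against a cgroup directory whose parent has the `cpu`, `memory`, `io` and `pids` controllers enabled in `cgroup.subtree_control`; the sample run above only computes the values. Note that the default of 1024 shares becomes a weight of 39, which is why cgroup v2 hosts show that number for containers started without an explicit CPU weight.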

Containers vs virtual machines

Containers

  • Share the host kernel, so they start in milliseconds.
  • Lower overhead and higher density per host.
  • Require a compatible kernel and share it with every other container on the host.

Virtual machines

  • Each VM runs its own guest OS on a hypervisor.
  • Stronger isolation, but higher overhead.
  • Suitable for running different operating systems and for strict security boundaries.

Request path to nginx inside the container

The request path is similar to that of a virtual machine, but there is no hypervisor in between: packets are handled by the host kernel and delivered into the container's network namespace.

Request path: internet → host → runtime → container

  • Layer 1, External: client, internet.
  • Layer 2, Host Linux: NIC, kernel network stack.
  • Layer 3, Container runtime: bridge/NAT, network namespaces.
  • Layer 4, Container: Nginx, app.
  • Layer 5, Service: HTTP handler, business logic.

Why is this important for systems design?

  • Containers speed up delivery and keep dev/test/prod environments consistent.
  • Understanding cgroups helps you set limits and avoid noisy neighbors.
  • The container network model (bridges, NAT, namespaces) affects both latency and where firewall and security rules apply.
  • Containers have become the basic unit of deployment in Kubernetes and the cloud.



© 2026 Alexander Polomodov