Issue link: https://insights.oneneck.com/i/1293607
30 Containers For Dummies, HPE and Docker Special Edition
These materials are © 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

The Registry

A registry is a centralized repository that holds Docker images. Administrators can deploy their own private registry service, which operates in a highly scalable way. If you want to fully control where your images are stored or tightly integrate images into your local development processes, consider deploying a private registry, such as Docker Trusted Registry. Docker Trusted Registry is an enterprise-class containerized application that provides fine-grained access control, along with security and compliance capabilities.

Under the hood

Let's lift the hood a bit and take a peek at the main items that comprise a Docker deployment.

Namespaces

The Docker Engine leverages multiple kernel namespaces, with each namespace controlling specific functions inside that image or container. A namespace is used to isolate certain OS functionality to limit the scope of access. The end result is that a namespace imbues processes with their very own view of underlying resources. Docker uses namespaces to separately manage process trees and isolation, file system mounts, interprocess communication (IPC) resources, networking, hostnames, and user access. Namespaces can also limit what a container can see.

Control groups

Whereas namespaces limit what a container can see, control groups (cgroups, for short) are used to allocate resources, including RAM, CPU, storage I/O, network I/O, and more. For example, using a cgroup, you can limit a process to just a single CPU core, which would prevent it from consuming additional processing resources that could impact other workloads. By using cgroups, the Docker Engine can dictate to a container what resources a container can use and how much of that resource it can use.
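The two mechanisms above can be checked from the host. The following is an added example, not code from the book or from Docker: it compares the namespace IDs of a container process with those of a host process to see which views are actually isolated, and reads the CPU and memory limits a cgroup imposes. It assumes Linux with cgroup v2 (the `cpu.max` and `memory.max` file formats); the function names and the sample values are constructed for illustration.

```python
import os

# Namespace types matching the page's list: process trees, mounts, IPC,
# networking, hostnames, user access.
NS_TYPES = ("pid", "mnt", "ipc", "net", "uts", "user")

def read_ns(pid, proc="/proc"):
    """Read namespace IDs such as 'net:[4026531840]' from /proc/<pid>/ns (Linux)."""
    ids = {}
    for ns in NS_TYPES:
        try:
            ids[ns] = os.readlink(os.path.join(proc, str(pid), "ns", ns))
        except OSError:  # process gone, not Linux, or insufficient privilege
            ids[ns] = None
    return ids

def shared_namespaces(container, host):
    """Namespace types where both processes hold the same ID (no isolation)."""
    return [ns for ns in NS_TYPES if container.get(ns) and container[ns] == host.get(ns)]

def cpu_limit(cpu_max):
    """cgroup v2 cpu.max is '<quota> <period>'; quota 'max' means unlimited."""
    quota, period = cpu_max.split()
    return None if quota == "max" else int(quota) / int(period)

def memory_limit(memory_max):
    """cgroup v2 memory.max is a byte count, or 'max' for unlimited."""
    value = memory_max.strip()
    return None if value == "max" else int(value)

def audit(container, host, cpu_max, memory_max):
    """Return findings: what the container can see or use beyond its own scope."""
    findings = [f"{ns} namespace is shared with the host"
                for ns in shared_namespaces(container, host)]
    if cpu_limit(cpu_max) is None:
        findings.append("no CPU limit set")
    if memory_limit(memory_max) is None:
        findings.append("no memory limit set")
    return findings

# Constructed sample values, not captured from a real host.
HOST = {"pid": "pid:[4026531836]", "mnt": "mnt:[4026531841]", "ipc": "ipc:[4026531839]",
        "net": "net:[4026531840]", "uts": "uts:[4026531838]", "user": "user:[4026531837]"}
CONTAINER = {"pid": "pid:[4026532201]", "mnt": "mnt:[4026532198]", "ipc": "ipc:[4026532200]",
             "net": "net:[4026531840]", "uts": "uts:[4026532199]", "user": "user:[4026531837]"}

if __name__ == "__main__":
    # cpu.max "100000 100000" is one CPU's worth of time; memory.max "max" is unlimited.
    for finding in audit(CONTAINER, HOST, "100000 100000\n", "max\n"):
        print(finding)
```

On a live host, `read_ns(1)` and `read_ns(<container process PID>)` supply the two dictionaries in place of the constructed samples; reading another user's `/proc/<pid>/ns` entries generally requires root.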