Docker exec without Docker

What if you could `exec` into a container without the Docker daemon? This talk reveals the Linux kernel features that make it possible.

#1about 1 minute

Understanding how the docker exec command really works

The talk explores what happens under the hood when you run `docker exec` and demonstrates how to achieve the same result without using Docker.

#2about 1 minute

Deconstructing the Docker stack to its Linux primitives

Docker is built on top of lower-level components like containerD and runC, which ultimately rely on core Linux kernel features like Cgroups and namespaces.

#3about 3 minutes

Limiting container resources using Linux Cgroups

Cgroups are a Linux kernel feature used to limit and account for resource usage, such as CPU, memory, process IDs, and I/O for a collection of processes.

#4about 4 minutes

A live demo of limiting process CPU with Cgroups

A practical demonstration shows how to create a new Cgroup, define a CPU usage limit in the `cpu.max` file, and assign a running process to it.

#5about 6 minutes

Isolating processes from each other using Linux namespaces

Namespaces provide process isolation by virtualizing system resources like network interfaces, mount points, process IDs, and user IDs for each container.

#6about 9 minutes

Replicating `docker exec` with the `nsenter` command

By finding a container's process ID on the host, you can use the `nsenter` command to enter all of its namespaces and gain a shell inside the container without using Docker.

#7about 3 minutes

Key takeaways and advice for deeper technical understanding

A summary of how Cgroups and namespaces power containers is followed by advice for developers to dig deeper into technologies, focus on one topic at a time, and share their knowledge.