Container Basics

Global Travel Notes (https://dulichbaolocaz.com/container-basics/), Mon, 02 Feb 2026 04:55:07 +0000

Curious about containers but not excited about dry, buzzword-heavy explanations? This guide walks you through container basics in plain English: what a software container is, how it compares to virtual machines, why images, layers, volumes, and networks matter, and how Docker and Kubernetes fit together. You’ll also see experience-based lessons from real teams, like dealing with bloated images, confusing network setups, and running stateful apps in containers, so you can dodge the common beginner mistakes and start shipping more reliable, portable applications with confidence.

The post Container Basics appeared first on Global Travel Notes.


If you’ve ever heard developers mumble “it works on my machine” while staring sadly at a broken production app,
congratulations: you’ve met the origin story of containers. Container basics are all about avoiding
that chaos by packing your application and everything it needs into neat, portable boxes that behave the same almost
everywhere.

In this guide, we’ll break down what a software container is, how it’s different from a virtual machine, what Docker
and Kubernetes have to do with all of this, and how you can start playing with containers without turning your
laptop into a very expensive paperweight.

What Is a Container, Really?

A software container is a standardized unit of software that bundles your application code together
with its runtime, libraries, configuration files, and other dependencies into one self-contained package. The
container runs as an isolated process on a host operating system, sharing the host’s kernel instead of booting its
own full OS like a virtual machine does.

Think of it like moving house. You could throw your stuff loose into the truck, or you could pack it into labeled,
stackable boxes. Containers are those boxes for software: labeled, consistent, and much easier to move than a pile
of random objects sliding around the truck.

The key properties of containers are:

  • Isolation: Processes inside a container can’t casually see or interfere with processes outside it.
  • Portability: If a container image runs on your laptop, it can run on a server or in the cloud with minimal changes.
  • Reproducibility: The same image always starts from the same state, which is great for debugging and CI/CD.
  • Efficiency: Containers share the host kernel, so you can run many of them with less overhead than lots of full VMs.

Containers vs. Virtual Machines

Containers and virtual machines (VMs) both isolate workloads, but they do it in different ways:

  • VMs emulate an entire hardware stack and run their own guest operating system. Every VM might have
    its own full Linux or Windows installation.
  • Containers run on top of the host OS and share the host kernel. Each container only brings the user-space
    bits it actually needs: binaries, libraries, configs, and app code.

Because they skip the guest OS, containers are usually:

  • Faster to start (milliseconds to seconds instead of minutes).
  • Lighter on CPU and memory.
  • Easier to pack densely on the same hardware.

That doesn’t mean VMs are obsolete. They’re still great for strong isolation, legacy workloads, or when you need a
completely different OS. In practice, many modern setups run containers inside VMs in the cloud: VMs give
isolation at the infrastructure layer, containers handle app-level packaging and deployment.

Under the Hood: How Containers Actually Work

Containers feel magical, but under the hood they rely on very real Linux kernel features:

Namespaces: “You Live in Your Own Little World”

Linux namespaces give each container its own view of system resources. There are namespaces for things like process
IDs, network interfaces, mounted filesystems, and hostnames. Processes inside a container see their own process tree,
network stack, and so on, rather than the host’s global view.
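To see which namespaces a process actually has to itself, compare the identifiers the kernel exposes under /proc/<pid>/ns. The Python sketch below is an added example, not part of the original article; the helper names and the sample identifiers are constructed for illustration, and the samples assume a container started without user-namespace remapping.

```python
import os

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

def read_namespaces(pid="self", proc="/proc"):
    """Map namespace type -> kernel identifier, e.g. 'pid:[4026531836]'."""
    found = {}
    for ns in NS_TYPES:
        try:
            found[ns] = os.readlink(os.path.join(proc, str(pid), "ns", ns))
        except OSError:
            continue  # not Linux, or no permission to inspect that process
    return found

def shared_with(reference, other):
    """Namespace types where both processes sit in the very same namespace."""
    return sorted(ns for ns, ident in other.items() if reference.get(ns) == ident)

def sample(**inodes):
    """Build a constructed namespace map from type=inode pairs."""
    return {ns: f"{ns}:[{inode}]" for ns, inode in inodes.items()}

# Constructed identifiers, not captured from a real host.
HOST = sample(cgroup=4026531835, ipc=4026531839, mnt=4026531841,
              net=4026531840, pid=4026531836, user=4026531837, uts=4026531838)
# A container with private namespaces for everything except 'user', as when
# no user-namespace remapping is configured.
ISOLATED = {**sample(cgroup=4026532301, ipc=4026532299, mnt=4026532297,
                     net=4026532302, pid=4026532300, uts=4026532298),
            "user": HOST["user"]}
# The same container, but started on the host's network stack.
HOST_NET = {**ISOLATED, "net": HOST["net"]}

if __name__ == "__main__":
    print(read_namespaces())            # this process, on a Linux host
    print(shared_with(HOST, ISOLATED))  # ['user']
    print(shared_with(HOST, HOST_NET))  # ['net', 'user']
```

A shared namespace means no isolation for that resource: a shared user namespace makes root inside the container the same UID 0 as on the host, and a shared network namespace exposes the host's interfaces and listening ports.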

cgroups: “You Get This Much, No More”

Control groups, or cgroups, limit and account for resource usage. They can cap CPU, memory, I/O, and
more, preventing one runaway container from hogging everything and leaving the rest of your system gasping for air.

Union / Overlay Filesystems: Layers on Layers

Container images use layered filesystems such as OverlayFS. A base image provides common files (for example,
ubuntu:22.04), and each subsequent change (installing a package, copying your code) is stored as a new
read-only layer. When you run a container, the runtime adds a thin writable layer on top. This layered design saves
disk space and speeds up builds.

Images: Blueprints for Containers

A container image is like a blueprint or snapshot used to create containers. The image includes the
filesystem layers plus metadata: environment variables, default commands, and configuration. Container runtimes use
these images as the template for each running container.

The Open Container Initiative (OCI) defines a standard format for container images and runtimes, so
the same image can work with multiple tools (Docker, containerd, CRI-O, and others).

At a high level, an OCI image contains:

  • An image manifest that lists layers and configuration.
  • A set of filesystem layers with the actual files.
  • Optional indexes for multi-architecture images (for example, AMD64 vs ARM).
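The manifest refers to the configuration and to every layer by content digest, which is what lets a client detect a blob that was altered after the image was published. The Python sketch below is an added example, not part of the original article; it uses the OCI media types and descriptor fields, while the blobs, the in-memory store, and the function names are constructed stand-ins for a real registry.

```python
import hashlib
import json

def descriptor(media_type, blob):
    """Build an OCI content descriptor: media type, sha256 digest, size."""
    return {
        "mediaType": media_type,
        "digest": "sha256:" + hashlib.sha256(blob).hexdigest(),
        "size": len(blob),
    }

def verify_manifest(manifest, blobs):
    """Return a list of problems; empty means every referenced blob checks out."""
    problems = []
    for desc in [manifest["config"], *manifest["layers"]]:
        digest = desc["digest"]
        blob = blobs.get(digest)
        if blob is None:
            problems.append(f"missing blob {digest}")
            continue
        algo, _, hexval = digest.partition(":")
        if algo != "sha256":
            problems.append(f"unsupported digest algorithm {algo}")
        elif hashlib.sha256(blob).hexdigest() != hexval:
            problems.append(f"digest mismatch {digest}")
        elif len(blob) != desc["size"]:
            problems.append(f"size mismatch {digest}")
    return problems

# Constructed sample: short byte strings stand in for real tar layers.
config_blob = json.dumps({"architecture": "amd64", "os": "linux"}).encode()
layer_blobs = [b"constructed base layer", b"constructed app layer"]
config_desc = descriptor("application/vnd.oci.image.config.v1+json", config_blob)
layer_descs = [descriptor("application/vnd.oci.image.layer.v1.tar+gzip", b)
               for b in layer_blobs]
manifest = {"schemaVersion": 2,
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "config": config_desc, "layers": layer_descs}
store = {config_desc["digest"]: config_blob}
store.update({d["digest"]: b for d, b in zip(layer_descs, layer_blobs)})

def tampered_store():
    """The same store with the second layer's bytes changed after publication."""
    bad = dict(store)
    bad[layer_descs[1]["digest"]] = b"constructed app layer + injected file"
    return bad
```

Calling verify_manifest(manifest, store) returns an empty list, while the tampered store yields a single digest mismatch for the second layer.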

While containers as a concept predate Docker, Docker made them accessible to everyday developers. Using Docker, you
work with a few core objects: images, containers, networks, and
volumes.

A Simple Docker Workflow

  1. Write a Dockerfile. This text file describes how to build your image: base image, commands, and configuration.
  2. Build the image. Use docker build -t myapp:latest . to create a new image.
  3. Run a container. Use docker run --rm -p 8080:80 myapp:latest to start your app.
  4. Inspect and debug. docker logs, docker exec, and friends help you peek inside.
  5. Ship it. Push the image to a registry (Docker Hub, ECR, GCR, etc.), then pull it on servers.

Volumes: Keeping Your Data Alive

By default, if you delete a container, any data written inside its writable layer disappears with it. That’s not
great for databases or logs you actually care about. Docker volumes solve this by providing
persistent storage managed outside the container’s lifecycle.

You can:

  • Create a volume with docker volume create mydata.
  • Attach it to a container with -v mydata:/var/lib/app.
  • Reuse that volume across multiple containers.

Networking: Letting Containers Talk

Containers need to talk to each other and to the outside world. Docker networks provide virtual networks where
containers get IP addresses and can resolve each other by name. By default, containers can make outgoing connections
and can be attached to user-defined bridge networks for internal communication.

For example, you might run a web container and a database container on the same Docker network so they can talk via
db:5432 instead of hardcoding IP addresses.

Kubernetes: Containers at Scale

Docker is great on a single machine. Once you have dozens or hundreds of containers across multiple servers,
you need an orchestrator. That’s where Kubernetes comes in.

Kubernetes introduces concepts like:

  • Pods: The smallest deployable unit in Kubernetes, usually wrapping one main container plus optional helpers.
  • Nodes: The worker machines (VMs or physical) that run your pods.
  • Deployments: Higher-level objects that manage replica counts, rolling updates, and self-healing.
  • Services: Stable virtual IPs and DNS names that route traffic to groups of pods.

In Kubernetes, pods act as a management layer around containers: they define shared storage, networking, and how
containers inside the pod work together. Kubernetes uses controllers to ensure the actual state matches the desired
state: if a pod crashes, it automatically spins up a replacement.

When Containers Shine (and When They Don’t)

Containers are especially good for:

  • Microservices: Each service gets its own container, with its own dependencies.
  • CI/CD pipelines: Build once, ship the same image through testing and production.
  • Data science and tooling: Package Jupyter, Python libraries, and system dependencies in one reproducible environment.
  • Infrastructure standardization: Enforce common base images and security baselines across teams.

They’re less ideal for:

  • Heavy desktop applications that expect direct access to hardware and a full GUI stack.
  • Workloads that need exotic kernel modules or OS customizations that don’t match the host.
  • Teams that aren’t ready to adopt the operational complexity of registries, orchestration, and security scanning.

Containers don’t magically fix bad architecture. A monolith in a container is still a monolith, just a monolith that
starts faster.

Getting Started: A Short, Practical Plan

If you want to learn container basics without reading a 400-page manual, try this quick path:

  1. Install Docker Desktop (or a similar runtime) for your OS.
  2. Run a simple container: docker run --rm hello-world.
  3. Run a web server: docker run --rm -p 8080:80 nginx and open http://localhost:8080.
  4. Write a tiny Dockerfile for a “Hello World” web app in the language of your choice.
  5. Push your image to a registry (even a private one) to understand the full lifecycle.

Once that feels comfortable, you can graduate to Kubernetes tutorials and try deploying the same container to a
small cluster, even a local one like kind or minikube.

Real-World Experiences with Container Basics

Theory is nice, but containers really start making sense when you see what happens in real projects. Here are some
experience-based lessons that tend to repeat across teams.

From “It Works on My Machine” to “It Works Everywhere”

Imagine a small team building a web API. On Alice’s laptop, everything compiles and runs perfectly. On Bob’s
machine, tests fail because his Node.js version is different. In staging, the app crashes because one tiny system
library is missing. Everyone is frustrated, and nobody wants to upgrade anything ever again.

The team switches to containers. They define a clear Dockerfile: base image, exact runtime version, dependencies,
and build steps. Now, when someone says, “just run the container,” it actually works: same runtime, same libraries,
same configuration on every machine. Local development, CI, staging, and production are finally speaking the same
language.

The First “Oops, My Image Is 3 GB” Moment

Another common experience: the first Docker image you build is huge. You might start from a full-fat base image,
install half the universe of packages, copy your build tools inside, and never clean them up. The result is a giant
multi-gigabyte image that takes forever to pull in CI and makes your cluster nodes cry.

The fix comes with experience:

  • Use smaller base images (for example, alpine or language-specific slim variants).
  • Use multi-stage builds: build tools in one stage, copy only the final artifacts into a minimal runtime image.
  • Regularly run tools that show you image size by layer so you can spot what’s bloating your image.

After a few rounds of optimization, teams often cut image sizes by 50–80%, which speeds up deployments and reduces
registry storage costs.

Networking Surprises and “Why Can’t This Container See That One?”

Networking is another area where real-world usage teaches fast. New users sometimes assume that because two
containers are running on the same host, they can automatically talk to each other. Then they wonder why connections
keep timing out.

The “aha” moment comes when they realize:

  • Containers need to be on the same Docker network or connected via a service in Kubernetes.
  • Host firewalls, security groups, and service meshes can all affect connectivity.
  • DNS names inside containers (like db or redis) are resolved by the container platform, not by magic.

Once those basics click, people start designing networks intentionally, instead of hoping that containers will just
guess the right ports by sheer enthusiasm.

Stateful Apps: Yes, You Can, But Be Careful

At some point, a team decides to containerize a database or a stateful app. This is where container basics collide
with the reality of persistent data. Running a database in a container can work, but it teaches important lessons:

  • You must put data on durable volumes, not inside the container’s ephemeral writable layer.
  • You need a backup and restore strategy that doesn’t assume “the container never dies.”
  • Upgrades and migrations require consideration of both the container lifecycle and the data lifecycle.

These experiences often push teams toward managed database services for critical data, while keeping containers for
stateless app logic.

Security and the “Everything as Root” Phase

Early container setups frequently run everything as root inside the container because it’s easy and things “just
work.” Over time, security reviews and audits start asking hard questions. That’s when teams learn to:

  • Run containers as non-root users when possible.
  • Use minimal base images to shrink the attack surface.
  • Scan images for known vulnerabilities and rebuild regularly.

These are not advanced tricks; they’re part of container basics that you appreciate more after your first penetration
test report or compliance review.
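The first practice above, together with the multi-stage builds and exact base versions mentioned earlier, can be checked before an image is ever built. The Python sketch below is an added example, not part of the original article; the function names and both Dockerfiles are constructed. It reads only the Dockerfile, so a base image that already switches to a non-root user is still reported.

```python
import re

def parse_stages(text):
    """One dict per FROM: base image, stage name, and the last USER seen."""
    stages = []
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():  # fold continuations
        words = line.split()
        if len(words) < 2 or words[0].startswith("#"):
            continue
        # Drop flags such as --platform=... so args[0] is the image or user.
        instr, args = words[0].upper(), [w for w in words[1:] if not w.startswith("--")]
        if instr == "FROM" and args:
            parent = next((s for s in stages if s["name"] == args[0]), None)
            stages.append({"image": args[0], "local": parent is not None,
                           "name": args[2] if len(args) > 2 and args[1].upper() == "AS" else None,
                           "user": parent["user"] if parent else None})  # inherited
        elif instr == "USER" and args and stages:
            stages[-1]["user"] = args[0]
    return stages

def unpinned(image):
    """True without a digest when the tag is missing or is the moving 'latest'."""
    last = image.rsplit("/", 1)[-1]
    return image != "scratch" and "@sha256:" not in image and (":" not in last or last.endswith(":latest"))

def audit(text):
    """Findings for what ships: the final stage's user, plus base image pinning."""
    stages = parse_stages(text)
    if not stages:
        return ["no FROM instruction"]
    findings = []
    user = stages[-1]["user"]
    if user is None:
        findings.append("final stage sets no USER (base image default, often root)")
    elif user.split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root")
    findings += [f"base image {s['image']} is not pinned" for s in stages
                 if not s["local"] and unpinned(s["image"])]
    return findings

# Constructed Dockerfiles for this example.
BEFORE = 'FROM node:latest\nCOPY . /app\nRUN cd /app && npm ci\nCMD ["node", "/app/server.js"]\n'
AFTER = """\
FROM node:20-slim AS build
COPY . /app
RUN cd /app && npm ci --omit=dev
FROM node:20-slim
COPY --from=build /app /app
USER node
CMD ["node", "/app/server.js"]
"""
```

audit(BEFORE) reports the missing USER and the unpinned node:latest base, and audit(AFTER) returns no findings.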

Wrapping It Up: Containers Without the Jargon

At their core, containers are just isolated processes running from a standardized package (the image), with clever
use of kernel features, layered filesystems, and tooling like Docker and Kubernetes. They don’t solve every problem,
but they do make it far easier to ship consistent, reproducible applications across environments.

If you remember only a few things from this tour of container basics, let it be these:

  • Containers package your app and its dependencies into a portable, reproducible unit.
  • They’re lighter than VMs because they share the host OS kernel.
  • Images, volumes, and networks are the main building blocks you’ll use daily.
  • Kubernetes builds on containers to run them reliably at scale.
  • Real-world experience (successes and mistakes) is the fastest teacher.

Start small, experiment locally, and don’t worry if your first container image is a bit of a mess. Everyone’s was.
With a few iterations, you’ll move from “what is this thing?” to “of course we ship that in containers” faster than
you expect.
