1. Overview
Process isolation is an important aspect of the Linux operating system. Specifically, it allows multiple processes to run on a single real machine without the risk of interference between them. Additionally, the process isolation mechanism in the Linux operating system brings these benefits without the typical cost incurred by virtual machines.
The chroot command in Linux and the Docker software are commonly known for their capability to isolate processes within the same operating system. In this tutorial, we’ll learn the difference between the chroot command and the Docker software.
2. The chroot Command
The chroot command is a Linux command that changes the running process’ root directory. It has existed since 1979, in the early days of the Unix-like operating system. The main objective of the command is to isolate the filesystem between different processes. The isolated environment created by the chroot command is commonly known as a jail.
Assuming the /opt/fake-root directory has been initialized as a proper jail, we can run chroot on a new process and set the /opt/fake-root as its root directory:
$ sudo chroot /opt/fake-root /bin/bash
The command above launches a new process that runs the /bin/bash binary. Notably, the new process’s root directory is now /opt/fake-root. Consequently, its activity on the filesystem is limited to the /opt/fake-root directory.
3. Docker
Docker is a containerization technology that provides virtualization on the operating system (OS) level. Many components in the Docker software suites work together to provide the containerization mechanism.
Firstly, the Docker container components in the Docker software provide an isolated environment for a running process, similar to the chroot‘s jail. This makes it possible to run many different workloads on the same host that might have conflicting dependencies.
Besides that, the Docker image serves as the template containing the instructions for creating a Docker container. We generally build the Docker image from a Dockerfile. A Dockerfile contains step-by-step instructions for building up a container. Here’s an example of a Dockerfile that builds a Docker image:
$ cat Dockerfile
FROM alpine:latest
CMD ["echo", "Hello world"]
The Dockerfile extends from the base image, alpine, with the latest tag. The CMD directive specifies the command to run when the container starts. In our case, the container will start and print “Hello world” to the console.
4. Difference Between chroot and Docker
Superficially, the chroot command and Docker software provide a form of isolation between processes on the same OS instance. However, there are more differences between the chroot command and the Docker software than similarities.
In the subsequent sections, we’ll highlight the difference between the chroot command and Docker container by comparing several aspects.
4.1. Scope of the Software
The chroot is a standalone binary that does one thing: changes the apparent root directory of a process. The chroot command does not offer management commands, such as getting a list of jailed processes.
On the other hand, the Docker software suite is a comprehensive containerization platform. In addition to process isolation and virtualization, the docker command in the Docker software suites simplifies the creation and usage of a container. For example, the docker ps is a command that we can use to list the currently running containers:
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7f06453c2cab kindest/node:v1.29.1 "/usr/local/bin/entr…" 6 weeks ago Up 7 days 127.0.0.1:54170->6443/tcp kind-control-plane
084a35380563 postgres:16.1 "docker-entrypoint.s…" 2 months ago Up 2 days 0.0.0.0:5432->5432/tcp quant_data_download_pg
87be3ef80b11 ubuntu:latest "sleep infinity" 4 months ago Up 49 minutes ubuntu
Besides that, we can run a Docker container using the docker run command:
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
c1ec31eb5944: Pull complete
Digest: sha256:a26bff933ddc26d5cdf7faa98b4ae1e3ec20c4985e6f87ac0973052224d24302
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
...
To clean up the container, we can perform a docker rm on the stopped containers:
$ docker rm amazing_elbakyan
amazing_elbakyan
In summary, the chroot command is a relatively simple program compared to the Docker software.
4.2. Portable and Reusable Copy of Container
The concept of the Docker image is critical in the widespread adoption of the container technology. Once created, a Docker image becomes a portable artifact that can be easily shared with others. The Docker image can then reproduce the same copy of the container as the Docker image builder intended. This greatly reduces the friction of distributing applications due to the nuanced differences in the environments. Many popular software including PostgreSQL, Redis, and Nginx, have been distributed in the Docker image format.
Besides that, the reusability and extensibility of a Docker container also greatly reduces the learning curve of the technology. When a beginner starts, they can play around with an existing Docker image to see how it works. Then, incrementally build on top of an existing image. Without the Docker image, the learning curve would be much steeper as we’ll need to start building the container from scratch.
On the other hand, the chroot environment lacks the same level of reusability and distribution capabilities. When we create an isolated environment using the chroot command, it’s typically specific for a particular use case. Besides that, the lack of standardization of the chroot environment makes it difficult to distribute and share across a wider audience group.
4.3. Usage of Linux Namespaces
Another huge difference between the chroot and the Docker container is their isolation mechanism. The chroot command isolates the filesystem by “changing an ingredient in the pathname resolution process and does nothing else”, as per its man page.
In contrast, Docker utilizes the Linux namespace mechanism to provide isolation on various OS-level components. Among the namespaces are the process ID (PID), the network stack, and the user IDs. This means different containers on the same host get their isolated view of PIDs, network stacks, and UID.
Importantly, we can restrict the compute resources for the containers using the control group (cgroups) namespaces. On the other hand, the chroot does not have any option to restrict the compute resource usage.
For example, we can place an upper bound on the CPU and RAM consumption using the –cpus and –memory options, respectively:
$ docker run --cpus 1 --memory 256m ubuntu
The command above restricts the CPU to one core and the RAM to 256MB. The process inside the container cannot use more than the limit we’ve placed.
5. Conclusion
In this tutorial, we’ve briefly learned about the chroot command and the Docker software suite. We’ve then highlighted the difference between the two commands in the different aspects. For example, the Docker software suites cover a much larger scope than the chroot command. Besides that, we’ve learned that the Docker makes it easy to reuse containers using the Docker image construct. Finally, we’ve learned that under the hood, both use vastly different mechanisms to achieve isolation.