dotlinux blog

LFCA: Learn the Basic Concepts of Using Containers

In today’s fast-paced IT landscape, containers have emerged as a cornerstone of modern software development and deployment. They enable developers and system administrators to package applications and their dependencies into standardized, portable units, ensuring consistency across environments—from development laptops to production servers. For anyone pursuing the Linux Foundation Certified IT Associate (LFCA) certification, understanding containers is not just a skill but a necessity.

This blog will demystify container technology, starting with core concepts, how containers work under the hood, essential tools, and practical operations. Whether you’re new to IT or looking to solidify your foundational knowledge, this guide will equip you with the basics needed to ace the LFCA exam and thrive in real-world scenarios.

2026-04

Table of Contents

  1. What Are Containers?
  2. Why Containers Matter: Key Benefits
  3. How Containers Work: Under the Hood
  4. Key Container Technologies
  5. Basic Container Operations: Hands-On Examples
  6. Container Images and Registries
  7. Container Orchestration: The Basics
  8. Security Best Practices for Containers
  9. Conclusion
  10. References

1. What Are Containers?

A container is a lightweight, standalone, and executable package that bundles an application with all its dependencies—libraries, configuration files, runtime, and tools—required to run it. Unlike traditional virtual machines (VMs), containers do not include a full operating system (OS). Instead, they share the host OS’s kernel, making them significantly more efficient and portable.

Containers vs. Virtual Machines (VMs):

| Feature | Containers | Virtual Machines |
| --- | --- | --- |
| OS Overhead | Share host OS kernel; no guest OS | Include full guest OS |
| Size | MBs (small) | GBs (large) |
| Startup Time | Seconds | Minutes |
| Isolation | Process-level isolation (via namespaces) | Full OS-level isolation (via hypervisor) |
| Portability | Highly portable (run anywhere) | Less portable (tied to hypervisor) |

2. Why Containers Matter: Key Benefits

Containers have revolutionized software development and operations (DevOps) for several reasons:

  • Consistency: Eliminates the "it works on my machine" problem by ensuring applications run the same way across environments (dev, test, prod).
  • Efficiency: Containers are lightweight, so they use fewer resources (CPU, memory, storage) than VMs, allowing more applications to run on the same hardware.
  • Speed: Containers start in seconds, accelerating deployment and scaling.
  • Scalability: Easily replicate containers to handle increased load (e.g., during traffic spikes).
  • Isolation: Applications run in isolated environments, preventing conflicts between dependencies.

3. How Containers Work: Under the Hood

Containers rely on two core Linux kernel features to function: namespaces and control groups (cgroups).

Namespaces: Isolation at the Process Level

Namespaces partition the OS kernel resources, ensuring containers cannot see or interfere with each other. Key namespaces include:

  • PID Namespace: Isolates process IDs (PIDs), so each container has its own process tree.
  • Network Namespace: Creates isolated network stacks (IP addresses, ports, routing tables) for each container.
  • Mount Namespace: Isolates the file system mount points, so containers have their own view of the file system.
  • User Namespace: Maps user IDs (UIDs) inside the container to different UIDs on the host, enhancing security.
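
Namespace membership is visible under /proc, so the isolation listed above can be checked directly. The script below is an added example, not part of the original post; the function names, PIDs and inode numbers are constructed for illustration, and it runs against a stand-in /proc tree so it works without Docker.

```shell
#!/bin/sh
# Added example: which namespaces does a process share with host PID 1?
# Two processes are in the same namespace when /proc/<pid>/ns/<type>
# resolves to the same "type:[inode]" link target.

# shared_namespaces PROC_ROOT PID_A PID_B -> space-separated shared types.
# PROC_ROOT is normally /proc; it is a parameter so the check can also run
# against the constructed tree below.
shared_namespaces() {
    sn_shared=""
    for sn_type in pid net mnt user uts ipc; do
        sn_a=$(readlink "$1/$2/ns/$sn_type" 2>/dev/null) || continue
        sn_b=$(readlink "$1/$3/ns/$sn_type" 2>/dev/null) || continue
        if [ "$sn_a" = "$sn_b" ]; then
            sn_shared="$sn_shared $sn_type"
        fi
    done
    echo "${sn_shared# }"
}

# make_sample_proc DIR: constructed stand-in for /proc (inode numbers invented).
#   1    = host init
#   4242 = container process: own pid/net/mnt/uts/ipc, user namespace shared
#          (as with Docker when userns-remap is not enabled)
#   4343 = container started with host networking: net shared as well
make_sample_proc() {
    mp_n=0
    for mp_type in pid net mnt user uts ipc; do
        mp_n=$((mp_n + 1))
        for mp_pid in 1 4242 4343; do
            mkdir -p "$1/$mp_pid/ns"
            ln -sf "$mp_type:[40265${mp_pid}${mp_n}]" "$1/$mp_pid/ns/$mp_type"
        done
    done
    # Sharing a namespace with the host means the same link target as PID 1.
    ln -sf "$(readlink "$1/1/ns/user")" "$1/4242/ns/user"
    ln -sf "$(readlink "$1/1/ns/user")" "$1/4343/ns/user"
    ln -sf "$(readlink "$1/1/ns/net")" "$1/4343/ns/net"
}

sample=$(mktemp -d)
make_sample_proc "$sample"
echo "4242 shares with host: $(shared_namespaces "$sample" 1 4242)"
echo "4343 shares with host: $(shared_namespaces "$sample" 1 4343)"
rm -rf "$sample"
```

On a real host, run it as root with /proc as the first argument, 1 as the second, and the container's host PID (from `docker inspect -f '{{.State.Pid}}' <container>`) as the third.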

Control Groups (cgroups): Resource Limiting

Cgroups restrict the amount of CPU, memory, disk I/O, and network bandwidth a container can use. This prevents a single container from monopolizing host resources, ensuring fair resource allocation.

4. Key Container Technologies

Several tools and platforms power containerization. Here are the most critical ones for LFCA candidates:

Docker

Docker is the most popular container platform, simplifying container creation, distribution, and management. It includes:

  • Docker Engine: The runtime that creates and runs containers.
  • Docker CLI: A command-line tool to interact with Docker Engine (e.g., docker run, docker build).
  • Docker Compose: A tool for defining and running multi-container applications (e.g., a web app + database).

Containerd

Containerd is a lightweight, industry-standard container runtime. Originally part of Docker, it was spun off as an independent project and is now the default runtime for Kubernetes. It handles image management, container lifecycle, and low-level runtime operations.

Kubernetes (K8s)

Kubernetes is an open-source container orchestration platform. While LFCA focuses on basics, understanding its role is critical: it automates container deployment, scaling, and management across clusters of servers. Key concepts include pods (smallest deployable units), nodes (worker machines), and the control plane (manages the cluster).

5. Basic Container Operations: Hands-On Examples

Let’s dive into practical Docker commands you’ll need to master for LFCA.

Prerequisites: Install Docker

First, install Docker on your Linux system (e.g., Ubuntu):

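# Update package index
sudo apt update

# Install Docker dependencies
sudo apt install -y apt-transport-https ca-certificates curl software-properties-common

# Add Docker GPG key to a dedicated keyring (apt-key is deprecated and would
# trust the key for every repository on the system)
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add Docker repository, restricted to that key with signed-by
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Install Docker Engine
sudo apt update && sudo apt install -y docker-ce

# Verify installation (runs a test container)
sudo docker run hello-world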

Key Docker Commands

1. Pull an Image from a Registry

Images are read-only templates used to create containers. Pull an image (e.g., Nginx, a web server) from Docker Hub:

sudo docker pull nginx:latest  # "latest" is the image tag (version)  

2. Run a Container

Start a container from an image. Use -d to run in detached mode (background), -p to map host ports to container ports, and --name to assign a name:

sudo docker run -d -p 8080:80 --name my-nginx nginx:latest

  • -d: Detached mode (container runs in the background).
  • -p 8080:80: Maps host port 8080 to container port 80 (Nginx’s default port).
  • --name my-nginx: Names the container my-nginx for easy reference.

3. List Running Containers

Check active containers:

sudo docker ps  # Lists running containers  
sudo docker ps -a  # Lists all containers (running and stopped)  

4. Stop and Start a Container

sudo docker stop my-nginx  # Stops the container
sudo docker start my-nginx  # Starts the stopped container again

5. Remove a Container

sudo docker rm my-nginx  # Remove a stopped container  
sudo docker rm -f my-nginx  # Force-remove a running container  

6. List Local Images

sudo docker images  # Shows all images on your system  

7. Remove an Image

sudo docker rmi nginx:latest  # Remove an image (must first remove containers using it)  

6. Container Images and Registries

What Are Container Images?

Images are the blueprint for containers. They are built from Dockerfiles (text files with instructions to build the image) and consist of read-only layers. Each layer represents a change (e.g., installing a package, adding files). Layers are cached, making image builds faster.

Example Dockerfile

Create a simple Dockerfile to build a Python image:

# Use an official Python runtime as the base image  
FROM python:3.9-slim  
 
# Set the working directory in the container  
WORKDIR /app  
 
# Copy the current directory contents into the container at /app  
COPY . /app  
 
# Install dependencies  
RUN pip install --no-cache-dir -r requirements.txt  
 
# Define the command to run when the container starts  
CMD ["python", "app.py"]  

Build the image with:

sudo docker build -t my-python-app:1.0 .  

Registries: Where Images Live

Registries are repositories for container images. The most popular public registry is Docker Hub, but organizations often use private registries (e.g., AWS ECR, Google Container Registry) for security.

  • Pull an image from Docker Hub: docker pull [image]:[tag] (e.g., docker pull ubuntu:22.04).
  • Push an image to a registry: First tag it with the registry URL, then push:
    sudo docker tag my-python-app:1.0 username/my-python-app:1.0  
    sudo docker push username/my-python-app:1.0  

7. Container Orchestration: The Basics

As applications grow, managing hundreds of containers manually becomes impractical. Orchestration tools automate deployment, scaling, and monitoring of containers.

Kubernetes (K8s) Fundamentals

Kubernetes is the de facto orchestration standard. Key concepts for LFCA:

  • Pod: The smallest deployable unit in Kubernetes. A pod contains one or more containers that share resources (network, storage).
  • Node: A worker machine (physical or virtual) that runs pods.
  • Control Plane: Manages the cluster (e.g., scheduling pods, monitoring health).
  • Deployment: A Kubernetes object that defines how to run and scale pods (e.g., "run 3 replicas of my app").

Example: A simple Kubernetes deployment YAML file (deployment.yaml):

apiVersion: apps/v1  
kind: Deployment  
metadata:  
  name: nginx-deployment  
spec:  
  replicas: 3  # Run 3 pod replicas  
  selector:  
    matchLabels:  
      app: nginx  
  template:  
    metadata:  
      labels:  
        app: nginx  
    spec:  
      containers:  
      - name: nginx  
        image: nginx:latest  
        ports:  
        - containerPort: 80  

Apply the deployment with:

kubectl apply -f deployment.yaml  

8. Security Best Practices for Containers

Containers introduce unique security risks. Follow these best practices:

  • Run Containers as Non-Root: Avoid running containers as the root user. Define a non-root user in your Dockerfile:
    RUN useradd -m appuser  
    USER appuser  
  • Use Minimal Base Images: Choose lightweight images (e.g., alpine instead of full ubuntu) to reduce attack surface.
  • Scan Images for Vulnerabilities: Tools like Trivy or Clair scan images for known vulnerabilities.
    trivy image nginx:latest  
  • Limit Container Capabilities: Restrict kernel capabilities (e.g., --cap-drop=ALL in Docker) to minimize privileges.
  • Use Network Policies: In Kubernetes, define network policies to control traffic between pods.
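
The non-root rule above can be checked before an image is built. The script below is an added example, not part of the original post: final_user and user_verdict are hypothetical helper names, and the sample Dockerfiles are constructed from the post's Python Dockerfile and its useradd/USER lines. It also covers multi-stage builds, which the post does not discuss.

```shell
#!/bin/sh
# Added example: which user will the image built from a Dockerfile run as?
# USER is per build stage: only the final stage counts, and a stage started
# with "FROM <earlier stage>" inherits that stage's USER.

# final_user FILE -> USER in effect at the end of the last stage ("" if none).
final_user() {
    awk '
        { sub(/\r$/, "") }
        toupper($1) == "FROM" {
            if (stage != "") saved[stage] = user    # remember named stage
            i = 2; while ($i ~ /^--/) i++           # skip --platform=...
            base = tolower($i)
            user = (base in saved) ? saved[base] : ""
            stage = (toupper($(i + 1)) == "AS") ? tolower($(i + 2)) : ""
            next
        }
        toupper($1) == "USER" { user = $2 }         # last USER in a stage wins
        END { print user }
    ' "$1"
}

# user_verdict FILE -> "unset" (inherits the base image user, often root),
# "root", or "nonroot:<user>".
user_verdict() {
    uv_user=$(final_user "$1")
    case "${uv_user%%:*}" in                        # drop optional :group
        "")     echo "unset" ;;
        root|0) echo "root" ;;
        *)      echo "nonroot:${uv_user%%:*}" ;;
    esac
}

# Constructed samples: the post's Python Dockerfile, then the same file with
# the two lines from the non-root bullet added.
tmp=$(mktemp -d)
printf '%s\n' 'FROM python:3.9-slim' 'WORKDIR /app' 'COPY . /app' \
    'CMD ["python", "app.py"]' > "$tmp/Dockerfile.orig"
printf '%s\n' 'FROM python:3.9-slim' 'RUN useradd -m appuser' \
    'USER appuser' 'CMD ["python", "app.py"]' > "$tmp/Dockerfile.fixed"
echo "original: $(user_verdict "$tmp/Dockerfile.orig")"
echo "fixed:    $(user_verdict "$tmp/Dockerfile.fixed")"
rm -rf "$tmp"
```

A verdict of "unset" or "root" is the case to fail in a build pipeline; "unset" means the result depends entirely on the base image.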

9. Conclusion

Containers are a foundational technology in modern IT, and mastering their basics is essential for the LFCA certification. In this guide, we covered what containers are, how they work, key tools like Docker and Kubernetes, practical operations, and security best practices.

To solidify your skills, practice running containers, building images from Dockerfiles, and exploring basic Kubernetes commands. The LFCA exam will test your understanding of these concepts, so hands-on experience is key.

10. References