How Container Filesystem Works: Building a Docker-Like Container From Scratch
Posted4 months agoActive4 months ago
labs.iximiuz.comTechstory
calmpositive
Debate
40/100
ContainerizationDockerFilesystem
Key topics
Containerization
Docker
Filesystem
The article explains how container filesystems work by building a Docker-like container from scratch, sparking a discussion on the history and inner workings of containerization technology.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
3d
Peak period
23
72-84h
Avg / period
8
Comment distribution32 data points
Loading chart...
Based on 32 loaded comments
Key moments
- 01Story posted
Sep 13, 2025 at 10:37 AM EDT
4 months ago
Step 01 - 02First comment
Sep 16, 2025 at 2:56 PM EDT
3d after posting
Step 02 - 03Peak activity
23 comments in 72-84h
Hottest window of the conversation
Step 03 - 04Latest activity
Sep 18, 2025 at 4:14 PM EDT
4 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 45232426Type: storyLast synced: 11/20/2025, 4:11:17 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
The one thing people really seem to miss on them is like, contrary to popular belief you dont need a whole OS container there, minimal distroless containers work just fine with systemd-nspawn similar to as they would on docker.
Much of the technology was there, but Docker was able to achieve a critical mass, with streamlined workflows. Perhaps as much a social phenomenon as a technical one?
They're way closer to the usual "Unix" tool feel too. Docker feels 100% like an attempt to get rich by engineering a monolith rather than be a few helper C tools. Docker was so annoying to learn.
Fortunately with the end of ZIRP and SaaS deflation (in real user terms, not fake investment to project we still live in the 2010s heyday), software engineers are focused on engineering more than hype generation. Am excited about energy based models, capture of electromagnetic geometry of the machine as it runs programs.
60s style lexical state management systems dragged forward in time because of social momentum have little to do with engineering. Are hardly high tech in 2025.
The effort to introduce the concepts to the mainstream can’t be understated. It seems mundane now but it took a lot of grassroots effort and marketing to hit that critical mass.
The big pain with jails for me was the tooling. There was a number of non-trivial steps needed to get a jail that could host a networked service, with a lot that could go wrong along the way.
Sure a proper sysadmin would learn and internalize these steps, but as someone who just used it now and again it was a pain.
Way down the line things like iocage came along, but it was fragile and not reliable when I tried it, leading to jails in weird states and such.
So I gave up and moved to Linux so I could use Docker.
Super easy to spin up a new service, and fairly self-documenting as you just configure everything in a script or compose file so much less to remember.
Initially in a VM on Bhyve, now on bare metal.
It feels a bit sad though, as jails had some nice capabilities due to the extra isolation.
https://www.youtube.com/watch?v=wW9CAH9nSLs
Docker is more than just chroot. You also need: overlay file system; OCI registry and community behind it, to create thousands of useful images. And, of course, the whole idea of creating images layer by layer and using immutable images to spawn mutable containers.
I don't actually think that you need network or process isolation. In terms of isolation, chroot is enough for most practical needs. Network and process isolations are nice to have, but they are not essential.
process isolation is less prominent
The only thing that you need is the ability to configure a target application to choose address to bind to. But any sane application have that configuration knob.
Of course things are much easier with network namespaces, but you can go pretty far with host network (and I'd say it might be easier to understand and manage).
containerd/stargz-snapshotter: https://github.com/containerd/stargz-snapshotter
containerd/nerdctl//docs/nydus.md: https://github.com/containerd/nerdctl/blob/main/docs/nydus.m... :
nydusify and Check Nydus image: https://github.com/dragonflyoss/nydus/blob/master/docs/nydus... :
> Nydusify provides a checker to validate Nydus image, the checklist includes image manifest, Nydus bootstrap, file metadata, and data consistency in rootfs with the original OCI image. Meanwhile, the checker dumps OCI & Nydus image information to output (default) directory.
nydus: https://github.com/dragonflyoss/nydus
awslabs/soci-snapshotter: https://github.com/awslabs/soci-snapshotter ; lazy start standard OCI images
/? lxc copy on write: https://www.google.com/search?q=lxc+copy+on+write : lxc-copy supports btrfs, zfs, lvm, overlayfs
lxc/incus: "Add OCI image support" https://github.com/lxc/incus/issues/908
opencontainers/image-spec; OCI Image spec: https://github.com/opencontainers/image-spec
opencontainers/distribution-spec; OCI Image distribution spec: https://github.com/opencontainers/distribution-spec
But then in the
opencontainers/runtime-spec//config.md OCI runtime spec TODO bundle config.json there is an example of a config.json https://github.com/opencontainers/runtime-spec/blob/main/con...
The LXC approach is to run systemd in the container.
The quadlet approach is to not run systemd /sbin/init in the container; instead create .container files in /etc/containers/systemd/ (rootful) or ~/.config/containers/systemd/*.container (for rootless) so that the host systemd manages and logs the container processes.
Then realized you said QEMU not LXC.
LXD: https://canonical.com/lxd :
> LXD provides both [QEMU,] KVM-based VMs and system containers based on LXC – that can run a full Linux OS – in a single open source virtualisation platform. LXD has numerous built-in management features, including live migration, snapshots, resource restrictions, projects and profiles, and governs the interaction with various storage and networking options.
From https://documentation.ubuntu.com/lxd/latest/reference/storag... :
> LXD supports the following storage drivers for storing images, instances and custom volumes:
> Btrfs, CephFS, Ceph Object, Ceph RBD, Dell PowerFlex, Pure Storage, HPE Alletra, Directory, LVM, ZFS
You can run Podman or Docker within an LXD host; with or without a backing storage pool. FWIU it's possible for containers in an LXD VM to use BTRFS, ZFS, or KVM storage drivers to create e.g. BTRFS subvolumes instead of running overlayfs within the VM by editing storage.conf.
Dockers is conceptually simpler for devs and the layer use case but has huge performance issues which is why it never went anywhere for non-docker classic IT type use cases.
A SINGLE regular text file that took regular shell commands and could build the same deployment from scratch every time and then be cleaned up in one command.
This was UNHEARD of. Every other solution required learning new languages, defining “modules,” creating sets of scripts, or doing a lot of extra things. None of that was steezy.
I was so sold on Dockerfiles that I figured that even if the Docker project died, my Dockerfiles would continue to live because other people would try copy the idea of Dockerfiles. Now it’s been 10 years and Docker and containerization has changed a lot but what hasn’t? Dockerfiles. My 10 year Dockerfiles are still valid. That’s how good they were.
https://en.wikipedia.org/wiki/Solaris_Containers