Understanding the challenges with container images
In this section, we will learn about the considerations and best practices followed by industry experts when building or selecting the right container images. Before we discuss the challenges and get into our options, let's learn what goes into a container image.
Exploring the components of container images
To understand the behavior of a container image, we need a basic knowledge of the Operating System (OS) and hierarchical protection domains. For security segregation purposes, the OS handles virtual memory in two layers called kernel space and user space. The kernel runs in the most privileged protection ring, called Ring 0, and interacts directly with critical resources such as CPU and memory. The kernel needs to be stable, since any problem in it would destabilize the overall system and bring everything to a panic state. As we can see in Figure 8.1, drivers, low-level system components...