Container == process
“Those who do not understand UNIX are destined to reinvent it badly.”
Have they finished realising that a container is just a chroot process yet?
2017 was a big year for containers. One of the biggest container events came from the Linux Foundation, and it was – by its own admission – one of the most boring. The Foundation’s Open Containers Initiative (OCI) finally dropped two specifications that standardise how containers operate at a low level. Chris Aniszczyk, vice …
It's slightly more than that - it's a way to easily share and distribute that chroot directory with associated library dependencies.
It's a way to share config amongst the directories and to obfuscate the networking to the point where an epileptic spider dipped in ink would be considered coherent.
IIRC there is also a bit more memory protection than a plain chroot process has - but I might be wrong about that.
> IIRC there is also a bit more memory protection than a plain chroot process has - but I might be wrong about that.
There's an enforcement aspect to containers, which is basically chroot + cgroups + namespaces. You can indeed limit the total RAM and/or swap used by a cgroup, as well as the amount of CPU and various other things.
(lxd uses the same features to provide something akin to "lightweight virtual machines")
However there is also the software delivery aspect of containers: building a chroot image, publishing it, fetching and caching the image in layers, merging the layers.
Then there is the runtime management aspect: starting and stopping containers, listing them, collecting their logs, attaching storage, managing networking.
And on top of this sit things like Kubernetes which schedule which containers to run and where.
Put these together, and you have a consistent way of managing software from development to testing to operations.
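As an added illustration of the point above (this is example code, not from the original thread or any project named in it): a container is an ordinary Linux process whose namespaces and cgroup membership are visible in `/proc` like anyone else's. The script below reads the namespace identities of a process and of PID 1, reports which namespaces differ, and parses `/proc/<pid>/cgroup` and a cgroup memory limit file in both the v1 and v2 formats. The sample cgroup text and the `/docker/0123456789abcdef` path are constructed for the example; the threshold used to recognise the v1 "unlimited" sentinel is an assumption documented in the code.

```python
"""Added example: inspect what makes a Linux process 'contained'.

A container is a process; what separates it from a plain chroot is the set
of namespaces it lives in plus the cgroup that meters its CPU and memory.
This script reads those facts from /proc and also provides pure parsing
helpers that work on constructed sample text, so it runs offline.
"""
import os

# Namespace kinds exposed under /proc/<pid>/ns on current kernels
NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# Constructed sample input: /proc/<pid>/cgroup in the v1 (per-controller)
# and v2 (unified hierarchy) formats. The container id is made up.
SAMPLE_CGROUP_V1 = """12:memory:/docker/0123456789abcdef
11:cpu,cpuacct:/docker/0123456789abcdef
1:name=systemd:/docker/0123456789abcdef
"""
SAMPLE_CGROUP_V2 = "0::/system.slice/docker-0123456789abcdef.scope\n"


def namespace_ids(pid="self"):
    """Map namespace kind -> link target such as 'pid:[4026531836]'.

    Two processes share a namespace exactly when these targets match.
    Reading another user's process needs ptrace access, so None marks
    a namespace we could not read rather than a missing namespace.
    """
    ids = {}
    for kind in NS_KINDS:
        try:
            ids[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:
            ids[kind] = None
    return ids


def differing_namespaces(a, b):
    """Namespace kinds readable in both maps whose identities differ."""
    return sorted(k for k in NS_KINDS
                  if a.get(k) and b.get(k) and a[k] != b[k])


def parse_cgroup_file(text):
    """Parse /proc/<pid>/cgroup (v1 or v2) into {controller: cgroup path}.

    v2 has one line '0::/path'; v1 has 'id:ctrl1,ctrl2:/path' per hierarchy,
    with named hierarchies spelled 'name=systemd'.
    """
    membership = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hier_id, controllers, path = line.split(":", 2)
        if controllers == "":
            membership["unified"] = path          # cgroup v2
        else:
            for ctrl in controllers.split(","):
                if ctrl.startswith("name="):
                    ctrl = ctrl[len("name="):]
                membership[ctrl] = path
    return membership


def parse_memory_limit(text):
    """Parse memory.max (v2) or memory.limit_in_bytes (v1) into bytes.

    Returns None when no limit is in force: v2 writes the word 'max';
    v1 writes a huge page-aligned sentinel. Assumption: any value at or
    above 2**62 bytes is that sentinel, not a real limit.
    """
    value = text.strip()
    if value == "max":
        return None
    limit = int(value)
    return None if limit >= 2 ** 62 else limit


def describe(pid="self"):
    """Print how <pid> compares to PID 1 and which cgroups meter it."""
    mine, init = namespace_ids(pid), namespace_ids(1)
    diff = differing_namespaces(mine, init)
    print("namespaces differing from PID 1:",
          diff or "none readable as different (same as init, or unreadable)")
    try:
        with open(f"/proc/{pid}/cgroup") as f:
            print("cgroup membership:", parse_cgroup_file(f.read()))
    except OSError as exc:
        print("cgroup file unreadable:", exc)


if __name__ == "__main__":
    describe()
```

Run it on the host against a containerised process's PID and the `pid`, `mnt`, `net` and `uts` namespaces typically differ from PID 1 while the cgroup path names the runtime's slice; run it inside the container and PID 1 is the container's own init, so the namespaces match. That asymmetry is the whole enforcement story of the comment above, and it is also why a host-side monitor should key on cgroup path and namespace inode rather than on anything the contained process says about itself.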
A chroot is simply changing the root filesystem for the process (shell) that you are running. A container is a process that runs child processes with a different root filesystem and limits access to system calls and resources based on dynamic criteria. Nothing more, nothing less. It's similar in nature to a debugger really. The trick for "containing stuffs" is mimicking the system calls without allowing the process to escape and perform functions that will expose global resources.
In FreeBSD ALL processes run in Jails. The main process runs in Jail 0.
During the development of Unix V7 in 1979, the chroot system call was introduced, changing the root directory of a process and its children to a new location in the filesystem. This advance was the beginning of process isolation: segregating file access for each process. Chroot was added to BSD in 1982.
Chroot, BSD Jails, Solaris Zones. It doesn't really take the wisdom of Solomon to know that nothing is new under the sun. Many of these problems have been solved before, and the whole "let's get away from VMs" is hilarious after most of my customers spent years and millions migrating off better UNIX technologies to get everything to "VMWare/Linux/X86" because the CIO read about it in a magazine.
The business model was a problem in that world for sure, but the tech wasn't.
I highly recommend searching for Computers For Cynics by Ted Nelson on youtube. While Unix is a fascinating implementation of Multics (one that I love using via FreeBSD), it was not new either and replaced mainframes that already had the features we are trying to bring back in "new technology".
I love his description of the PUI best. It's really quite depressing how limited and broken our technology is compared to what is possible.
"containers are still at the point where the enterprise is waiting to embrace them. "
Next time my boss asks me how my work is going, and it isn't finished yet, I'll tell him it's still at the point where the enterprise is waiting to embrace it.
Why haven't we been told what 2018 is going to be the year of yet? It's only 2 weeks away!
Is '20xx will be the Year Of Containers' the new '200x will be the year of desktop linux'?
Well actually probably no; because the Year of desktop linux was aimed at an ecosystem shift, whereas the 'Year Of Containers' is just a buzzword-fest aimed at selling know-nothing senior management types some very expensive conference tickets ...
Biting the hand that feeds IT © 1998–2019