On Thu, Mar 8, 2018 at 11:44 AM, R0b0t1 <r03...@gmail.com> wrote:
>
> I think I was equating containers to Docker as well. My point was
> instead of trying to manage dependencies, containers allow people to
> shove everything into an empty root with no conflicts. The
> enthusiastic blog post seems to restate this.
>

That is one of many things they can do.  You can also run a service
like apache in a container even if it is installed in the same root
filesystem as all your other applications.  (In fact, I think this is
sort-of the default behavior if you start apache with the systemd unit
supplied.)

Ultimately on linux the governing functionality is kernel namespaces
and chroot (and I guess you might lump in chuid).  Kernel namespaces
involve the various types of namespaces themselves, and then the
clone/setns/unshare system calls.  There are a lot of things you can
do with various applications of these, and you don't have to run a
process in every possible separated namespace.

I mention it mainly because people tend to limit themselves by
thinking that container=docker, when linux provides a number of system
calls that administrators can employ to do useful things, and you
don't need any kind of fancy management system to use any of them, any
more than you need any fancy tools to run chroot.

If you have util-linux installed then try running (as any user - you
don't have to be root):
unshare -i -m -n -p -u -C -f --mount-proc -U -r /bin/bash

Congrats.  You are now root in a container.  You're in the same root
filesystem as always.  You'll note that you can't actually see
anything that you couldn't see before.  If you run ps -ea you'll see
that you're the only process running on the system.  Devices like
/dev/sda aren't actually accessible.  A lot of container managers
would mount a new /dev and just hide most of that stuff.  You can
probably imagine how something like this could be useful for isolating
processes.  Try mounting a tmpfs somewhere - you'll see you can do it.
The tmpfs will be invisible, though, to other processes that aren't
inside the container.

-- 
Rich

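The unshare(1) invocation above is a thin wrapper around the same system calls Rich names (clone/unshare/setns). The following C program is an added example, not code from the thread or from util-linux, that reproduces what that command line does without the tool: one clone(2) call with the namespace flags corresponding to -i -m -n -p -u -C -U, the uid_map/gid_map writes that -r performs so the caller becomes uid 0 inside, and the private /proc mount behind --mount-proc. The function names (ns_flags_from_unshare_letters, run_in_container, report_identity, run_demo) and the exit-code convention are this example's own choices, not anything from the post.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWCGROUP          /* older glibc headers omit it; kernel ABI value */
#define CLONE_NEWCGROUP 0x02000000
#endif

/* Map the single-letter unshare(1) options from the post to clone(2) flags:
 * -i ipc, -m mount, -n net, -p pid, -u uts, -C cgroup, -U user.
 * Returns -1 on an unknown letter. */
int ns_flags_from_unshare_letters(const char *letters)
{
    int flags = 0;
    for (const char *p = letters; *p; p++) {
        switch (*p) {
        case 'i': flags |= CLONE_NEWIPC;    break;
        case 'm': flags |= CLONE_NEWNS;     break;
        case 'n': flags |= CLONE_NEWNET;    break;
        case 'p': flags |= CLONE_NEWPID;    break;
        case 'u': flags |= CLONE_NEWUTS;    break;
        case 'C': flags |= CLONE_NEWCGROUP; break;
        case 'U': flags |= CLONE_NEWUSER;   break;
        default:  return -1;
        }
    }
    return flags;
}

/* Write one string to a /proc/self/* file; 0 on success, -errno otherwise. */
static int write_proc_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int err = write(fd, text, strlen(text)) < 0 ? -errno : 0;
    close(fd);
    return err;
}

/* What "unshare -r" does: map the caller's real uid/gid to 0 inside the new
 * user namespace.  An unprivileged writer must deny setgroups before the
 * kernel lets it write gid_map. */
static int map_self_to_root(uid_t uid, gid_t gid)
{
    char line[64];
    int err = write_proc_file("/proc/self/setgroups", "deny");
    if (err) return err;
    snprintf(line, sizeof line, "0 %u 1", (unsigned)uid);
    if ((err = write_proc_file("/proc/self/uid_map", line))) return err;
    snprintf(line, sizeof line, "0 %u 1", (unsigned)gid);
    return write_proc_file("/proc/self/gid_map", line);
}

struct child_args { int (*fn)(void); uid_t uid; gid_t gid; };

/* Entry point of the clone()d child, which is already PID 1 of the new pid
 * namespace.  Exit codes: 3 = id mapping failed, 2 = /proc mount refused
 * (e.g. masked /proc paths under a container runtime), else fn()'s result. */
static int child_main(void *arg)
{
    struct child_args *a = arg;
    if (map_self_to_root(a->uid, a->gid)) return 3;
    /* "--mount-proc": stop mount propagation, then mount a /proc that
     * belongs to this pid namespace and so lists only its processes. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0 ||
        mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) < 0)
        return 2;
    return a->fn() & 0xff;
}

/* Run fn() as PID 1, uid 0, in fresh namespaces.  Returns the child's exit
 * status, or -errno if clone() itself was refused (typically -EPERM where
 * unprivileged user namespaces are disabled or seccomp blocks the flags). */
int run_in_container(int (*fn)(void))
{
    static char child_stack[1 << 16];      /* clone() needs a stack for the child */
    struct child_args args = { fn, getuid(), getgid() };
    int flags = ns_flags_from_unshare_letters("imnpuCU") | SIGCHLD;
    pid_t child = clone(child_main, child_stack + sizeof child_stack, flags, &args);
    if (child < 0) return -errno;
    int status;
    if (waitpid(child, &status, 0) < 0) return -errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -ECHILD;  /* killed by signal */
}

/* The check from the post: inside we are PID 1 and uid 0, and the fresh
 * /proc shows nothing but ourselves (no /proc/2).  Returns 0 when so. */
int report_identity(void)
{
    int ok = getpid() == 1 && getuid() == 0 && access("/proc/2", F_OK) != 0;
    printf("inside: pid=%d uid=%u other processes visible: %s\n",
           (int)getpid(), (unsigned)getuid(), ok ? "no" : "yes");
    return ok ? 0 : 1;
}

int run_demo(void) { return run_in_container(report_identity); }

int main(void)
{
    int rc = run_demo();
    if (rc < 0) { fprintf(stderr, "clone failed: %s\n", strerror(-rc)); return 1; }
    printf("child exited with %d\n", rc);
    return rc;
}
```

Compile with `gcc -Wall -o nsdemo nsdemo.c` and run as an ordinary user; a kernel that forbids unprivileged user namespaces (or a runtime seccomp profile that filters clone's namespace flags) reports EPERM from clone() rather than silently running outside a namespace, which is the failure mode worth checking for before trusting any "I am root in a container" claim.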