On 11/08/2014 08:24 PM, Nico Kadel-Garcia wrote:
On Sat, Nov 8, 2014 at 9:55 PM, Jamie Duncan <jamie.e.dun...@gmail.com> wrote:
"""
Basically it's chroot on steroids, allows program (or lots of programs,
up to "all the programs in typical operating system, starting from
init") execute in lightweight isolation - filesystem isolation, socket
isolation, process space isolation and limits (memory, CPU, IO etc) for
whole container. (chroot offers only low-quality filesystem isolation).
"""

Containers aren't anything like a chroot. A container as it's known in
RHEL/CentOS/Scientific Linux 7 is typically using docker (www.docker.com) to
manage SELinux, cgroups, and kernel namespaces to provide better isolation.
Docker has a process of using read-only images to create copy-on-write
filesystems (other options available).

They're incredibly interesting, and can be incredibly powerful. They're also
incredibly new to most users. A 'Containers 101' talk I've given 8-10 times
is at http://redhat.slides.com/jduncan/wrinkle-free-docker-20141107#/  (full
disclosure - I work for Red Hat and spend some time working with docker).

Reviewing the documentation, including www.docker.com, it really does
look like "chroot on steroids". I remember seeing, and using, similar
charts to describe chroot cages.

Processes and filesystems and libraries are established within the
pre-built container, but when running are isolated from access to host
resources that are not, specifically, shared with the container? And
the container is a nearly full OS environment, lacking only
unnecessary details like full hardware access to the host holding the
containers? Yeah, it's somewhere between chroot and
paravirtualization.

Not to discredit its potential usefulness, I'm hearing good things
about its ease of use.


I am wondering if it will allow me to ditch virtual machines?