On 9/11/2014 3:24 PM, Nico Kadel-Garcia wrote:
> On Sat, Nov 8, 2014 at 9:55 PM, Jamie Duncan <jamie.e.dun...@gmail.com> wrote:
>> """
>> Basically it's chroot on steroids, allows program (or lots of programs,
>> up to "all the programs in typical operating system, starting from
>> init") execute in lightweight isolation - filesystem isolation, socket
>> isolation, process space isolation and limits (memory, CPU, IO etc) for
>> whole container. (chroot offers only low-quality filesystem isolation).
>> """
>>
>> Containers aren't anything like a chroot. A container as it's known in
>> RHEL/CentOS/Scientific Linux 7 is typically using docker (www.docker.com) to
>> manage SELinux, cgroups, and kernel namespaces to provide better isolation.
>> Docker has a process of using read-only images to create copy-on-write
>> filesystems (other options available).
>>
>> They're incredibly interesting, and can be incredibly powerful. They're also
>> incredibly new to most users. A 'Containers 101' talk I've given 8-10 times
>> is at http://redhat.slides.com/jduncan/wrinkle-free-docker-20141107#/ (full
>> disclosure - I work for Red Hat and spend some time working with docker).
>
> Reviewing the documentation, including www.docker.com, it really does
> look like "chroot on steroids". I remember seeing, and using, similar
> charts to describe chroot cages.
>
> Processes and filesystems and libraries are established within the
> pre-built container, but when running are isolated from access to host
> resources that are not, specifically, shared with the container? And
> the container is a nearly full OS environment, lacking only
> unnecessary details like full hardware access to the host holding the
> containers? Yeah, it's somewhere between chroot and
> paravirtualization.
You mean it's Solaris / BSD jails? :) Hmmm - haven't we come full circle?

--
Steven Haigh

Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
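As an added example (my own code, not from this thread, Docker or Red Hat), a small check that makes the chroot-versus-container question above concrete from an inspection standpoint: a chrooted process still shares every kernel namespace with the host and only its root directory differs, whereas a container's processes sit in their own mount, PID, network (and so on) namespaces, which is what Docker sets up on top of cgroups and SELinux. The snapshot data in the block is constructed; the `/proc/<pid>/ns/*` and `/proc/<pid>/root` symlinks it reads on a live system are real Linux interfaces.

```python
"""Added example: tell a plain chroot apart from a namespaced container
by comparing a process against a reference process (normally host PID 1).
Constructed snapshots below stand in for /proc data; read_process()
collects the same fields from a live Linux system."""
import os

# Namespace kinds exposed as symlinks under /proc/<pid>/ns/ on Linux.
NS_KINDS = ("mnt", "pid", "net", "ipc", "uts", "user")


def read_process(pid):
    """Snapshot a live process: each ns link target (e.g. 'pid:[4026531836]')
    plus the root-directory link. Reading another user's process needs ptrace
    rights, so unreadable entries are recorded as '?' and ignored later."""
    snap = {}
    for kind in NS_KINDS:
        try:
            snap["ns:" + kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:
            snap["ns:" + kind] = "?"
    try:
        snap["root"] = os.readlink(f"/proc/{pid}/root")  # "/" unless chrooted
    except OSError:
        snap["root"] = "?"
    return snap


def classify(proc, ref):
    """Return (label, namespaces that differ from the reference).
    'namespaces' = container-style isolation, 'chroot-only' = only the
    root directory differs, 'shared' = neither (or nothing readable)."""
    unknown = ("?", None)
    differing = sorted(
        k[3:] for k, v in proc.items()
        if k.startswith("ns:") and v not in unknown
        and ref.get(k) not in unknown and v != ref[k])
    if differing:
        return "namespaces", differing
    if (proc.get("root") not in unknown and ref.get("root") not in unknown
            and proc["root"] != ref["root"]):
        return "chroot-only", []
    return "shared", []


# Constructed snapshots (inode numbers and paths are made up for illustration).
HOST_INIT = {"ns:" + k: f"{k}:[4026531800]" for k in NS_KINDS}
HOST_INIT["root"] = "/"
CHROOT_JAIL = dict(HOST_INIT, root="/srv/jail")          # chroot: same namespaces
CONTAINER = dict(HOST_INIT, root="/var/lib/containers/merged")
for kind in ("mnt", "pid", "net", "ipc", "uts"):          # container: own namespaces
    CONTAINER["ns:" + kind] = f"{kind}:[4026532400]"

if __name__ == "__main__":
    for name, snap in (("jail", CHROOT_JAIL), ("container", CONTAINER)):
        print(name, classify(snap, HOST_INIT))
    print("self vs PID 1", classify(read_process("self"), read_process(1)))
```

Run as root on the host to compare a suspect PID against PID 1; run inside a container, `read_process(1)` is the container's own init, so the check must be performed from the host side to be meaningful.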