Hi Jamie Duncan! On 2014.11.08 at 21:55:52 -0500, Jamie Duncan wrote next:
> Containers aren't anything like a chroot. A container as it's known in
> RHEL/CentOS/Scientific Linux 7 is typically using docker (www.docker.com)
> to manage SELinux, cgroups, and kernel namespaces to provide better
> isolation. Docker has a process of using read-only images to create
> copy-on-write filesystems (other options available).

Well, I did mention docker and my opinion about it. It's a fun thing, but currently, for the simple tasks right now, I don't see how it works better than systemd-nspawn, for example. It probably will in the future.

As for more complex ways to use containers, e.g. as lightweight virtualization to get a new network namespace and resource control for a certain group of services, docker is unsuitable and will probably never be. Docker seems to be designed with the concept of isolating single services in mind; that's not always the use case. E.g. we had a goal "use SL7 on the database host, but run PostgreSQL with some related services inside an SL6 container, until we get enough time to make it work on SL7 natively (after which we'll move it from the container to the base system)". Having a nearly complete virtual host with sshd, the postgresql server and related tools would be cumbersome in docker. This task can be solved with LXC, however.

LXC also provides the best way to migrate current OpenVZ containers, each running a whole bunch of services like under virtualization. Of course each has sshd and a whole bunch of various services running. Docker usage goes against these concepts.

In other words, docker is nice, but it would be a stretch to call it "the main container technology in EL7".

On the other hand, I'm very happy that LXC now works on the stock kernel and out of the box (native LXC, that is; like I mentioned before, libvirt-based LXC is unusable at this point). It was annoying that you had to change the kernel for OpenVZ to work.

-- 
Vladimir