SCIENTIFIC-LINUX-USERS Archives

November 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Nico Kadel-Garcia <[log in to unmask]>
Reply To: Nico Kadel-Garcia <[log in to unmask]>
Date: Sat, 8 Nov 2014 23:24:06 -0500
Content-Type: text/plain

On Sat, Nov 8, 2014 at 9:55 PM, Jamie Duncan <[log in to unmask]> wrote:
> """
> Basically it's chroot on steroids, allows program (or lots of programs,
> up to "all the programs in typical operating system, starting from
> init") execute in lightweight isolation - filesystem isolation, socket
> isolation, process space isolation and limits (memory, CPU, IO etc) for
> whole container. (chroot offers only low-quality filesystem isolation).
> """
>
> Containers aren't anything like a chroot. A container as it's known in
> RHEL/CentOS/Scientific Linux 7 is typically using docker (www.docker.com) to
> manage SELinux, cgroups, and kernel namespaces to provide better isolation.
> Docker has a process of using read-only images to create copy-on-write
> filesystems (other options available).
>
> They're incredibly interesting, and can be incredibly powerful. They're also
> incredibly new to most users. A 'Containers 101' talk I've given 8-10 times
> is at http://redhat.slides.com/jduncan/wrinkle-free-docker-20141107#/  (full
> disclosure - I work for Red Hat and spend some time working with docker).

Reviewing the documentation, including www.docker.com, it really does
look like "chroot on steroids". I remember seeing, and using, similar
charts to describe chroot cages.

Processes and filesystems and libraries are established within the
pre-built container, but when running are isolated from access to host
resources that are not, specifically, shared with the container? And
the container is a nearly full OS environment, lacking only
unnecessary details like full hardware access to the host holding the
containers? Yeah, it's somewhere between chroot and
paravirtualization.

Not to discredit its potential usefulness, I'm hearing good things
about its ease of use.
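As an added illustration of the distinction the two posts circle around (a chroot changes only a process's root directory, while a docker-style container also puts it in its own kernel namespaces and cgroup), here is a small Python checker written for this page, not by either poster or by the docker project. It assumes the classification rule described in its docstring; the /proc inode numbers and container id in the sample are constructed, and reading live /proc requires Linux.

```python
"""Tell a chroot apart from a namespace-based container using /proc.

Rule of thumb for a defender: a chroot changes only the process's root
(/proc/<pid>/root), so every link under /proc/<pid>/ns/ still matches
PID 1's.  A docker-style container gets its own mnt/pid/net/ipc/uts
namespaces (different inode numbers) and sits in the runtime's cgroup.
"""
import os

NS_TYPES = ("mnt", "pid", "net", "ipc", "uts", "user")


def read_ns_links(pid):
    """Live /proc/<pid>/ns/* symlinks (Linux only; other users' processes
    need root).  Returns e.g. {'mnt': 'mnt:[4026531840]', ...}."""
    base = f"/proc/{pid}/ns"
    return {ns: os.readlink(os.path.join(base, ns))
            for ns in NS_TYPES if os.path.exists(os.path.join(base, ns))}


def parse_cgroup(text):
    """Return the path field of each /proc/<pid>/cgroup line 'id:ctrl:/path'."""
    return [ln.split(":", 2)[2] for ln in text.splitlines() if ln.count(":") >= 2]


def classify(proc_ns, init_ns, root_differs, cgroup_paths=()):
    """(verdict, namespaces that differ from PID 1).  root_differs is True
    when /proc/<pid>/root resolves somewhere other than '/'.  The cgroup
    test is a heuristic: docker names its cgroups 'docker-<id>.scope' or
    '/docker/<id>' depending on the cgroup driver."""
    differing = sorted(ns for ns in proc_ns
                       if ns in init_ns and proc_ns[ns] != init_ns[ns])
    if differing or any("docker" in p for p in cgroup_paths):
        return "namespaced container", differing
    if root_differs:
        return "chroot only", []
    return "host process", []


# Constructed sample: the inode numbers and the container id are made up.
HOST_NS = {"mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]",
           "net": "net:[4026531956]", "ipc": "ipc:[4026531839]",
           "uts": "uts:[4026531838]", "user": "user:[4026531837]"}
CONTAINER_NS = dict(HOST_NS, mnt="mnt:[4026532201]", pid="pid:[4026532204]",
                    net="net:[4026532207]", ipc="ipc:[4026532202]",
                    uts="uts:[4026532203]")  # user ns shared: 2014 docker had no user namespaces
SAMPLE_CGROUP = "1:name=systemd:/system.slice/docker-CONSTRUCTEDID.scope\n2:cpu:/\n"

if __name__ == "__main__":
    print(classify(HOST_NS, HOST_NS, root_differs=True))       # chroot only
    print(classify(CONTAINER_NS, HOST_NS, True, parse_cgroup(SAMPLE_CGROUP)))
```

On a live EL7 box the same verdict comes from `classify(read_ns_links(pid), read_ns_links(1), os.readlink(f"/proc/{pid}/root") != "/", parse_cgroup(open(f"/proc/{pid}/cgroup").read()))`.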
