SCIENTIFIC-LINUX-USERS Archives

November 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Vladimir Mosgalin <[log in to unmask]>
Reply To:
Vladimir Mosgalin <[log in to unmask]>
Date:
Sun, 9 Nov 2014 15:28:39 +0300
Content-Type:
text/plain
Parts/Attachments:
text/plain (44 lines)
Hi Jamie Duncan!

 On 2014.11.08 at 21:55:52 -0500, Jamie Duncan wrote next:

> Containers aren't anything like a chroot. A container as it's known in
> RHEL/CentOS/Scientific Linux 7 is typically using docker (www.docker.com)
> to manage SELinux, cgroups, and kernel namespaces to provide better
> isolation. Docker has a process of using read-only images to create
> copy-on-write filesystems (other options available).

Well, I did mention docker and my opinion about it. It's a fun thing, but
currently, for simple tasks, I don't see how it works better than
systemd-nspawn, for example. It probably will in the future.

As for more complex ways to use containers, e.g. as lightweight
virtualization to get a new network namespace and resource control for a
certain group of services, docker is unsuitable and probably always will
be. Docker seems to be designed with the concept of isolating single
services in mind; that's not always the use case.

E.g. we had a goal: "use SL7 on the database host, but run PostgreSQL with
some related services inside an SL6 container, until we get enough time to
make it work on SL7 natively (after which we'll move it from the container
to the base system)".
Having a nearly complete virtual host with sshd, a PostgreSQL server and
related tools would be cumbersome in docker. This task can be solved
with LXC, however.

LXC also provides the best way to migrate current OpenVZ containers, each
running a whole bunch of services as under virtualization. Of course
each has sshd and a whole bunch of various services running. Docker
usage goes against these concepts.

In other words, docker is nice, but it would be a stretch to call it
"the main container technology in EL7". On the other hand, I'm very happy
that LXC now works on the stock kernel and out of the box (native LXC, that
is; as I mentioned before, libvirt-based LXC is unusable at this
point). It was annoying that you had to change the kernel for OpenVZ to
work.

-- 

Vladimir
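Added example, not code from Vladimir's message or from the LXC project: the shape of an LXC 1.x (the version available on EL7 at the time) configuration for the kind of "system container" the message describes, a whole SL6 userland with sshd and PostgreSQL in its own network namespace, with cgroup resource limits. The container name pg-sl6, the rootfs path, the host bridge br0, the address 10.0.3.10/24 and the memory/CPU limits are assumptions for illustration; the rootfs is assumed to be unpacked already. The function writes the config file, and a second function prints (rather than runs) the lxc-start/lxc-attach/lxc-cgroup/lxc-stop commands so the script runs without LXC installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the LXC project): an LXC 1.x
# system-container config on an EL7 host. Assumed values: name pg-sl6, rootfs at
# /var/lib/lxc/pg-sl6/rootfs, host bridge br0, address 10.0.3.10/24.

# write_lxc_config NAME ROOTFS BRIDGE OUTFILE [MEM_LIMIT] [CPU_SHARES]
# Writes an LXC 1.x config for a full-userland (sshd + PostgreSQL) container.
write_lxc_config() {
    name=$1; rootfs=$2; bridge=$3; out=$4
    mem=${5:-4G}; shares=${6:-1024}
    cat > "$out" <<EOF
# Distribution defaults shipped with LXC 1.x (standard mounts, device list,
# capability drops for a privileged container).
lxc.include = /usr/share/lxc/config/centos.common.conf

lxc.utsname = $name
lxc.rootfs = $rootfs

# Own network namespace: one veth pair bridged to $bridge, so the container's
# sshd and PostgreSQL listen on the container's address, not on the host's.
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = $bridge
lxc.network.name = eth0
lxc.network.ipv4 = 10.0.3.10/24
lxc.network.ipv4.gateway = 10.0.3.1

# Resource control through cgroups (memory ceiling, relative CPU weight).
lxc.cgroup.memory.limit_in_bytes = $mem
lxc.cgroup.cpu.shares = $shares

# Least privilege: LXC 1.x containers on EL7 are privileged (root inside is
# root on the host), so deny every device node except the handful a database
# host needs, and drop capabilities it never uses.
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio
EOF
}

# lxc_lifecycle NAME
# Prints the LXC 1.x commands to start, inspect, adjust and stop the container.
# (SL6 has no systemd, hence /sbin/service inside the container.)
lxc_lifecycle() {
    name=$1
    printf '%s\n' \
        "lxc-start -n $name -d" \
        "lxc-info -n $name" \
        "lxc-attach -n $name -- /sbin/service postgresql status" \
        "lxc-cgroup -n $name memory.limit_in_bytes" \
        "lxc-stop -n $name"
}

# Demo run only when explicitly requested, so sourcing the file is side-effect free.
if [ -n "${LXC_EXAMPLE_RUN:-}" ]; then
    write_lxc_config pg-sl6 /var/lib/lxc/pg-sl6/rootfs br0 /var/lib/lxc/pg-sl6/config
    lxc_lifecycle pg-sl6
fi
```

Note the caveat in the device and capability section: an LXC 1.x container of this kind is privileged, so an sshd reachable inside it is an sshd running as host root; the device deny list and lxc.cap.drop narrow what that root can do but do not make it an unprivileged container.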
