SCIENTIFIC-LINUX-USERS Archives

November 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Steven Haigh <[log in to unmask]>
Reply To: Steven Haigh <[log in to unmask]>
Date: Sun, 9 Nov 2014 16:38:41 +1100
Content-Type: multipart/signed
Parts/Attachments: text/plain (1947 bytes), signature.asc (849 bytes)

On 9/11/2014 3:24 PM, Nico Kadel-Garcia wrote:
> On Sat, Nov 8, 2014 at 9:55 PM, Jamie Duncan <[log in to unmask]> wrote:
>> """
>> Basically it's chroot on steroids, allows program (or lots of programs,
>> up to "all the programs in typical operating system, starting from
>> init") execute in lightweight isolation - filesystem isolation, socket
>> isolation, process space isolation and limits (memory, CPU, IO etc) for
>> whole container. (chroot offers only low-quality filesystem isolation).
>> """
>>
>> Containers aren't anything like a chroot. A container as it's known in
>> RHEL/CentOS/Scientific Linux 7 is typically using docker (www.docker.com) to
>> manage SELinux, cgroups, and kernel namespaces to provide better isolation.
>> Docker has a process of using read-only images to create copy-on-write
>> filesystems (other options available).
>>
>> They're incredibly interesting, and can be incredibly powerful. They're also
>> incredibly new to most users. A 'Containers 101' talk I've given 8-10 times
>> is at http://redhat.slides.com/jduncan/wrinkle-free-docker-20141107#/  (full
>> disclosure - I work for Red Hat and spend some time working with docker).
> 
> Reviewing the documentation, including www.docker.com, it really does
> look like "chroot on steroids". I remember seeing, and using, similar
> charts to describe chroot cages.
> 
> Processes and filesystems and libraries are established within the
> pre-built container, but when running are isolated from access to host
> resources that are not, specifically, shared with the container? And
> the container is a nearly full OS environment, lacking only
> unnecessary details like full hardware access to the host holding the
> containers? Yeah, it's somewhere between chroot and
> paravirtualization.

You mean it's Solaris / BSD jails? :)

Hmmm - haven't we come full circle?

-- 
Steven Haigh

Email: [log in to unmask]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897