This document discusses different types of lightweight virtualization technologies including chroot, BSD Jails, OpenVZ, LXC Linux Containers, and Docker. It provides information on when each technology became available, how they work, and their advantages and limitations. For example, it notes that chroot provides file system isolation only and root users can still escape, while LXC relies on Linux kernel cgroups and provides full file system and root privilege isolation since version 1.0. It also recommends trying Docker on DigitalOcean Droplets.
8. chroot
The chroot system call was introduced during development of Version 7 Unix in 1979 and has been available since 1982 (32 years old).
Provides (partial) file system isolation only.
“root” users can still escape chroot.
Requires some manual linking (or copying) of system files.
10. BSD's “Jail”
Available since 1998 (16 years old).
Provides disk and CPU quotas, memory limits, network and root privilege isolation.
12. OpenVZ
Available since 2005 (9 years old).
Requires a special kernel.
Adds I/O rate limiting, partition checkpointing and live migration.
Still used by hosting companies to provide virtual private servers.
13. OpenVZ
Source: OpenVZ Web site
Container looks like a normal Linux system. It has standard startup scripts; software from vendors can run inside a Container without OpenVZ-specific modifications or adjustment.
A user can change any configuration file and install additional software.
Containers are fully isolated from each other (file system, processes, Inter Process Communication (IPC), sysctl variables).
14. OpenVZ
Source: OpenVZ Web site
Containers share dynamic libraries, which greatly saves memory.
Processes belonging to a Container are scheduled for execution on all available CPUs. Consequently, Containers are not bound to only one CPU and can use all available CPU power.
16. LXC Linux Container
Available since 2008 (6 years old).
Relies on the Linux kernel “cgroups” functionality that was released in version 2.6.24.
Full file system isolation and root privilege isolation since version 1.0 (February 2014 / Linux kernel 3.8).
No partition checkpointing and no live migration!
“chroot on steroids”.
17. Cgroups (control groups)
Namespace isolation
PID namespace: isolation for the allocation of process identifiers.
Network namespace: isolates the NIC, iptables rules, routing, etc.
“UTS” namespace: allows changing the hostname.
Mount namespace: allows creating a different file system layout.
IPC namespace: isolates the System V IPC.
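A practical way to verify that the isolation described above is actually in effect is to compare the namespace identities the kernel exposes under /proc/<pid>/ns for two processes. The following is an added example (not from the slides or from the LXC project) that reports, for each of the five namespace types on this slide, whether two processes share it; it assumes a Linux host where /proc is mounted and the caller is allowed to inspect both processes.

```python
import os
from typing import Dict, Optional

# The five namespace types named on the slide, as they appear under /proc/<pid>/ns.
NAMESPACES = ("pid", "net", "uts", "mnt", "ipc")


def namespace_id(pid: int, ns: str) -> Optional[str]:
    """Return the kernel identity of one namespace of a process, e.g. 'uts:[4026531838]'.

    Two processes are in the same namespace exactly when these strings match.
    Returns None when the link cannot be read: no such process, not a Linux /proc,
    or no permission to inspect that process.
    """
    try:
        return os.readlink(f"/proc/{pid}/ns/{ns}")
    except OSError:
        return None


def compare_namespaces(pid_a: int, pid_b: int) -> Dict[str, Optional[bool]]:
    """Per namespace type: True if both processes share it, False if they are
    isolated from each other, None if it could not be determined."""
    report: Dict[str, Optional[bool]] = {}
    for ns in NAMESPACES:
        ident_a, ident_b = namespace_id(pid_a, ns), namespace_id(pid_b, ns)
        report[ns] = None if ident_a is None or ident_b is None else ident_a == ident_b
    return report


def shared_with_host(container_pid: int, host_pid: int = 1) -> list:
    """Names of namespaces a (supposedly) contained process still shares with
    the host's init process: a non-empty list means that isolation is missing."""
    return [ns for ns, shared in compare_namespaces(container_pid, host_pid).items() if shared]


if __name__ == "__main__":
    import sys

    # Usage: python3 nscheck.py <pid-inside-container> [<host-pid>]
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    host = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    for ns, shared in compare_namespaces(pid, host).items():
        state = "unknown" if shared is None else ("SHARED" if shared else "isolated")
        print(f"{ns:4s} {state}")
```

Run from the host against a container's process id: a line reading SHARED for pid, net, uts, mnt or ipc shows that namespace was not separated, which is the kind of gap the chroot slide warns about.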
19. Docker
Available since 2013 (1 year young).
Based on LXC.
Is currently under heavy development. Docker should not be used in production (yet).
“Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere.”
20. Docker
If you want to try “Docker” you can easily do it on a “Droplet” at DigitalOcean ($5 for 1 month).