• by kodah on 11/19/2021, 9:16:41 PM

    This is a great article.

    I disagree with this:

    > Now, when you have a decent understanding of containers - from both the implementation and usage standpoints - it's time to tell you the truth. Containers aren't Linux processes!

    This is a bit of wordplay, I'm assuming, in absence of a word that defines the operating system features that power the concept of containers. To Linux, there is no (to my knowledge) concept of a "container". The container runtime runs your process(es) as the parent and uses the operating system's features to isolate and restrict it/them. A virtual machine would just be a full emulated version of this, rather than using the operating system to virtualize the network stack. The author is right in that there is no such thing as a container, but only as much as containing is a thing you do, imo. What users think of as containers are still just processes though, and I don't think that's an entirely useless abstraction to be cognizant of.
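
An added example, not from this thread or from the article under discussion, to make the point above concrete: the kernel exposes no "container" object, only processes, and what distinguishes a containerized process from a plain one is that its namespace memberships differ from those of the host's PID 1. The script parses the `/proc/<pid>/ns/<kind>` symlink targets (the `kind:[inode]` form Linux uses) and reports in which namespaces two processes differ; the inode values in `HOST_INIT` and `CONTAINER_PROC` are constructed sample data, and the live comparison at the bottom only works on Linux and only where the caller is allowed to read the other process's `ns` links.

```python
import os
import re
from typing import Dict, List, Optional

# Well-known namespace kinds found under /proc/<pid>/ns on Linux (newer kernels
# may expose more, e.g. "time"); missing ones are simply reported as None.
NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# A /proc/<pid>/ns/<kind> symlink resolves to e.g. "net:[4026531992]";
# the bracketed number is the namespace inode, which identifies it uniquely.
_NS_LINK = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(target: str) -> Optional[int]:
    """Return the namespace inode encoded in a ns symlink target, or None."""
    m = _NS_LINK.match(target.strip())
    return int(m.group("inode")) if m else None


def read_ns_table(pid: str = "self") -> Dict[str, Optional[int]]:
    """Read a live process's namespace inodes from /proc (Linux only).

    Reading another process's ns links needs ptrace-level access, so an
    unprivileged caller will usually get None for PID 1; that is expected."""
    table: Dict[str, Optional[int]] = {}
    for kind in NS_KINDS:
        try:
            table[kind] = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
        except OSError:
            table[kind] = None  # not Linux, no permission, or kind not present
    return table


def differing_namespaces(a: Dict[str, Optional[int]],
                         b: Dict[str, Optional[int]]) -> List[str]:
    """Namespace kinds in which two processes do NOT share a namespace.

    A process started by a container runtime typically differs from the
    host's init in mnt, pid, net, uts and ipc (plus user, if user namespaces
    are in play); an ordinary host process differs in none of them."""
    return sorted(k for k in NS_KINDS
                  if a.get(k) is not None and b.get(k) is not None and a[k] != b[k])


def is_isolated_from(a: Dict[str, Optional[int]], b: Dict[str, Optional[int]]) -> bool:
    return bool(differing_namespaces(a, b))


# Constructed sample tables standing in for what /proc would show on a host.
HOST_INIT = {k: 4026531830 + i for i, k in enumerate(NS_KINDS)}
HOST_SHELL = dict(HOST_INIT)            # a plain process shares init's namespaces
CONTAINER_PROC = dict(HOST_INIT)
for _k in ("ipc", "mnt", "net", "pid", "uts"):
    CONTAINER_PROC[_k] = HOST_INIT[_k] + 1000   # fresh namespaces made by the runtime

if __name__ == "__main__":
    print("host shell vs init:     ", differing_namespaces(HOST_SHELL, HOST_INIT))
    print("container proc vs init: ", differing_namespaces(CONTAINER_PROC, HOST_INIT))
    live, init = read_ns_table("self"), read_ns_table("1")
    if all(v is None for v in live.values()):
        print("no /proc namespace links here (not Linux?)")
    else:
        print("this process vs PID 1:  ", differing_namespaces(live, init))
```

On a container host this is also a cheap triage check: a process whose `mnt`, `pid` and `net` inodes all match PID 1's is not isolated at all, regardless of what a runtime's CLI says about it.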

  • by kuizu on 11/19/2021, 9:38:52 PM

    A nice blog series explaining in detail each Linux kernel mechanism making up containers: https://www.schutzwerk.com/en/43/posts/linux_container_intro...

  • by musicale on 11/20/2021, 12:49:38 AM

    Docker and Kubernetes embody a number of design decisions that might be a good fit for some users (and for Google) but add more complexity and overhead than I usually need or want for my typical use case of basic isolation and resource limits.

    Fortunately the container architecture is flexible so that you can use as much or as little of it as you like.

    I also tend to think that if you want stronger isolation for security purposes then you will want a lightweight VM rather than a container (and if you are worried about side channels, probably hardware partitioning - good luck.)

  • by porker on 11/20/2021, 7:18:14 AM

    For a quick overview of containers I found https://wizardzines.com/zines/containers/ super helpful.

  • by ashater on 11/20/2021, 1:19:09 PM

    Good article, steps one level below container managers like Docker or k8s. Obviously not an in-depth look at how the Linux kernel manages container processes, but a good write-up.

  • by yencabulator on 11/22/2021, 8:27:51 PM

    > ... but containers are needed to build images

    Incorrect. The images are mere files (or subtrees), and you can write one however you wish.
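
An added example, not from this thread, showing what the comment above means in practice: a Python script that turns a directory subtree into an image layer and a content-addressed blob store with nothing but the standard library and no container runtime involved. The sample rootfs is constructed inline; the media types are the real OCI ones, but the output writes `manifest.json` directly rather than through an `index.json`, so it is an OCI-style layout for illustration, not a strictly conforming one. The tar is built reproducibly (fixed mtime, uid/gid, sorted entries) so that the same tree always yields the same layer digest, which is what makes image digests meaningful for supply-chain checks.

```python
import hashlib
import io
import json
import os
import tarfile
import tempfile


def build_layer_tar(root: str) -> bytes:
    """Pack a directory subtree into a reproducible (uncompressed) tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()                       # fixed traversal order
            for name in sorted(dirnames + filenames):
                full = os.path.join(dirpath, name)
                info = tar.gettarinfo(full, arcname=os.path.relpath(full, root))
                info.mtime = 0                    # normalize timestamps/ownership
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                if info.isfile():
                    with open(full, "rb") as fh:
                        tar.addfile(info, fh)
                else:
                    tar.addfile(info)
    return buf.getvalue()


def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_image(root: str, out_dir: str) -> dict:
    """Write layer blob, config and manifest under out_dir/blobs/sha256/<hex>."""
    layer = build_layer_tar(root)
    layer_digest = sha256_digest(layer)
    config = {
        "architecture": "amd64",
        "os": "linux",
        "config": {"Entrypoint": ["/bin/sh"]},
        # layer is uncompressed, so its DiffID equals the blob digest
        "rootfs": {"type": "layers", "diff_ids": [layer_digest]},
    }
    config_bytes = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    config_digest = sha256_digest(config_bytes)
    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                   "digest": config_digest, "size": len(config_bytes)},
        "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar",
                    "digest": layer_digest, "size": len(layer)}],
    }
    blobs = os.path.join(out_dir, "blobs", "sha256")
    os.makedirs(blobs, exist_ok=True)
    for digest, data in ((layer_digest, layer), (config_digest, config_bytes)):
        with open(os.path.join(blobs, digest.split(":", 1)[1]), "wb") as fh:
            fh.write(data)
    with open(os.path.join(out_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(out_dir, "oci-layout"), "w") as fh:
        json.dump({"imageLayoutVersion": "1.0.0"}, fh)
    return manifest


def verify_blobs(out_dir: str) -> bool:
    """Content addressing is the integrity check: each blob must hash to its name."""
    blobs = os.path.join(out_dir, "blobs", "sha256")
    for name in os.listdir(blobs):
        with open(os.path.join(blobs, name), "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != name:
                return False
    return True


def make_sample_rootfs(root: str) -> None:
    """Constructed sample tree: a fake /bin/sh script and one /etc file."""
    os.makedirs(os.path.join(root, "bin"), exist_ok=True)
    os.makedirs(os.path.join(root, "etc"), exist_ok=True)
    with open(os.path.join(root, "bin", "sh"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho hello from a hand-built image\n")
    with open(os.path.join(root, "etc", "hostname"), "wb") as fh:
        fh.write(b"handmade\n")


def demo() -> dict:
    """Build the sample image twice and report whether the result is reproducible."""
    with tempfile.TemporaryDirectory() as d:
        root = os.path.join(d, "rootfs")
        make_sample_rootfs(root)
        m1 = build_image(root, os.path.join(d, "img1"))
        m2 = build_image(root, os.path.join(d, "img2"))
        return {"layer_digest": m1["layers"][0]["digest"],
                "reproducible": m1 == m2,
                "verified": verify_blobs(os.path.join(d, "img1")),
                "layer_count": len(m1["layers"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Nothing here ran a process in a namespace or touched a container runtime; an image is a set of blobs plus JSON that points at them, and a consumer verifies it by rehashing, which is exactly why build reproducibility matters when you want two parties to agree on a digest.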