On Thu, Mar 8, 2018 at 11:44 AM, R0b0t1 <r030t1@×××××.com> wrote:
>
> I think I was equating containers to Docker as well. My point was
> instead of trying to manage dependencies, containers allow people to
> shove everything into an empty root with no conflicts. The
> enthusiastic blog post seems to restate this.
>

That is one of many things they can do. You can also run a service
like apache in a container even if it is installed in the same root
filesystem as all your other applications. (In fact, I think this is
sort-of the default behavior if you start apache with the systemd unit
supplied.)

Ultimately on linux the governing functionality is kernel namespaces
and chroot (and I guess you might lump in chuid). Kernel namespaces
involve the various types of namespaces themselves, and then the
clone/setns/unshare system calls. There are a lot of things you can
do with various applications of these, and you don't have to run a
process in every possible separated namespace.

I mention it mainly because people tend to limit themselves by
thinking that container=docker, when linux provides a number of system
calls that administrators can employ to do useful things, and you
don't need any kind of fancy management system to use any of them, any
more than you need any fancy tools to run chroot.

If you have util-linux installed then try running (as any user - you
don't have to be root):
unshare -i -m -n -p -u -C -f --mount-proc -U -r /bin/bash

Congrats. You are now root in a container. You're in the same root
filesystem as always. You'll note that you can't actually see
anything that you couldn't see before. If you run ps -ea you'll see
that you're the only process running on the system. Devices like
/dev/sda aren't actually accessible. A lot of container managers
would mount a new /dev and just hide most of that stuff. You can
probably imagine how something like this could be useful for isolating
processes. Try mounting a tmpfs somewhere - you'll see you can do it.
The tmpfs will be invisible to other processes though that aren't
inside the container.

-- 
Rich
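Added example, not part of Rich's message: a POSIX sh script that checks the three observations above (a separate mount namespace, a near-empty process table, a tmpfs the parent cannot see) non-interactively, using the subset `-U -r -m -p -f --mount-proc` of the flags he lists. It assumes util-linux's unshare(1) and mount(8) are installed and that the kernel permits unprivileged user namespaces; where the kernel or a sandbox refuses, each probe reports "unsupported" instead of failing.

```shell
#!/bin/sh
# Added example (not from the original message). Probes the isolation
# that the unshare invocation above provides, from a script rather than
# an interactive shell. Assumes util-linux's unshare(1) and mount(8);
# user namespaces must be enabled, otherwise probes say "unsupported".

# Run a command as mapped-root in a fresh user, mount and pid namespace
# with its own /proc. Non-zero exit when the kernel refuses.
in_container() {
    unshare -U -r -m -p -f --mount-proc sh -c "$1" 2>/dev/null
}

# Compare the caller's mount-namespace id with the one seen inside.
# Prints "isolated", "same" or "unsupported".
mount_ns_status() {
    outer=$(readlink /proc/self/ns/mnt)
    inner=$(in_container 'readlink /proc/self/ns/mnt') \
        || { echo unsupported; return 0; }
    if [ -n "$inner" ] && [ "$inner" != "$outer" ]; then
        echo isolated
    else
        echo same
    fi
}

# Count numeric entries in the container's /proc. Only the shell and
# its two probe processes exist there, so the result is at most 3.
inner_pid_count() {
    in_container 'ls /proc | grep -c "^[0-9]"' || echo 0
}

# Mount a tmpfs inside and create a file on it; the parent must see
# neither the mount nor the file. Prints "hidden", "leaked", "unsupported".
tmpfs_visibility() {
    dir=$(mktemp -d) || return 1
    in_container "mount -t tmpfs none '$dir' && touch '$dir/inside' \
        && grep -q ' $dir ' /proc/mounts" \
        || { rmdir "$dir"; echo unsupported; return 0; }
    if grep -q " $dir " /proc/self/mounts || [ -e "$dir/inside" ]; then
        echo leaked
    else
        echo hidden
    fi
    rmdir "$dir"
}

printf 'mount namespace: %s\n' "$(mount_ns_status)"
printf 'pids visible inside: %s\n' "$(inner_pid_count)"
printf 'tmpfs mounted inside: %s\n' "$(tmpfs_visibility)"
```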