| 1 |
On Thu, Mar 8, 2018 at 11:44 AM, R0b0t1 <r030t1@×××××.com> wrote: |
| 2 |
> |
| 3 |
> I think I was equating containers to Docker as well. My point was |
| 4 |
> instead of trying to manage dependencies, containers allow people to |
| 5 |
> shove everything into an empty root with no conflicts. The |
| 6 |
> enthusiastic blog post seems to restate this. |
| 7 |
> |
| 8 |
|
| 9 |
That is one of many things they can do. You can also run a service |
| 10 |
like apache in a container even if it is installed in the same root |
| 11 |
filesystem as all your other applications. (In fact, I think this is |
| 12 |
sort-of the default behavior if you start apache with the systemd unit |
| 13 |
supplied.) |
| 14 |
|
| 15 |
Ultimately on linux the governing functionality are kernel namespaces |
| 16 |
and chroot (and I guess you might lump in chuid). Kernel namespaces |
| 17 |
involve the various types of namespaces themselves, and then the |
| 18 |
clone/setns/unshare system calls. There are a lot of things you can |
| 19 |
do with various applications of these, and you don't have to run a |
| 20 |
process in every possible separated namespace. |
| 21 |
|
| 22 |
I mention it mainly because people tend to limit themselves by |
| 23 |
thinking that container=docker, when linux provides a number of system |
| 24 |
calls that administrators can employ to do useful things, and you |
| 25 |
don't need any kind of fancy management system to use any of them, any |
| 26 |
more than you need any fancy tools to run chroot. |
| 27 |
|
| 28 |
If you have util-linux installed then try running (as any user - you |
| 29 |
don't have to be root): |
| 30 |
unshare -i -m -n -p -u -C -f --mount-proc -U -r /bin/bash |
| 31 |
|
| 32 |
Congrats. You are now root in a container. You're in the same root |
| 33 |
filesystem as always. You'll note that you can't actually see |
| 34 |
anything that you couldn't see before. If you run ps -ea you'll see |
| 35 |
that you're the only process running on the system. Devices like |
| 36 |
/dev/sda aren't actually accessible. A lot of container managers |
| 37 |
would mount a new /dev and just hide most of that stuff. You can |
| 38 |
probably imagine how something like this could be useful for isolating |
| 39 |
processes. Try mounting a tmpfs somewhere - you'll see you can do it. |
| 40 |
The tmpfs will be invisible to other processes though that aren't |
| 41 |
inside the container. |
| 42 |
|
| 43 |
-- |
| 44 |
Rich |
Archives