[HN Gopher] Learning containers from the bottom up
       ___________________________________________________________________
        
       Learning containers from the bottom up
        
       Author : notkaiho
       Score  : 82 points
       Date   : 2021-11-18 13:22 UTC (1 days ago)
        
 (HTM) web link (iximiuz.com)
 (TXT) w3m dump (iximiuz.com)
        
       | kodah wrote:
       | This is a great article.
       | 
       | I disagree with this:
       | 
       | > Now, when you have a decent understanding of containers - from
       | both the implementation and usage standpoints - it's time to tell
       | you the truth. Containers aren't Linux processes!
       | 
       | This is a bit of wordplay, I'm assuming, in absence of a word
       | that defines the operating system features that power the
        | _concept of containers_. To Linux, there is no (to my knowledge)
        | concept of a "container". The container runtime runs your
        | process(es) as the parent and uses the operating system's features
       | to isolate it and restrict it/them. A virtual machine would just
       | be a full emulated version of this, rather than using the
       | operating system to virtualize the network stack. The author is
        | right in that there is no such thing as a _container_, but only
        | as much as _containing is a thing you do_, imo. What users think
       | of containers are still just processes though, and I don't think
       | that's an entirely useless abstraction to be cognizant of.
        
         | spenrose wrote:
         | > The author is right in that there is no such thing as a
         | container, but only as much as containing is a thing you do,
         | imo. What users think of containers are still just processes
         | though, and I don't think that's an entirely useless
         | abstraction to be cognizant of.
         | 
         | Fantastic distillation. Thank you!
        
         | jjtheblunt wrote:
          | Why not think of them as a process (group) spawned with a
          | particular parent process setup, in particular the cgroups etc.
          | configuration affecting isolation?
        
         | otterley wrote:
         | I would go even further - containers are process trees. They
         | just happen to be process trees with the following attributes:
         | (a) they (usually) have separate namespaces
         | (network/pid/uts/cgroups/mount); (b) they (usually) have
         | dropped capabilities; and (c) they (usually) are in cgroups
         | that have resource reservations and/or limits.
         | 
         | Under the hood, that's all containers are!
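
        An added example, not code from the original post or from
        iximiuz.com, that assembles exactly the three ingredients otterley
        lists with nothing but the Go standard library: the child is
        cloned into fresh pid/mnt/uts/net/cgroup namespaces, dropped into
        a cgroup v2 subtree with a memory limit, stripped of a few
        capabilities in its bounding set, and then exec'd. The hostname
        "minicontainer", the cgroup path /sys/fs/cgroup/minicontainer, the
        64M limit and the chosen capability numbers are assumptions for the
        demo. It must run as root on Linux with cgroup v2 mounted.

```go
// Added example (not from the original post or iximiuz.com): a minimal
// "container" from namespaces + cgroup + dropped capabilities.
// Usage (as root, Linux, cgroup v2):  go run minicontainer.go run /bin/sh
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"strings"
	"syscall"
)

const cloneNewCgroup = 0x02000000 // CLONE_NEWCGROUP, missing from older syscall tables
const prCapBsetDrop = 24          // PR_CAPBSET_DROP from <linux/prctl.h>

// Namespace names accepted by CloneFlags, mapped to clone(2) flags.
var nsFlags = map[string]uintptr{
	"pid": syscall.CLONE_NEWPID, "mnt": syscall.CLONE_NEWNS, "uts": syscall.CLONE_NEWUTS,
	"net": syscall.CLONE_NEWNET, "cgroup": cloneNewCgroup,
}

// CloneFlags turns a list such as "pid,mnt,uts" into clone(2) flags.
func CloneFlags(list string) (uintptr, error) {
	var flags uintptr
	for _, name := range strings.Split(list, ",") {
		f, ok := nsFlags[strings.TrimSpace(name)]
		if !ok {
			return 0, fmt.Errorf("unknown namespace %q", name)
		}
		flags |= f
	}
	return flags, nil
}

// ParseCapMask extracts a hexadecimal capability mask ("CapEff", "CapBnd", ...)
// from the text of /proc/<pid>/status.
func ParseCapMask(status, field string) (uint64, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, field+":") {
			return strconv.ParseUint(strings.TrimSpace(strings.TrimPrefix(line, field+":")), 16, 64)
		}
	}
	return 0, errors.New("no " + field + " line in status")
}

// DropMask returns mask with the given capability numbers cleared; it is the
// pure counterpart of dropBounding, so the arithmetic can be unit-tested.
func DropMask(mask uint64, caps ...uint) uint64 {
	for _, c := range caps {
		mask &^= 1 << c
	}
	return mask
}

// dropBounding removes capabilities from the bounding set, so a later exec
// cannot regain them through file capabilities or setuid binaries.
func dropBounding(caps ...uint) error {
	for _, c := range caps {
		if _, _, e := syscall.RawSyscall(syscall.SYS_PRCTL, prCapBsetDrop, uintptr(c), 0); e != 0 {
			return e
		}
	}
	return nil
}

// joinCgroup moves the calling process into a new cgroup v2 subtree with a
// memory limit (the memory controller must be enabled in the parent's
// cgroup.subtree_control; path and limit are assumptions for the demo).
func joinCgroup(name, memMax string) error {
	dir := filepath.Join("/sys/fs/cgroup", name)
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(dir, "memory.max"), []byte(memMax), 0o644); err != nil {
		return err
	}
	// The kernel resolves the pid in the writer's own pid namespace.
	return os.WriteFile(filepath.Join(dir, "cgroup.procs"), []byte(strconv.Itoa(os.Getpid())), 0o644)
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	switch {
	case len(os.Args) > 2 && os.Args[1] == "run":
		// Parent: re-exec ourselves as "child" inside fresh namespaces.
		flags, err := CloneFlags("pid,mnt,uts,net,cgroup")
		must(err)
		cmd := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[2:]...)...)
		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
		cmd.SysProcAttr = &syscall.SysProcAttr{Cloneflags: flags}
		if err := cmd.Run(); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	case len(os.Args) > 2 && os.Args[1] == "child":
		// Child: PID 1 of the new pid namespace. Own hostname, own /proc view
		// (after making mounts private so nothing leaks to the host), a cgroup
		// limit, and a smaller bounding set; then become the requested command.
		must(syscall.Sethostname([]byte("minicontainer")))
		must(syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, ""))
		must(syscall.Mount("proc", "/proc", "proc", 0, ""))
		must(joinCgroup("minicontainer", "64M"))
		must(dropBounding(21 /* CAP_SYS_ADMIN */, 12 /* CAP_NET_ADMIN */, 16 /* CAP_SYS_MODULE */))
		status, err := os.ReadFile("/proc/self/status")
		must(err)
		bnd, err := ParseCapMask(string(status), "CapBnd")
		must(err)
		fmt.Fprintf(os.Stderr, "bounding set after drop: %#x\n", bnd)
		must(syscall.Exec(os.Args[2], os.Args[2:], os.Environ()))
	default:
		fmt.Fprintf(os.Stderr, "usage: %s run <cmd> [args...]\n", os.Args[0])
		os.Exit(2)
	}
}
```

        Inside the resulting shell, `hostname`, `ps` and `ip link` show the
        per-namespace view, `cat /proc/self/status` shows the reduced
        CapBnd, and allocating past 64M gets the process OOM-killed. It is
        still just a process tree on the host: `ps -ef` there lists the
        shell with its real pid, which is the point otterley makes.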
        
       | kuizu wrote:
       | A nice blog series explaining in detail each Linux kernel
       | mechanism making up containers:
       | https://www.schutzwerk.com/en/43/posts/linux_container_intro...
        
         | otterley wrote:
         | Agreed - this is a far more comprehensive, logical, and
         | technically correct explanation of how containers work under
         | the hood.
        
       ___________________________________________________________________
       (page generated 2021-11-19 23:00 UTC)