[HN Gopher] Learning containers from the bottom up

Author : notkaiho
Score  : 82 points
Date   : 2021-11-18 13:22 UTC (1 day ago)
Link   : iximiuz.com

| kodah wrote:
| This is a great article.
|
| I disagree with this:
|
| > Now, when you have a decent understanding of containers - from
| > both the implementation and usage standpoints - it's time to tell
| > you the truth. Containers aren't Linux processes!
|
| This is a bit of wordplay, I'm assuming, in absence of a word that
| defines the operating system features that power the _concept of
| containers_. To Linux, there is no (to my knowledge) concept of a
| "container". The container runtime runs your process(es) as the
| parent and uses the operating system's features to isolate it and
| restrict it/them. A virtual machine would just be a full emulated
| version of this, rather than using the operating system to
| virtualize the network stack. The author is right in that there is
| no such thing as a _container_, but only as much as _containing is
| a thing you do_, imo. What users think of containers are still
| just processes though, and I don't think that's an entirely useless
| abstraction to be cognizant of.

| spenrose wrote:
| > The author is right in that there is no such thing as a
| > container, but only as much as containing is a thing you do,
| > imo. What users think of containers are still just processes
| > though, and I don't think that's an entirely useless abstraction
| > to be cognizant of.
|
| Fantastic distillation. Thank you!

| jjtheblunt wrote:
| Why not think of them as a process (group) spawned with a
| particular parent process setup, in particular the cgroups etc.
| configuration effecting isolation.

| otterley wrote:
| I would go even further - containers are process trees. They just
| happen to be process trees with the following attributes:
| (a) they (usually) have separate namespaces
| (network/pid/uts/cgroups/mount); (b) they (usually) have dropped
| capabilities; and (c) they (usually) are in cgroups that have
| resource reservations and/or limits.
|
| Under the hood, that's all containers are!

| kuizu wrote:
| A nice blog series explaining in detail each Linux kernel
| mechanism making up containers:
| https://www.schutzwerk.com/en/43/posts/linux_container_intro...

| otterley wrote:
| Agreed - this is a far more comprehensive, logical, and technically
| correct explanation of how containers work under the hood.

(page generated 2021-11-19 23:00 UTC)
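An added example, not code from the thread, from the linked article or from any container runtime: a small Python script that measures the three attributes otterley lists (unshared namespaces, dropped capabilities, cgroup membership) for a process by reading /proc, comparing it with pid 1 as the "host" reference. The pure functions take file text so the constructed sample runs offline; `inspect_pid()` reads a live pid on Linux. In the sample, the CapEff mask a80425fb is the one a default Docker container shows; the pid numbers, cgroup path and namespace inodes are made up. The capability table assumes the 41 capabilities of Linux 5.9, and any higher bits are reported as unknown rather than silently ignored.

```python
"""Added example (not from the thread or the linked article): report the
namespaces, capabilities and cgroup of a process from /proc."""
import os

# Capability bit numbers from linux/capability.h, 0..40 as of Linux 5.9.
# Assumption: a newer kernel may define bits this table does not know.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
# Namespace links under /proc/<pid>/ns/ that a runtime normally unshares.
NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

def decode_caps(mask_hex):
    """Names for the set bits of a CapEff/CapBnd hex mask, lowest bit first."""
    mask = int(mask_hex, 16)
    names = [n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1]
    if mask >> len(CAP_NAMES):   # bits beyond the table: kernel newer than it
        names.append("unknown_bits")
    return names

def dropped_caps(mask_hex):
    """Capabilities absent from the mask, i.e. what the runtime dropped."""
    held = set(decode_caps(mask_hex))
    return [n for n in CAP_NAMES if n not in held]

def parse_status(text):
    """Capability masks and NSpid from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and (key.startswith("Cap") or key == "NSpid"):
            fields[key] = value.strip()
    return fields

def in_child_pid_ns(status_fields):
    """NSpid holds one pid per pid namespace the process is visible from;
    more than one entry means it lives in a nested pid namespace."""
    return len(status_fields.get("NSpid", "").split()) > 1

def parse_cgroup(text):
    """/proc/<pid>/cgroup lines are 'hierarchy:controllers:path'."""
    return [tuple(line.split(":", 2)) for line in text.splitlines() if line]

def in_root_cgroup(entries):
    """True when no hierarchy places the process below the root cgroup '/'."""
    return all(path == "/" for _, _, path in entries)

def differing_namespaces(ns_a, ns_b):
    """Namespace kinds whose link target (inode) differs between two pids."""
    return [k for k in NS_KINDS
            if k in ns_a and k in ns_b and ns_a[k] != ns_b[k]]

def read_namespaces(pid):
    """Live read of /proc/<pid>/ns/* link targets such as 'net:[4026531992]'."""
    out = {}
    for kind in NS_KINDS:
        try:
            out[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:          # kind not supported here, or no permission
            pass
    return out

def summarize(status_text, cgroup_text, ns_proc, ns_ref):
    """The three attributes, measured against a reference process (pid 1)."""
    status = parse_status(status_text)
    return {
        "unshared_namespaces": differing_namespaces(ns_proc, ns_ref),
        "nested_pid_ns": in_child_pid_ns(status),
        "dropped_caps": dropped_caps(status.get("CapEff", "0")),
        "in_root_cgroup": in_root_cgroup(parse_cgroup(cgroup_text)),
    }

def inspect_pid(pid, reference_pid=1):
    """Run the checks on a live pid (Linux only; needs read access to /proc)."""
    with open(f"/proc/{pid}/status") as f:
        status_text = f.read()
    with open(f"/proc/{pid}/cgroup") as f:
        cgroup_text = f.read()
    return summarize(status_text, cgroup_text,
                     read_namespaces(pid), read_namespaces(reference_pid))

# Constructed sample: CapEff a80425fb is the mask a default Docker container
# shows; NSpid says the process is pid 1 inside its own pid namespace; the
# cgroup v2 scope path and the namespace inodes are made up for the example.
SAMPLE_STATUS = ("Name:\tsh\nNSpid:\t4242\t1\nCapPrm:\t00000000a80425fb\n"
                 "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n")
SAMPLE_CGROUP = "0::/user.slice/example-container.scope\n"
SAMPLE_NS_PROC = {"mnt": "mnt:[4026532600]", "net": "net:[4026532603]",
                  "pid": "pid:[4026532601]", "uts": "uts:[4026532599]",
                  "user": "user:[4026531837]"}
SAMPLE_NS_REF = {"mnt": "mnt:[4026531840]", "net": "net:[4026531992]",
                 "pid": "pid:[4026531836]", "uts": "uts:[4026531838]",
                 "user": "user:[4026531837]"}

if __name__ == "__main__":
    print(summarize(SAMPLE_STATUS, SAMPLE_CGROUP, SAMPLE_NS_PROC, SAMPLE_NS_REF))
```

On a Linux host, `inspect_pid(pid)` gives the same report for a real process. A result with an empty `unshared_namespaces` list, `nested_pid_ns` false, nothing in `dropped_caps` and `in_root_cgroup` true is a plain process, whatever the tool that started it calls itself. The sample deliberately shares the user namespace with pid 1, which is the common default: uid 0 inside such a container is uid 0 on the host, with only the dropped capabilities and the other namespaces standing between it and the host.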