Confinement
Namespaces
Allow partitioning kernel resources into separate views (namespaces).
Processes in a namespace have a restricted view of the system.
Activated by an ordinary process through three syscalls:
clone: creates a child process in the new namespace(s) selected by its flags.
unshare: detaches the calling process from its current namespaces (context) into new ones.
setns: joins the calling process to an existing namespace.
Types of namespaces:
mount: mount points (each namespace has its own mount table).
pid: process ids; the first process in the namespace has pid 1.
network: "independent" network stack (routes, interfaces, ...).
ipc: inter-process communication objects.
uts: hostname/domain name independence (DNS).
user: user ids; segregation of privileges.
cgroup: limits on resource usage (memory, CPU, ...).
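The unshare syscall and the uts namespace from the list above, as an added example written for this page (not code from the original slides): an unprivileged process forks a child that leaves its user and UTS namespaces, renames the host as seen from inside, and the parent verifies that its own view did not change. Namespace creation may be refused by kernel configuration or sandbox policy, which the code reports as a separate outcome; CHILD_HOSTNAME is a constructed value.

```c
#define _GNU_SOURCE            /* exposes unshare() and the CLONE_NEW* flags */
#include <errno.h>
#include <sched.h>
#include <string.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHILD_HOSTNAME "ns-demo"   /* constructed name set inside the new namespace */
enum { UTS_ISOLATED = 0, UTS_DENIED = 1, UTS_ERROR = 2 };  /* demo outcomes */

/* Body of the forked child: leave the parent's user and UTS namespaces,
 * rename the "host" as seen from inside, and report via the exit status. */
static int child_main(void)
{
    /* CLONE_NEWUSER first: inside the new user namespace the process holds
     * CAP_SYS_ADMIN, which lets an unprivileged user also take a new UTS
     * namespace in the same call and then change its hostname. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWUTS) == -1) {
        /* no user namespaces, sysctl/seccomp/LSM policy, or nesting limits */
        if (errno == EPERM || errno == EACCES || errno == EINVAL ||
            errno == ENOSPC || errno == EUSERS)
            return UTS_DENIED;
        return UTS_ERROR;
    }
    if (sethostname(CHILD_HOSTNAME, strlen(CHILD_HOSTNAME)) == -1)
        return UTS_ERROR;
    struct utsname inside;
    if (uname(&inside) == -1 || strcmp(inside.nodename, CHILD_HOSTNAME) != 0)
        return UTS_ERROR;              /* rename did not take effect */
    return UTS_ISOLATED;
}

/* Fork a child that unshares its UTS namespace, then verify from the parent
 * that the child's hostname change did not leak into the original namespace. */
int demo_uts_isolation(void)
{
    struct utsname before, after;
    if (uname(&before) == -1) return UTS_ERROR;
    pid_t pid = fork();
    if (pid == -1) return UTS_ERROR;
    if (pid == 0) _exit(child_main());
    int status;
    if (waitpid(pid, &status, 0) == -1) return UTS_ERROR;
    if (WIFSIGNALED(status)) return UTS_DENIED;   /* e.g. seccomp SIGSYS kill */
    if (uname(&after) == -1 || strcmp(before.nodename, after.nodename) != 0)
        return UTS_ERROR;              /* leaked: the parent's view changed */
    return WEXITSTATUS(status);
}

int main(void) { return demo_uts_isolation(); }  /* 0 = isolated, 1 = denied */
```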
Containers
Exploit namespaces to give processes a virtual view of the system.
Network isolation, cgroups, user ids, mounts, etc.
Processes run inside a container.
A container is a user-space (application-level) construct, not a kernel object.
It consists of an environment built by composing namespaces.
Requires bridging to the host's real network interfaces and proxy processes.
Relevant approaches:
LXC (LinuX Containers): focus on a complete virtualized environment;
an evolution of OpenVZ.
Docker: focus on running isolated applications from a portable package shared between systems;
uses LXC.