# OS Support

Linux does not have support for containers.

* The kernel does not recognize the concept of containers.

**Containers are a set of configurations that define an environment** that is applied to a process (and its children).

* **Namespaces:** isolation and virtualization of the resources seen by each tenant.
* **Cgroups:** control of the resources each tenant may consume (CPU, RAM, I/O).

## Underlying technologies

* Namespaces
  * mnt, pid, net, ipc, uts/hostname, user IDs.
* Cgroups
  * cpu, memory, disk I/O (resource management).
* AppArmor, SELinux
  * Security / access control.
* Seccomp
  * Computation isolation (filtering of the system calls a process may make).
* chroot
  * File system isolation.

### Namespaces

The **mechanism used to isolate and virtualize the system's resources**.

* Processes in a namespace can't see the resources outside it.
  * They see their namespace as if it were the whole host.

**Network namespace**

* A mechanism that allows the creation of network resources that are almost fully independent of the host's.
  * Network interfaces, routing tables.
* A network interface can only belong to a single namespace.

**PID namespace**

* A restricted namespace with private process identifiers.
  * Host processes are invisible.

### Cgroups

The mechanism used to **restrict or monitor the quantity of resources used by *"control groups"* of processes**.

* Processes can be organized into groups so that their access to resources is controlled per group.
  * Example: CPU scheduling control.
    * Limit the CPU time a group of processes may consume.
  * Other uses:
    * Memory, I/O, pids, ...
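As an added example covering both the namespace and cgroup sections above (not part of these notes), a small Python inspector: it compares the namespace inodes the kernel exposes under `/proc/<pid>/ns/` to report which namespaces a process still shares with PID 1, and decodes cgroup v2 `cpu.max` / `memory.max` limits. The `HOST_INIT` and `CONTAINER` link values are constructed samples, not taken from a real system.

```python
import os

NS_KINDS = ("mnt", "pid", "net", "ipc", "uts", "user", "cgroup")  # kinds under /proc/<pid>/ns/

def parse_ns_links(links):
    """readlink() targets such as 'pid:[4026531836]' -> {kind: inode}; equal inodes mean same namespace."""
    out = {}
    for kind, target in links.items():
        name, _, rest = target.partition(":[")
        if name != kind or not rest.endswith("]") or not rest[:-1].isdigit():
            raise ValueError(f"unexpected ns link for {kind}: {target!r}")
        out[kind] = int(rest[:-1])
    return out

def shared_namespaces(a, b):
    """Namespace kinds two processes have in common (same inode)."""
    return {k for k in a if k in b and a[k] == b[k]}

def read_ns_links(pid):
    """Live read of /proc/<pid>/ns/* (Linux only); PermissionError for pids you may not ptrace."""
    base = f"/proc/{pid}/ns"
    return {k: os.readlink(f"{base}/{k}") for k in os.listdir(base) if k in NS_KINDS}

def parse_cpu_max(value):
    """cgroup v2 cpu.max: '<quota> <period>' in microseconds, or 'max <period>'. Share of a core or None."""
    quota, period = value.split()
    return None if quota == "max" else int(quota) / int(period)

def parse_memory_max(value):
    """cgroup v2 memory.max: byte count or 'max'. Returns bytes, or None when unlimited."""
    value = value.strip()
    return None if value == "max" else int(value)

# Constructed sample values (not from a real system): what readlink on /proc/1/ns/*
# and on a containerised process's /proc/<pid>/ns/* might return.
HOST_INIT = {"mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]",
             "net": "net:[4026531992]", "uts": "uts:[4026531838]"}
CONTAINER = {"mnt": "mnt:[4026532451]", "pid": "pid:[4026532454]",
             "net": "net:[4026531992]", "uts": "uts:[4026532452]"}

if __name__ == "__main__":
    shared = shared_namespaces(parse_ns_links(HOST_INIT), parse_ns_links(CONTAINER))
    print("sample container shares with init:", sorted(shared))  # ['net']: it runs on host networking
    print("cpu.max '50000 100000' allows", parse_cpu_max("50000 100000"), "of a core")
    if os.path.isdir("/proc/self/ns"):  # live check; PID 1's links need root or CAP_SYS_PTRACE
        try:
            mine, init = parse_ns_links(read_ns_links("self")), parse_ns_links(read_ns_links(1))
            print("this process shares with PID 1:", sorted(shared_namespaces(mine, init)))
        except PermissionError as err:
            print("cannot compare with PID 1:", err)
```

A process that shares `net` or `pid` with PID 1 is not isolated in that dimension, whatever its container runtime claims; the same comparison against a runtime's `--pid=host` style settings is how that is verified from inside the system.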
