Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

How would you describe a linux container in one sentence? I'm working with them for some years already, but I'm still struggling with a consceise description aimed for e.g. fresh CS undergrads.


"A Linux container is just a process that runs in a context where it thinks it exists in isolation, usually with some resource limits applied."

If you wanted the more "fundamental" explanation, rather than a "how to use them" explanation.


How about: "There is no such thing as a 'Linux container.'"

Followed by: "Now let's talk about namespaces and cgroups."


Correct, you grok it! Only Solaris and illumos kernels have true containers (resource limits) optionally applied to zones (virtualized OS instances providing full blown UNIX servers) running at bare metal speed as a bunch of processes in the global zone. FreeBSD jails come close (they were the inspiration for zones), but are more akin to chrooted jails than containers. Nowadays they are conceptually more like zones than they were in the beginning.


I've tried through a joke:

> This doesn't build.

> Well it works on _my_ machine.

> Fine, then we ship _your_ machine.


There is the idea of "high level concepts", concepts that build on top of other concepts. So it's probably impossible to explain without some insight knowledge into operating systems, programming, multi processing, security, packaging, CS history, etc.

Explaining it to undergrads would therefore require a "model", i.e. an abstraction of the reality that simplifies what is really there, but is still apllicable to make predictions about outcomes in the real world.

So I would start with analysing how I would explain unix user management to a newby who didn't learn filesystems yet. Then transfer some of that thinking to processes instead of files. E.g. this process doing X and that process doing Y shouldn't conflict with each other but might get problems when they both try Z. Therefore they need to be separated in an abstract way. And that's what namespaces are for. yadda yadda.

Another approach might be taking ideas from explaining virtual memory to newbies. I.e. each process has their own virtual filesystem, their own virtual network, and the underlying operating system will figure out how to make things work out without conflicts (if possible).


"Container" means two related but different things nowadays: (1) an abstraction to group some processes and give them their own pid, fs, and network spaces; and (2) an archive that contains some application(s) and everything that's required to run them (minus the kernel), plus metadata on what it is and what it requires from the host kernel to actually run.


A container has to be 1, but can be 2


"A Linux container is a way to run multiple distros on the same kernel at once."

Then define distro to be all of the user-space stuff in a Linux system: The init system, the libraries, the user-visible applications, and the data.

Then get into how it works, which is all namespaces: A namespace for the filesystem, a namespace for the networking stuff, and so on, including a namespace for RAM... which we don't usually think of as a namespace, but it's what the MMU does, and the kernel uses the MMU.

In short, separate what from how, and ensure they understand the what first.


A Linux container is a virtualization system that virtualizes the entire userspace, not the hardware itself (which is what standard VMs do).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: