
Containers

Containers are a (relatively) old technology that continues to improve. They evolved from the Unix “chroot” (change root) facility, which locks a process into a directory subtree: after the change of root, the process can only access files below that directory and cannot reach anything outside it. For example, if the Bind nameserver daemon is chrooted to “/var/bind”, it can read /var/bind/conf and other files under /var/bind, but nothing outside that tree. This was done to limit the damage a compromised service could do to the rest of the operating system: files such as /etc/passwd and /etc/shadow could not be accessed. Note that chroot alone is not a complete security boundary: a process that keeps root privileges inside a chroot can break out of it, so a chrooted daemon should also change its working directory into the jail before calling chroot and drop its privileges to an unprivileged user afterwards.
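The confinement pattern described above, written out as an added example (not code from the page or from Bind): the daemon changes directory into the jail, makes the jail its root, then drops root privileges, and a small probe shows what the jail hides. The jail directory and the uid/gid values are hypothetical stand-ins for a real service's settings; the jail itself is a constructed empty temporary directory, so running it as root shows /etc/passwd disappearing, while running it unprivileged shows chroot being refused.

```c
/* Added example (not from the page): the "confine, then drop privileges"
 * pattern a chrooted daemon such as a nameserver uses. The jail path and
 * the uid/gid used below are hypothetical values for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if `path` can be opened read-only from the process's current
 * view of the filesystem, 0 otherwise. Used to show what the jail hides. */
int can_open(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Lock the calling process into `jail` and give up root.
 * The order matters:
 *  1. chdir() into the jail first; otherwise the working directory stays
 *     outside the new root and ".." from it still leads out of the jail;
 *  2. chroot() to make the jail the process's "/";
 *  3. drop supplementary groups, then the gid, then the uid, because a
 *     process that stays root inside a chroot can create a nested chroot
 *     and walk out of the original one.
 * Returns 0 on success, or -errno on failure (-EPERM when not root). */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    if (chdir(jail) != 0)
        return -errno;
    if (chroot(jail) != 0)
        return -errno;
    if (chdir("/") != 0)            /* cwd is now the jail's root */
        return -errno;
    if (setgroups(0, NULL) != 0)
        return -errno;
    if (setgid(gid) != 0)
        return -errno;
    if (setuid(uid) != 0)
        return -errno;
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -EACCES;
    return 0;
}

int main(void)
{
    /* Constructed jail: an empty temporary directory standing in for
     * something like /var/bind. */
    char jail[] = "/tmp/jail.XXXXXX";
    if (mkdtemp(jail) == NULL) {
        perror("mkdtemp");
        return 1;
    }
    printf("before: /etc/passwd readable = %d\n", can_open("/etc/passwd"));

    int rc = confine(jail, 65534, 65534);   /* nobody/nogroup on most systems */
    if (rc != 0) {
        fprintf(stderr, "confine: %s (run as root to see the jail take effect)\n",
                strerror(-rc));
        return 1;
    }
    printf("after:  /etc/passwd readable = %d\n", can_open("/etc/passwd"));
    printf("after:  uid = %d, root confined to %s\n", (int)getuid(), jail);
    return 0;
}
```

Because the jail directory is empty, the "after" line prints `0` for /etc/passwd: the file still exists on the host, but it is no longer reachable from the process's new root. A real deployment would populate the jail with only the files the service needs (its configuration, zone files, any shared libraries it loads after startup), and nothing resembling /etc/shadow.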

BSD jails build on the chroot concept by also isolating the network: each jail has its own IP address, for example, and two jails on the same system that need to exchange data must do so over the network, as if they were separate hosts. A jail additionally restricts what the root user inside it may do, closing the escape routes that a plain chroot leaves open.

The BSD operating systems call this concept a jail, while the term container is used with Linux. Docker is one of the most prevalent container technologies, with an emphasis on large-scale orchestration. Docker describes containers this way: “A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings” [19].

Containers vs. Virtualization

You may be wondering: how are containers different from virtualization? The key distinction is that each virtual machine runs its own kernel. A hypervisor running three virtual machines means four kernels are running: one for the hypervisor (or its host operating system) and one for each VM. A host system running three containers means one kernel is running: the host's, which every container shares. Containers therefore require fewer resources than VMs, but they are also less isolated from a security standpoint. Container isolation is implemented by the shared kernel (on Linux, through namespaces, cgroups, capabilities and seccomp filters), so a kernel vulnerability reachable from inside one container can compromise the host and every other container on it, whereas escaping a VM requires defeating the hypervisor. FIG. 4.17, from the US Department of Energy’s Argonne National Laboratory, shows the difference between containers and virtual machines [20].

FIG. 4.17 Containers versus virtual machines (Argonne National Laboratory [20]).
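To make the shared-kernel point concrete, the following added example (not code from the page, Docker or Argonne) places a child process into fresh PID and UTS namespaces, the Linux kernel mechanism container runtimes build on, and compares what the child sees with what the parent sees. The child believes it is PID 1 and could set its own hostname, yet it reports exactly the same kernel release as the host, because there is only one kernel. The example is Linux-only and needs CAP_SYS_ADMIN (normally root) to create namespaces; without that privilege the clone call is refused and the program says so.

```c
/* Added example (not from the page): a process in its own PID and UTS
 * namespaces still runs on the host's kernel. Linux-only; creating the
 * namespaces needs CAP_SYS_ADMIN. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the child observed from inside its namespaces. */
struct probe {
    pid_t pid_seen;      /* getpid() inside the new PID namespace */
    char release[65];    /* kernel release reported inside */
};

/* Runs inside the new namespaces and records its view of the world. */
static int child(void *arg)
{
    struct probe *p = arg;
    struct utsname u;
    p->pid_seen = getpid();
    if (uname(&u) == 0)
        snprintf(p->release, sizeof p->release, "%s", u.release);
    return 0;
}

/* Run child() in fresh PID and UTS namespaces. CLONE_VM shares memory so
 * the parent can read the probe the child filled in; the parent waits
 * for the child before touching it. Returns 0 on success, or -errno if
 * the namespaces could not be created (-EPERM without CAP_SYS_ADMIN). */
int run_in_namespaces(struct probe *p)
{
    static char stack[64 * 1024];   /* child stack; stacks grow down */
    memset(p, 0, sizeof *p);
    pid_t pid = clone(child, stack + sizeof stack,
                      CLONE_NEWPID | CLONE_NEWUTS | CLONE_VM | SIGCHLD, p);
    if (pid < 0)
        return -errno;
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    return 0;
}

/* Kernel release as seen by the caller, i.e. the "host" side. */
const char *host_release(char *buf, size_t n)
{
    struct utsname u;
    if (uname(&u) != 0)
        return NULL;
    snprintf(buf, n, "%s", u.release);
    return buf;
}

int main(void)
{
    struct probe p;
    char host[65];
    int rc = run_in_namespaces(&p);
    if (rc != 0) {
        fprintf(stderr, "clone: %s (creating namespaces needs CAP_SYS_ADMIN)\n",
                strerror(-rc));
        return 1;
    }
    printf("host      : pid=%d kernel=%s\n", (int)getpid(),
           host_release(host, sizeof host));
    printf("namespaced: pid=%d kernel=%s\n", (int)p.pid_seen, p.release);
    return 0;
}
```

The two kernel strings are identical, which is the whole security argument in miniature: a container's PID, hostname, mount and network views are private, but every system call it makes is served by the same kernel that serves the host, so a flaw in that kernel is a flaw in the isolation itself. A VM guest, by contrast, would print its own kernel release.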