Linux - Containers (LinuxQuestions.org forum)
Hi, I'm looking for a light, stable, secure, reliable Linux distro without systemd for containers. I'm going to run services like Nginx, PostgreSQL, ejabberd, and ZNC inside Linux containers. Is Alpine Linux a good choice?
Last edited by doskanoness; 10-07-2021 at 06:54 AM.
I agree. First, select a distro that very conveniently supports all of the services that you need. Then, "introduce containers to provide isolation."
All processes that "run inside a container" are in fact always running directly on the host, "while wearing rose-colored glasses." You have plenty of good options regarding the exact way that you want to set it all up – lxc/lxd, Docker®, and so on.
Last edited by sundialsvcs; 10-08-2021 at 02:56 PM.
Quote:
Originally Posted by sundialsvcs
All processes that "run inside a container" are in fact always running directly on the host
- Does that mean that containers don't have intermediate layers like virtual machines have, and therefore don't waste any noteworthy additional resources?
Can you put all kinds of software (programming frameworks, libraries, applications...) into containers?
The basic idea of a container is not to emulate hardware, but to modularise software with all its dependencies and to separate operating system files from other subsequently installed files?
Quote:
Originally Posted by a2326
- Does that mean that containers don't have intermediate layers like virtual machines have, and therefore don't waste any noteworthy additional resources?
Yes.
Quote:
Originally Posted by a2326
Can you put all kinds of software (programming frameworks, libraries, applications...) into containers?
Not really; those containers are used to run apps in a separate, isolated environment, without "knowing" about or accessing the other containers.
Quote:
Originally Posted by a2326
The basic idea of a container is not to emulate hardware, but to modularise software with all its dependencies and to separate operating system files from other subsequently installed files?
Containers provide the necessary illusions, needed to provide isolation, at a minimum of cost. The processes are actually running directly on the host, but, as I said, they are "wearing rose-colored glasses." They think that they see the filesystem, the network topology, their own user-ids (including: "I am running as root!"), etcetera, but none of it is actually true. (And: they don't care, because they don't have to.)
It actually requires very little system resources to maintain these illusions – drastically less than what is required to deploy a "virtual machine."
This concept also creates many advantages for the hosts. An entire industry has sprung up (e.g. "Rackspace") around "container hosting." Since the containerized guest never sees anything (that is actually real ...) about its host, and since it costs virtually nothing either to create a new container or to destroy one, this scenario is both very flexible and very "scalable." As long as those rose glasses never come off, the host can be almost anything. The host(s) can react in real time to ever-changing load patterns with remarkable flexibility: the guests, being "none the wiser," do not have to care.
"You say that you need to spin up a hundred new containers, right now?" Sure, no problem. As long as the host(s) actually has (have) the physical resources to run the new processes, the rest of it is just fiddling with internal OS data structures to create the required rose glasses. The host can pick whatever CPUs it pleases in order to do the job, and maybe even move the containers around!
Last edited by sundialsvcs; 11-18-2021 at 07:41 PM.
Without systemd? Devuan or Slackware (once v. 15 is released, as v. 14.2 is getting a bit long in the tooth, and I don't think -current would be a good candidate for this usage case, but that's just one person's opinion).
Does it make sense to outsource normal desktop applications into containers, or would it be overkill? It wouldn't be a good idea to put an application into a container that you can easily download and install with aptitude, but maybe it could be a good idea to put into a container an application that you have to install and configure manually, e.g. Eclipse IDE with a test server, libraries, etc.?
Quote:
Originally Posted by sundialsvcs
Containers provide the necessary illusions, needed to provide isolation, at a minimum of cost. The processes are actually running directly on the host, but, as I said, they are "wearing rose-colored glasses."
Does that mean containers don't offer an additional layer of security?
Linux containers can consist of a service container or a distribution instance.
A distribution instance is an entire small distribution running almost as if it were a full virtual guest (but on the same kernel as the host). A distribution container can run one or more services, and even have some degree of separate networking from the host.
A service instance is just the executable and support files to run a single service, but with process separation from the host for additional security.
Either is better security than running the same services natively on the host.
Quote:
Originally Posted by a2326
Does that mean containers don't offer an additional layer of security?
The isolation itself, as implemented in containers, means "a layer of security", but as has been mentioned several times, security depends on the users/admins, so it will also give additional possibilities to blunder something.
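Picking up the "rose-colored glasses" point from earlier in the thread and the question just above of whether containers add a layer of security: the following is an example I added for this thread (not code from any of the posters) that reads the two /proc formats a host admin would check to see what a container process really is from the host's side. The uid_map and status texts are constructed samples, not captured from a real system.

```python
# Added example (not posted by any member of this thread): what the host really
# sees of a process that believes it is "pid 1, running as root" in a container.
# Uses two real Linux /proc formats, /proc/<pid>/uid_map and the NSpid line of
# /proc/<pid>/status. The sample texts below are constructed, not captured.
from typing import List, Optional

def host_uid(uid_map: str, inner_uid: int) -> Optional[int]:
    """Host-side uid for a uid seen inside the user namespace. Each uid_map
    line is '<first id inside> <first id on host> <count>'. None = unmapped
    (the kernel then shows the overflow uid, normally 65534/nobody)."""
    for line in uid_map.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        inside, outside, count = (int(p) for p in parts)
        if inside <= inner_uid < inside + count:
            return outside + (inner_uid - inside)
    return None

def nspid_chain(status_text: str) -> List[int]:
    """Pids from the NSpid line, outermost (host) namespace first. A single
    entry means the process is in the host pid namespace, not a container."""
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(p) for p in line.split()[1:]]
    return []

def root_is_real(uid_map: str) -> bool:
    """True when uid 0 inside is uid 0 on the host: nothing but the other
    namespaces and capabilities stands between a container 'root' and the host."""
    return host_uid(uid_map, 0) == 0

# Constructed samples: an unprivileged container remaps root to host uid 100000;
# a privileged one keeps the kernel's identity mapping.
REMAPPED_MAP = "         0     100000      65536\n"
IDENTITY_MAP = "         0          0 4294967295\n"
NGINX_STATUS = "Name:\tnginx\nPid:\t23456\nNSpid:\t23456\t1\nNSpgid:\t23456\t1\n"

def describe(uid_map: str, status_text: str) -> str:
    """One-line host view of the process, for an audit script or a log line."""
    pids = nspid_chain(status_text)
    where = (f"host pid {pids[0]} is pid {pids[-1]} inside its container"
             if len(pids) > 1 else f"pid {pids[0]} is in the host pid namespace")
    who = ("'root' inside is REAL root on the host" if root_is_real(uid_map)
           else f"'root' inside is unprivileged host uid {host_uid(uid_map, 0)}")
    return f"{where}; {who}"
```

On a live host the same functions can be fed `open(f"/proc/{pid}/uid_map").read()` and `open(f"/proc/{pid}/status").read()` for each pid listed in /proc, which is exactly the "processes run directly on the host" point: they show up in the host's process table, just with a different uid and pid than they believe they have.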