LinuxQuestions.org
10-07-2021, 06:52 AM   #1
doskanoness
LQ Newbie
 
Registered: Oct 2021
Distribution: Arch Linux, Debian, OpenBSD
Posts: 14

Rep: Reputation: Disabled
Best distro for Linux containers


Hi, I'm looking for a light, stable, secure, reliable, and without systemd Linux distro for the containers. I'm going to run services like Nginx, PostgreSQL, ejabberd, ZNC inside the Linux containers. Is Alpine Linux a good choice?

Last edited by doskanoness; 10-07-2021 at 06:54 AM.
 
10-07-2021, 07:08 AM   #2
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,925

Rep: Reputation: 7320
[almost] Any distro is ok for running containers.
 
10-08-2021, 02:55 PM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,671
Blog Entries: 4

Rep: Reputation: 3945
I agree. First, select a distro that very conveniently supports all of the services that you need. Then, "introduce containers to provide isolation."

All processes that "run inside a container" are in fact always running directly on the host, "while wearing rose-colored glasses." You have plenty of good options regarding the exact way that you want to set it all up – lxc/lxd, Docker®, and so on.

Last edited by sundialsvcs; 10-08-2021 at 02:56 PM.
 
1 members found this post helpful.
11-18-2021, 06:34 AM   #4
a2326
Member
 
Registered: Oct 2012
Distribution: Debian
Posts: 49

Rep: Reputation: Disabled
Quote:
All processes that "run inside a container" are in fact always running directly on the host
- Does that mean that containers don't have intermediate layers like virtual machines have and therefore don't waste any noteworthy additional resources?

Can you put all kinds of software (programming frameworks, libraries, applications...) into containers?

The basic idea of a container is not to emulate hardware, but to modularise software with all its dependencies and to separate operating system files from other subsequently installed files?
 
11-18-2021, 06:53 AM   #5
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,925

Rep: Reputation: 7320
Quote:
Originally Posted by a2326
- Does that mean that containers don't have intermediate layers like virtual machines have and therefore don't waste any noteworthy additional resources?
yes
Quote:
Originally Posted by a2326
Can you put all kinds of software (programming frameworks, libraries, applications...) into containers?
Not really, those containers are used to run apps in a separated/isolated environment, without "knowing" or accessing the other containers.
Quote:
Originally Posted by a2326
The basic idea of a container is not to emulate hardware, but to modularise software with all its dependencies and to separate operating system files from other subsequently installed files?
https://www.redhat.com/en/topics/containers
https://www.cio.com/article/2924995/...need-them.html
https://searchitoperations.techtarge...virtualization
 
1 members found this post helpful.
11-18-2021, 03:59 PM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,671
Blog Entries: 4

Rep: Reputation: 3945
Containers provide the necessary illusions, needed to provide isolation, at a minimum of cost. The processes are actually running directly on the host, but, as I said, they are "wearing rose-colored glasses." They think that they see the filesystem, the network topology, their own user-ids (including: "I am running as root!"), etcetera, but none of it is actually true. (And: they don't care, because they don't have to.)

It actually requires very little system resources to maintain these illusions – drastically less than what is required to deploy a "virtual machine."

This concept also creates many advantages for the hosts. An entire industry has sprung up (e.g. "Rackspace") around "container hosting." Since the containerized guest never sees anything (that is actually real ...) about its host, and since it costs virtually nothing either to create a new container or to destroy one, this scenario is both very flexible and very "scalable." As long as those rose glasses never come off, the host can be almost anything. The host(s) can react in real time to ever-changing load patterns with remarkable flexibility: the guests, being "none the wiser," do not have to care.

"You say that you need to spin-up a hundred new containers, right now?" Sure, no problem. As long as the host(s) actually has(have) the physical resources to run the new processes, the rest of it is just fiddling with internal OS data structures to create the required rose glasses. The host can pick whatever CPUs it pleases in order to do the job, and maybe even move the containers around!

Last edited by sundialsvcs; 11-18-2021 at 07:41 PM.
 
1 members found this post helpful.
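The "rose-colored glasses" described in post #6 are kernel namespaces, and they can be inspected from the host. The following is an added example, not part of any poster's message: it compares the namespace links of a host process and a containerized process and translates a container uid to the uid the host kernel actually uses. The inode numbers and the uid map are constructed sample values in the format of `/proc/<pid>/ns/*` and `/proc/<pid>/uid_map`.

```python
import os

NS_TYPES = ("mnt", "net", "pid", "user", "uts", "ipc", "cgroup")

def read_ns(pid, proc="/proc"):
    """Return {type: 'type:[inode]'} for a live process, read from /proc/<pid>/ns."""
    return {t: os.readlink(f"{proc}/{pid}/ns/{t}") for t in NS_TYPES}

def isolated_namespaces(host_ns, proc_ns):
    """Namespace types in which the process sees a different instance than the host."""
    return sorted(t for t in proc_ns if host_ns.get(t) != proc_ns[t])

def parse_uid_map(text):
    """Parse uid_map content: one 'inside_start outside_start length' triple per line."""
    return [tuple(int(f) for f in line.split())
            for line in text.splitlines() if line.strip()]

def host_uid(uid_map, inside_uid):
    """Map a uid seen inside the user namespace to the host uid; None if unmapped."""
    for inside, outside, length in uid_map:
        if inside <= inside_uid < inside + length:
            return outside + (inside_uid - inside)
    return None

# Constructed sample: namespace links of a host process (e.g. PID 1).
SAMPLE_HOST = {
    "mnt": "mnt:[4026531841]", "net": "net:[4026531840]",
    "pid": "pid:[4026531836]", "user": "user:[4026531837]",
    "uts": "uts:[4026531838]", "ipc": "ipc:[4026531839]",
    "cgroup": "cgroup:[4026531835]",
}
# Constructed sample: a process in an unprivileged container (cgroup ns shared).
SAMPLE_CONTAINER = {
    "mnt": "mnt:[4026532571]", "net": "net:[4026532574]",
    "pid": "pid:[4026532572]", "user": "user:[4026532570]",
    "uts": "uts:[4026532569]", "ipc": "ipc:[4026532573]",
    "cgroup": "cgroup:[4026531835]",
}
# Constructed sample: uid_map of that container; uid 0 inside is uid 100000 outside.
SAMPLE_UID_MAP = "         0     100000      65536\n"
# Identity map of the initial user namespace: "root" inside is real root on the host.
IDENTITY_UID_MAP = "         0          0 4294967295\n"

if __name__ == "__main__":
    print("isolated:", isolated_namespaces(SAMPLE_HOST, SAMPLE_CONTAINER))
    print("container root is host uid",
          host_uid(parse_uid_map(SAMPLE_UID_MAP), 0))
    print("without a user namespace, root is host uid",
          host_uid(parse_uid_map(IDENTITY_UID_MAP), 0))
```

On a live host, `read_ns(1)` and `read_ns(<container process pid>)` supply the two dictionaries; reading another user's namespace links normally requires root.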
11-18-2021, 07:56 PM   #7
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,342
Blog Entries: 28

Rep: Reputation: 6145
Without SystemD? Devuan or Slackware (once v. 15 is released, as v. 14.2 is getting a bit long in the tooth and I don't think --Current would be a good candidate for this usage case, but that's just one person's opinion).
 
11-23-2021, 02:38 PM   #8
a2326
Member
 
Registered: Oct 2012
Distribution: Debian
Posts: 49

Rep: Reputation: Disabled
Does it make sense to outsource normal desktop applications into containers or would it be overkill? It wouldn't be a good idea to put an application into a container that you can easily download and install with aptitude but maybe it could be a good idea to put an application into a container that you have to install and configure manually, e.g. Eclipse IDE with a test server, libraries etc?
 
11-23-2021, 08:08 PM   #9
YesItsMe
Member
 
Registered: Oct 2014
Posts: 915

Rep: Reputation: 313
Containers are a security risk as their contents won't automatically get your system's security patches. Beware.
 
11-24-2021, 07:10 PM   #10
doskanoness
LQ Newbie
 
Registered: Oct 2021
Distribution: Arch Linux, Debian, OpenBSD
Posts: 14

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by sundialsvcs
Containers provide the necessary illusions, needed to provide isolation, at a minimum of cost. The processes are actually running directly on the host, but, as I said, they are "wearing rose-colored glasses."
Does that mean containers don't offer an additional layer of security?
 
11-24-2021, 09:55 PM   #11
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,674

Rep: Reputation: 2712
Linux containers can consist of a service container or a distribution instance.
A distribution instance is an entire small distribution running almost as if a full virtual guest (but on the same kernel as the host). A distribution container can run one or more services, and even have some degree of separate networking from the host.
A service instance is just the executable and support files to run a single service, but with process separation from the host for additional security.
Either is better security than running the same services natively on the host.
 
11-25-2021, 01:41 AM   #12
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,925

Rep: Reputation: 7320
Quote:
Originally Posted by doskanoness
Does that mean containers don't offer an additional layer of security?
The isolation itself implemented in containers means "a layer of security", but as it was mentioned several times, security depends on the users/admins, so it will give additional possibilities to blunder something.
 
  

