I think that just underscores my point, which is that containment means different things to different people. To me, it means only the resource limiting features from cgroups. I have no use for namespaces, bind mounts, virtual network interfaces, or any of that stuff. In my application all that stuff is either pointless or harmful. But to you, container means at least PID and mount namespaces.
rlimit is sort of a thing but it's not actually effective so to me it's not part of the picture. If unix limits worked, Google would not have needed to contribute cgroups before deploying Borg. Indeed, in this LWN article which is actually about control groups, they call control groups "containers". Just shows there is not a universal meaning of the term.
The earliest control groups patch I can find says "We use the term container to indicate a structure against which we track and charge utilization of system resources like memory, tasks etc for a workload." It doesn't say anything about isolation, namespaces, or security, but it uses the term container to describe resource control.
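An added example, not from anyone in this thread, that makes the distinction concrete: for a given PID it reports the cgroup v2 path and memory.max limit (resource control) separately from whether the process shares PID, mount, network and other namespaces with PID 1 (isolation). It assumes a cgroup v2 unified hierarchy mounted at /sys/fs/cgroup; the helper names are mine.

```python
from __future__ import annotations
import os
from pathlib import Path

CGROUP_ROOT = Path("/sys/fs/cgroup")  # assumed: cgroup v2 unified mount point
NAMESPACES = ("pid", "mnt", "net", "uts", "ipc", "user")

def parse_cgroup_v2_path(cgroup_text: str) -> str | None:
    """Return the unified-hierarchy path from /proc/<pid>/cgroup text.
    cgroup v2 lines look like '0::/user.slice/app.scope'; v1 lines are ignored."""
    for line in cgroup_text.splitlines():
        fields = line.split(":", 2)
        if len(fields) == 3 and fields[0] == "0" and fields[1] == "":
            return fields[2]
    return None

def parse_memory_max(text: str) -> int | None:
    """memory.max contents: 'max' means no limit (None), otherwise bytes."""
    text = text.strip()
    return None if text == "max" else int(text)

def shares_namespaces(ns_a: dict[str, str], ns_b: dict[str, str]) -> list[str]:
    """Namespaces whose 'type:[inode]' links are identical in both processes,
    i.e. the namespaces in which the two are NOT isolated from each other."""
    return [n for n in NAMESPACES if n in ns_a and ns_a[n] == ns_b.get(n)]

def read_ns_links(pid: int) -> dict[str, str]:
    """Read the /proc/<pid>/ns/* symlink targets that exist on this kernel."""
    links = {}
    for n in NAMESPACES:
        p = f"/proc/{pid}/ns/{n}"
        if os.path.exists(p):
            links[n] = os.readlink(p)
    return links

def describe(pid: int) -> dict:
    """Resource-control view (cgroup, memory limit) next to the isolation view
    (which namespaces are still shared with init). Both can be true or false
    independently: a process can be memory-limited yet fully un-isolated."""
    cg = parse_cgroup_v2_path(Path(f"/proc/{pid}/cgroup").read_text())
    mem = None
    if cg is not None:
        mem_file = CGROUP_ROOT / cg.lstrip("/") / "memory.max"
        if mem_file.exists():
            mem = parse_memory_max(mem_file.read_text())
    shared = shares_namespaces(read_ns_links(pid), read_ns_links(1))
    return {"cgroup": cg, "memory_max_bytes": mem, "namespaces_shared_with_init": shared}

if __name__ == "__main__":
    print(describe(os.getpid()))
```

A process whose report shows a finite memory_max_bytes but all six namespaces shared with init is "in a cgroup" in the 2007 sense and not a container in the isolation sense.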
Regardless of what was said when cgroups was first implemented, the current industry term "container" does actually mean isolation. I suspect you'd find yourself in a very small minority of people who use it to mean simply "running in a cgroup".
> Just shows there is not a universal meaning of the term.
Yes, there is. That meaning has just evolved since 2007.
https://lwn.net/Articles/236038/