
> "Containers" are a mix of two major pieces of technology. One is cgroups, the other is namespaces.

I respectfully disagree with that definition of what a "container" is.

cgroups, namespaces, and so on are an implementation detail of how containers are commonly implemented on Linux these days.

OpenVZ (https://en.wikipedia.org/wiki/OpenVZ) and Solaris Containers (aka zones) both predate the current Linux implementation and did not use namespaces or cgroups.

All three of those ways of running containers are containers. unshare/namespaces/cgroups is just one possible implementation. There are also, certainly, other ways of implementing containers, so it feels wrong to define it in terms of just one specific, admittedly the most popular, implementation.




Linux namespaces/cgroup may be an implementation detail. But at a high level, each container can have a different view of system resources, and this is the critical point. Different from each other and the host system. The system resource can be filesystem, network access, processes, memory, ...

chroot only isolates the file system; otherwise all other system resources are shared with the host system.

I don't doubt that other container technologies achieved a similar level of isolation or more before Docker. But chroot is really not comparable to Docker.
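An added example, not part of the thread: one way to check the point above, that a chrooted process still shares every other resource view with the host, is to compare its `/proc/<pid>/ns` identifiers against the host's. The sample identifiers and the set of namespaces the sample container isolates are constructed assumptions, not captured from a real system.

```python
import os

# Namespace types compared here (entries under /proc/<pid>/ns on Linux).
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def read_namespaces(pid="self"):
    """Return {type: identifier} for a live process, e.g. {'mnt': 'mnt:[4026531840]'}."""
    result = {}
    for ns in NS_TYPES:
        try:
            result[ns] = os.readlink(os.path.join(f"/proc/{pid}/ns", ns))
        except OSError:
            # Entry missing on this kernel, or not readable for this pid.
            result[ns] = None
    return result


def isolation_report(host, proc):
    """Split namespace types into those shared with the host and those isolated."""
    shared, isolated = [], []
    for ns in NS_TYPES:
        h, p = host.get(ns), proc.get(ns)
        if h is None or p is None:
            continue  # unknown on one side: cannot compare
        (shared if h == p else isolated).append(ns)
    return {"shared": shared, "isolated": isolated}


def _sample(**overrides):
    # Constructed identifiers for illustration only.
    ids = {"cgroup": 4026531835, "ipc": 4026531839, "mnt": 4026531840,
           "net": 4026531992, "pid": 4026531836, "user": 4026531837,
           "uts": 4026531838}
    ids.update(overrides)
    return {ns: f"{ns}:[{n}]" for ns, n in ids.items()}


HOST = _sample()
CHROOTED = _sample()  # chroot changes the root directory, not any namespace
CONTAINER = _sample(ipc=4026532301, mnt=4026532299, net=4026532304,
                    pid=4026532302, uts=4026532300)

if __name__ == "__main__":
    for name, proc in (("chroot", CHROOTED), ("container", CONTAINER)):
        print(name, isolation_report(HOST, proc))
```

On a live system, `isolation_report(read_namespaces(1), read_namespaces(pid))` run as root on the host gives the same comparison for a real process.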


Docker for Windows and Mac does not even use "cgroups" and "namespaces" because these technologies are not available on these stacks -- it resorts to plain old VMs. So in a sense, yes, Docker is not just chroot but on the other hand, it is also not just "cgroups" with "namespaces". It turns out Docker is a reference implementation for the concept of containers. But you can replace it with anything that can process images and a "Dockerfile".



