What are Linux containers?

Linux containers, in short, contain applications in a way that keep them isolated from the host system that they run on. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package. And they are designed to make it easier to provide a consistent experience as developers and system administrators move code from development environments into production in a fast and replicable way.

In a way, containers behave like a virtual machine. To the outside world, they can look like their own complete system. But unlike a virtual machine, a container doesn’t need to replicate an entire operating system, only the individual components the application needs in order to operate. This gives a significant performance boost and reduces the size of the application. Containers also start and run much faster because, unlike traditional virtualization, the process is essentially running natively on its host, just with an additional layer of protection around it.

And importantly, many of the technologies powering container technology are open source. This means that they have a wide community of contributors, helping to foster rapid development of a wide ecosystem of related projects fitting the needs of all sorts of different organizations, big and small.

Why is there such interest in containers?

Undoubtedly, one of the biggest reasons for recent interest in container technology has been the Docker open source project, a command line tool that made creating and working with containers easy for developers and sysadmins alike, similar to the way Vagrant made it easier for developers to explore virtual machines.

Docker is a command-line tool for programmatically defining the contents of a Linux container in code, which can then be versioned, reproduced, shared, and modified easily just as if it were the source code to a program.

Containers have also sparked an interest in microservice architecture, a design pattern for developing applications in which complex applications are broken down into smaller, composable pieces which work together. Each component is developed separately, and the application is then simply the sum of its constituent components. Each piece, or service, can live inside of a container, and can be scaled independently of the rest of the application as the need arises.

How do I orchestrate containers?

Simply putting your applications into containers probably won’t create a phenomenal shift in the way your organization operates unless you also change how you deploy and manage those containers. One popular system for managing and organizing Linux containers is Kubernetes.

Kubernetes is an open source system for managing clusters of containers. To do this, it provides tools for deploying applications, scaling those applications as needed, and managing changes to existing containerized applications, and it helps you optimize the use of the underlying hardware beneath your containers. It is designed to be extensible, as well as fault-tolerant, by allowing application components to restart and move across systems as needed.

IT automation tools like Ansible, and platform as a service projects like OpenShift, can add additional capabilities to make the management of containers easier.

How do I keep containers secure?

Containers add security by isolating applications from other applications on a host operating system, but simply containerizing an application isn’t enough to keep it secure. Dan Walsh, a computer security expert known for his work on SELinux, explains some of the ways that the developers of Docker and other container tools are working to make sure containers are secure, as well as some of the security features currently within Docker and how they function.

Where can I learn more?

Here are some additional resources you may be interested in.

  • The Cloud Native Computing Foundation (cncf.io)
  • The Open Containers Initiative (opencontainers.org)
  • What are containers? (redhat.com)
  • Securing containers before they take over the world (thestack.com)
  • Containers: 4 key security considerations (containerjournal.com)
  • What is Docker? (opensource.com)

This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.

What are containers?

Containers are a virtualisation technology that isolates each process in a lightweight and standard environment. They allow users to package and quickly deploy entire applications parallel to each other on the same kernel and hardware, while maintaining isolation among the workloads.

Container virtualisation

Containers are instantiated from container images, a layered packaging system, to distribute applications along with their configuration and runtime dependencies.

From development to production, containers power modern cloud applications as they allow developers to move fast between platforms and versions.

Inside Google alone, at least two billion containers are generated each week to manage its vast operations. There are many tools to create, deploy and manage containers, including LXD, Docker and Kubernetes.

What is Docker?

Docker is an open-source containerisation platform. It provides an easy way to build and deploy containers in the cloud or on-premises. Docker didn’t introduce container technologies, but it made the user experience of container technologies so easy for developers that Docker soon became shorthand for containers and the most popular container format. Docker Inc, the company that supports the Docker project and community, also operates Docker Hub, a space for hosting container images.

Docker for beginners: docker-cli, containerd, and runc

Docker is many things: a community, a company, and multiple software projects. The so-called “Docker developer experience” uses three projects: docker-cli, containerd, and runc. The Docker command-line mostly interfaces with the containerd daemon to provide a great end-user experience. Containerd manages and supervises containers, images, storage, and networking. Finally, runc is the container runtime. It consists of all the code used to interact with container system features (think user namespaces, cgroups, and so on).

Kubernetes vs Docker: CRI-O and OCI

With more and more applications deployed on containers, simple orchestration tools are not enough to support complex production environments. ‘Container orchestration’ becomes a problem space of its own. The rise of Kubernetes is the industry’s answer to the container orchestration problem, providing a way to manage containers at scale efficiently.

CRI (Container Runtime Interface) is a Kubernetes API that sits between Kubernetes orchestration features and container runtimes such as containerd or CRI-O. The Open Container Initiative (OCI) defines a set of specifications that enable all these technologies to work together. Docker, runc, containerd and CRI-O are all OCI-compatible.
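The OCI image format that lets these tools interoperate is content-addressed: a manifest names its config and each filesystem layer by the SHA-256 digest and size of the blob, so any consumer can check that what it pulled is what the manifest describes. The following is an added example, not code from the page or from any of the projects named above; it builds a manifest over constructed sample blobs and shows that swapping a layer's bytes in place is caught by the digest check.

```python
import hashlib
import json

def digest(blob: bytes) -> str:
    """OCI content digest: '<algorithm>:<lowercase hex>' of the raw blob bytes."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def build_manifest(config: bytes, layers: list) -> dict:
    """Build an OCI image manifest that references the config and each layer by digest."""
    def descriptor(media_type, blob):
        return {"mediaType": media_type, "digest": digest(blob), "size": len(blob)}
    return {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": descriptor("application/vnd.oci.image.config.v1+json", config),
        "layers": [descriptor("application/vnd.oci.image.layer.v1.tar", l) for l in layers],
    }

def verify_image(manifest: dict, blobs: dict) -> list:
    """Check every descriptor against the blob store; return (digest, problem) pairs."""
    problems = []
    for d in [manifest["config"]] + manifest["layers"]:
        blob = blobs.get(d["digest"])
        if blob is None:
            problems.append((d["digest"], "blob missing"))
        elif len(blob) != d["size"]:
            problems.append((d["digest"], "size mismatch"))
        elif digest(blob) != d["digest"]:
            problems.append((d["digest"], "digest mismatch"))
    return problems

# Constructed sample image: real layers are (compressed) tar archives of filesystem changes.
CONFIG = json.dumps({"architecture": "amd64", "os": "linux",
                     "config": {"Cmd": ["/app/server"]}}).encode()
LAYERS = [b"layer 0: base filesystem (constructed)",
          b"layer 1: application files (constructed)"]

def demo():
    """Verify an intact image, then the same image with one layer's bytes swapped in place."""
    manifest = build_manifest(CONFIG, LAYERS)
    store = {digest(b): b for b in [CONFIG] + LAYERS}   # content-addressed blob store
    intact = verify_image(manifest, store)
    tampered = dict(store)
    key = digest(LAYERS[1])
    tampered[key] = LAYERS[1].replace(b"application", b"tampered!!!")  # same length
    return intact, verify_image(manifest, tampered)

if __name__ == "__main__":
    print(demo())
```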

Containers vs virtual machines

Containers are a modern way to virtualise infrastructure, more lightweight than traditional virtual machines: all containers on a single host OS share the kernel and other resources, so they require less memory, achieve greater resource utilisation and have startup times shorter by orders of magnitude.

Docker vs LXD: comparing container technologies

Process containers (for example, Docker) and machine containers (traditional Linux containers) are two types of container technologies that address different use cases. Process containers typically contain a single application, while machine containers can contain one or more applications as well as their own operating system. Both container technologies share a kernel with the host operating system.

Docker is the most popular process container environment and allows for very small, immutable containers, containing only the application binaries and a minimal subset of libraries necessary for an application to run as a single process, requiring limited system resources.

LXD functions similarly to a traditional hypervisor, and machine containers resemble virtual machines. Machine containers, also referred to as ‘system containers’, are larger than process containers, as well as stateful and mutable. They have an allocated filesystem, often containing a cut-down version of an operating system, which might include a shell and a limited number of daemons.

Docker is mostly used by developers making Platform-as-a-Service application instances more portable. LXD usage, on the other hand, is often driven by DevOps making Infrastructure-as-a-Service OS instances much faster.

Docker can run alongside LXD with both instances working together. Moreover, Docker can run inside of LXD with zero performance impact, allowing you to safely migrate your Docker containers between machines for easy scale-up and scale-down.

How to secure container images

Canonical’s Kubernetes and cloud native operations report showed that the best container images are secure, stable, and easy to use. While containerisation adds a layer of security by keeping workloads isolated from one another and the host system, it is not enough to secure an application.

Container images are made of software from many different projects and sources, not all equally well-maintained. Developers need to ask themselves which content they can rely on today, tomorrow and for a long time thereafter. Particular attention should be paid to the base layer: select one that is frequently updated, has a credible maintenance commitment, a large ecosystem of well-maintained packages, and a good developer experience.

Canonical publishes a portfolio of base, runtime, and application images with an up to 10-year maintenance commitment. In collaboration with Docker, this content is publicly available on Docker Hub.
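One way to turn the base-layer advice above into a repeatable check is to lint every FROM line of a Dockerfile before the image is built: is the base from a source with a maintenance commitment, and is it referenced in a way that will not silently change underneath you? The checker below is an added example, not code from the page, Canonical or Docker; the allow-list and the sample Dockerfile are constructed for the illustration.

```python
import re

# Constructed policy: image names whose publishers commit to maintaining the base
# layer (a hypothetical allow-list for this example, not a real vendor list).
TRUSTED_BASES = {"ubuntu", "docker.io/library/ubuntu"}

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def parse_image_ref(ref):
    """Split 'name[:tag][@digest]' into (name, tag, digest); tag/digest may be None."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    # A ':' after the last '/' introduces the tag; one before it is a registry port.
    colon = ref.find(":", ref.rfind("/") + 1)
    if colon != -1:
        ref, tag = ref[:colon], ref[colon + 1:]
    return ref, tag, digest

def check_dockerfile(text, trusted=TRUSTED_BASES):
    """Return (line number, image name, finding) for each weak FROM line."""
    findings, stages = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        name, tag, digest = parse_image_ref(m.group(1))
        if m.group(2):
            stages.add(m.group(2).lower())
        if name.lower() in stages or name == "scratch":
            continue  # refers back to an earlier build stage, or the empty base
        if name not in trusted:
            findings.append((lineno, name, "base image not on the maintained allow-list"))
        if digest is None:
            findings.append((lineno, name, "not pinned by digest"))
            if tag in (None, "latest"):
                findings.append((lineno, name, "floating tag (missing or 'latest')"))
        elif not DIGEST_RE.match(digest):
            findings.append((lineno, name, "malformed digest"))
    return findings

# Constructed sample: stage 1 is weak, stage 2 is trusted but unpinned, stage 3 only
# refers back to stage 2 and is therefore skipped.
SAMPLE = """\
FROM python:latest
RUN pip install flask
FROM ubuntu:22.04 AS builder
RUN apt-get update && apt-get install -y build-essential
FROM builder
COPY app /app
"""

if __name__ == "__main__":
    for lineno, name, msg in check_dockerfile(SAMPLE):
        print(f"line {lineno}: {name}: {msg}")
```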
