Containers

Introduction to Linux containers.

What are containers?

https://www.synopsys.com/blogs/software-security/wp-content/uploads/2018/04/containers-rsa.jpg

A Container can be seen as a minimal virtual environment that can be used in any Linux-compatible machine (and beyond).

Using containers is time- and resource-saving as they allow:

  • Controlling for software installation and dependencies.

  • Reproducibility of the analysis.

Containers allow us to use exactly the same versions of the tools.

Virtual machines or containers ?

Virtualisation

Containerisation (aka lightweight virtualisation)

Abstraction of physical hardware

Abstraction of application layer

Depends on hypervisor (software)

Depends on host kernel (OS)

Do not confuse with hardware emulator

Application and dependencies bundled all together

Enable virtual machines

Every virtual machine with an OS (Operating System)

Virtualisation

  • Abstraction of physical hardware

  • Depends on hypervisor (software)

  • Do not confuse with hardware emulator

  • Enable virtual machines:

    • Every virtual machine with an OS (Operating System)

Containerisation (aka lightweight virtualisation)

  • Abstraction of application layer

  • Depends on host kernel (OS)

  • Application and dependencies bundled all together

Virtual machines vs containers

https://raw.githubusercontent.com/collabnix/dockerlabs/master/beginners/docker/images/vm-docker5.png

Source

Pros and cons

ADV

Virtualisation

Containerisation

PROS.

  • Very similar to a full OS.

  • High OS diversity

  • No need of full OS installation (less space).

  • Better portability

  • Faster than virtual machines.

  • Easier automation.

  • Easier distribution of recipes.

  • Better portability.

CONS.

  • Need more space and resources.

  • Slower than containers.

  • Not that good automation.

  • Some cases might not be exactly the same as a full OS.

  • Still less OS diversity, even with current solutions

History of containers

chroot

  • chroot jail (BSD jail): first concept in 1979

  • Notable use in SSH and FTP servers

  • Honeypot, recovery of systems, etc.

https://sysopsio.files.wordpress.com/2016/09/linux-chroot-jail.png

Additions in Linux kernel

  • First version: 2008

  • cgroups (control groups), before “process containers”

    • isolate resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes

  • Linux namespaces

    • one set of kernel resources restrict to one set of processes

_images/linux-vs-docker-comparison-architecture-docker-lxc.png