Containerization

Summary

Containerization is a technique that allows software to run reliably regardless of the computing environment. By encapsulating software within isolated environments called containers, we can more reliably port software across operating systems and hardware infrastructures.

Consider a typical scenario: most development and testing is done on a developer's laptop. The software works as expected on the laptop, but when deployed on the server it fails. This could be because the server uses different versions of libraries, has a different configuration, or interfaces differently with other components of the system. Containerization solves this problem by providing a consistent and isolated runtime environment regardless of the underlying OS or hardware infrastructure.

For developers, what this means is that we are no longer deploying just the application software but deploying container images that contain the app along with its dependencies.

Milestones

1979

During the development of Unix V7 in 1979, the chroot system call is introduced, changing the root directory of a process and its children to a new location in the filesystem. In BSD Unix, this feature is introduced in 1982.

2000

FreeBSD Jails allow administrators to partition a FreeBSD computer system into several independent, smaller systems called jails, with the ability to assign an IP address for each system and configuration. In 2001, something similar is done by Linux VServer to partition resources (file systems, network addresses, memory) on a computer system.

2004

Oracle releases a Solaris Container called Solaris Zones that combines system resource controls and boundary separation provided by zones, which are able to leverage features like snapshots and cloning from ZFS.

2005

OpenVZ is an operating system-level virtualization technology for Linux that uses a patched Linux kernel for virtualization, isolation, resource management and checkpointing. Back then, the code is not released as part of the official Linux kernel.

2006

Process Containers is launched by Google. It's designed for limiting, accounting and isolating resource usage (CPU, memory, disk I/O, network) of a collection of processes. It's renamed Control Groups (cgroups) a year later and eventually merged into Linux kernel 2.6.24.

2008

LXC (LinuX Containers) is the first and most complete implementation of a Linux container manager. It's implemented using cgroups and Linux namespaces. It works on a single Linux kernel without requiring any patches.

2013

Let Me Contain That For You (LMCTFY) is started as an open-source version of Google's container stack, providing Linux application containers. Applications can be made "container aware," creating and managing their own subcontainers. Active deployment in LMCTFY stopped in 2015 after Google started contributing core LMCTFY concepts to libcontainer, which is now part of the Open Container Foundation.

2013

Docker is released and containers explode in popularity. Docker uses LXC in its initial stages and later replaces that container manager with its own library, libcontainer. Later, Docker separates itself from the pack by offering an entire ecosystem for container management.

Discussion

  • What's a Container and what's in it?
    Understand containers by contrasting them against VMs. Source: Janetakis 2017.

    A container consists of the runtime environment: an application together with the dependencies, libraries, binaries, and configuration files needed to run it, bundled into one package. By containerizing the application platform and its dependencies, differences in OS distributions and underlying infrastructure are abstracted away.

    A container has the following characteristics:

    • Includes the application and all of its dependencies
    • Shares the OS kernel with other containers
    • Is not tied to infrastructure — it only needs Docker Engine (or equivalent) installed on the host
    • Runs as an isolated process in user space on the host OS
  • What are the benefits of Containers?

    Containers have a wide range of benefits:

    Benefits to Applications

    • Portable
    • Packaged in a standard way
    • Automated testing, packaging and integrations
    • Support newer microservices architectures
    • Alleviate platform compatibility issues

    Benefits to Deployment

    • Easy
    • Repeatable
    • Reliable deployments: improved speed and frequency of deployments
    • Consistent application lifecycle: configure once and run multiple times
    • Consistent environments: no more process differences between local, dev and staging environments
    • Simple scaling: Fast deployments ease the addition of workers and permit workload to grow and shrink for on-demand use cases
  • How is Virtualization different from Containerization?
    Figure: Comparing Virtual Machines and Containers. Source: https://medium.com/@faizanbashir/docker-containers-101-e47f594a0ed

    With virtualization technology, the package that can be passed around is a Virtual Machine (VM). It includes an OS as well as the application. A server running three VMs would have a hypervisor and three separate operating systems running on top of it. By contrast, a server running three containerized applications runs on top of a single OS, all containers sharing the same OS kernel. Shared parts of the operating system are read-only, while each container has its own mount (i.e., a way to access the container) and volumes for reading from and writing to the file system. This means that containers are much more lightweight and use far fewer resources than virtual machines.

    Containerization has been called operating-system-level virtualization, an operating system feature in which the OS kernel allows the existence of multiple isolated user-space instances. Instances are created from images that we can build and share. Instances created from images are called containers, partitions, virtualization engines or jails (FreeBSD). Applications running inside a container can only see the container's contents and the devices assigned to the container.

  • What's the typical size of a container?

    Containers can be as small as tens of megabytes. For example, the Docker Alpine image is about 5 MB. A virtual machine with its entire OS may be several gigabytes in size. For this reason, a single server can host far more containers than virtual machines. Virtual machines may take several minutes to boot their operating systems and start running the applications they host, whereas containerized applications can be started almost instantly.

  • What is Linux Kernel Containment?
    Figure: The Linux container stack. Source: https://www.engineyard.com/blog/isolation-linux-containers

    Linux Containers (LXC) is a more modern method of virtualizing an application. LXC leverages cgroups to isolate the CPU, memory, file/block I/O and network resources. LXC also uses namespaces to isolate the application from the operating system and separates the process trees, network access, user IDs, and file access.

    LXC is considered a technique that falls between chroot and a virtual machine. As of LXC version 1.0, unprivileged containers are more secure because they run as regular unprivileged users.
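    To observe the namespace and cgroup isolation described above from inside a process, here is an added Python example (not from the original article or from the LXC project). It reads the namespace links under /proc/<pid>/ns and parses /proc/<pid>/cgroup; it assumes a Linux host with /proc mounted, and comparing against PID 1 requires permission to read that process's namespace links.

```python
import os
import re

# Namespace kinds a modern Linux kernel exposes as links under /proc/<pid>/ns.
NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

def parse_ns_link(target: str) -> tuple:
    """Parse a /proc/<pid>/ns/<kind> link target such as 'pid:[4026531836]'
    into (kind, inode). Two processes share a namespace iff the inodes match."""
    m = re.fullmatch(r"(\w+):\[(\d+)\]", target)
    if not m:
        raise ValueError(f"unexpected namespace link target: {target!r}")
    return m.group(1), int(m.group(2))

def parse_cgroup_file(text: str) -> dict:
    """Parse /proc/<pid>/cgroup ('hierarchy-id:controllers:path' per line) into
    {controllers: path}. On cgroup v2 there is one line with empty controllers."""
    cgroups = {}
    for line in text.splitlines():
        if line.strip():
            _, controllers, path = line.split(":", 2)
            cgroups[controllers] = path
    return cgroups

def separated_namespaces(proc_ns: dict, ref_ns: dict) -> list:
    """Namespace kinds in which proc_ns is isolated from the reference (e.g. PID 1).
    Kinds missing from either side are skipped rather than guessed."""
    return sorted(k for k in proc_ns if k in ref_ns and proc_ns[k] != ref_ns[k])

def read_namespaces(pid="self") -> dict:
    """Read the namespace inodes of a live process; unreadable links are skipped
    (reading another user's /proc/<pid>/ns needs ptrace permission)."""
    ns = {}
    for kind in NS_KINDS:
        try:
            ns[kind] = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))[1]
        except OSError:
            pass
    return ns

if __name__ == "__main__":
    # Compare this process with PID 1: an empty list means we share every
    # namespace with init, i.e. no container-style isolation is in effect.
    print("isolated in:", separated_namespaces(read_namespaces(), read_namespaces(1)))
    with open("/proc/self/cgroup") as f:
        print("cgroup membership:", parse_cgroup_file(f.read()))
```

    Run inside a container, the report typically lists pid, mnt, net, uts and ipc as separated and shows a cgroup path under the container runtime's hierarchy; run on the host it lists nothing.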

  • What is Docker?
    Figure: A Docker image is built as multiple layers. Source: https://blog.docker.com/2015/10/docker-basics-webinar-qa/

    Docker is built on top of LXC and adds image management and deployment assistance for virtualizing applications. Docker provides for automation and rapid provisioning of LXC cgroups without requiring a VM. Docker provides an API that extends the functionality of LXC for building Platform as a Service (PaaS) offerings. Since Docker is an open-source system, it could be used for a whole host of purposes.

    A runtime instance of a Docker image contains three things:

    • A Docker image
    • An execution environment
    • A standard set of instructions
  • Could you name some container implementations?

    Docker is the most popular one. Others include Linux OpenVZ, Linux-VServer, FreeBSD Jails, AIX Workload Partitions (WPARs), HP-UX Containers (SRP), and Solaris Containers.

  • How are containers used in mobile phones?

    Mobile phones also use containers to separate and run their apps securely. In fact, Android phones like the Nexus One use LXC on the Android kernel. McAfee provides a Secure Container for Android. Apple iPhones also use containers to compartmentalize applications and their data.

  • Which Linux distributions are suitable for use as a container host?

    Most Linux distributions are unnecessarily feature-heavy if their intended use is simply to act as a container host to run containers. For that reason, a number of Linux distributions have been designed specifically for running containers. Here are some examples:

    • Container Linux (formerly CoreOS Linux) — one of the first lightweight container operating systems built for containers
    • RancherOS — a simplified Linux distribution built from containers, specifically for running containers
    • Photon OS — a minimal Linux container host, optimized to run on VMware platforms
    • Project Atomic Host — Red Hat's lightweight container OS has versions that are based on CentOS and Fedora, and there's also a downstream enterprise version in Red Hat Enterprise Linux
    • Ubuntu Core — the smallest Ubuntu version, Ubuntu Core is designed as a host operating system for IoT devices and large-scale cloud container deployments
    • Alpine Linux — a very small Linux distribution focused on security
  • What is Copy on Write (CoW)?

    Some operating-system-level virtualization implementations provide file-level copy-on-write (CoW) mechanisms. (Most commonly, a standard file system is shared between partitions, and those partitions that change the files automatically create their own copies.) This is easier to back up, more space-efficient and simpler to cache than the block-level copy-on-write schemes common on whole-system virtualizers. Whole-system virtualizers, however, can work with non-native file systems and create and roll back snapshots of the entire system state.
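    The file-level copy-on-write mechanism described above, as an added Python example that is not part of the original article: a minimal overlay of one shared, read-only lower directory beneath per-instance upper directories, with copy-up on first modification. The directory names and the sample config.txt are constructed for the demo.

```python
import os
import shutil
import tempfile

class CowOverlay:
    """File-level copy-on-write view: reads fall through to a shared, read-only
    lower directory; the first modification copies the file up into this
    instance's private upper directory, so the lower layer is never changed."""

    def __init__(self, lower: str, upper: str):
        self.lower, self.upper = lower, upper
        os.makedirs(upper, exist_ok=True)

    def _resolve(self, name: str) -> str:
        # The upper (private) copy wins over the lower original, as in an overlay mount.
        for path in (os.path.join(self.upper, name), os.path.join(self.lower, name)):
            if os.path.isfile(path):
                return path
        raise FileNotFoundError(name)

    def read(self, name: str) -> bytes:
        with open(self._resolve(name), "rb") as f:
            return f.read()

    def append(self, name: str, data: bytes) -> None:
        upper_path = os.path.join(self.upper, name)
        if not os.path.exists(upper_path):
            lower_path = os.path.join(self.lower, name)
            if os.path.isfile(lower_path):
                shutil.copy2(lower_path, upper_path)  # copy-up on first write
        with open(upper_path, "ab") as f:
            f.write(data)

    def copied_up(self) -> list:
        # Files this instance has privately modified: its "diff" against the shared layer.
        return sorted(os.listdir(self.upper))

def demo() -> dict:
    """Two instances share one lower layer; only the one that writes pays for a copy."""
    base = tempfile.mkdtemp()
    lower = os.path.join(base, "lower")
    os.makedirs(lower)
    with open(os.path.join(lower, "config.txt"), "wb") as f:
        f.write(b"shared=1\n")  # constructed sample file in the shared layer
    a = CowOverlay(lower, os.path.join(base, "upper_a"))
    b = CowOverlay(lower, os.path.join(base, "upper_b"))
    a.append("config.txt", b"instance=a\n")
    with open(os.path.join(lower, "config.txt"), "rb") as f:
        lower_after = f.read()
    result = {"a": a.read("config.txt"), "b": b.read("config.txt"),
              "lower": lower_after, "a_diff": a.copied_up(), "b_diff": b.copied_up()}
    shutil.rmtree(base)
    return result
```

    Because each instance's changes are confined to its own upper directory, backing up or caching that directory captures exactly what the instance changed, which is the space and backup advantage the paragraph describes.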

  • What is the importance of Container Security?

    With the wide adoption of container-based applications, systems became more complex and risk increased, laying the groundwork for container security as a discipline. Vulnerabilities like Dirty COW (the dirty copy-on-write bug in the Linux kernel) only reinforced this thinking: because containers share the host kernel, a kernel bug affects every container on that host. This led to a shift left in security along the software development lifecycle, making it a key part of each stage in container app development, also known as DevSecOps. The goal is to build secure containers from the ground up without reducing time to market.

References

  1. Hogg, Scott. 2014. "Software Containers: Used More Frequently than Most Realize." Network World, May 26. Accessed 2018-04-26.
  2. Janetakis, Nick. 2017. "Virtual Machines vs Docker Containers - Dive Into Docker." YouTube, July 2. Accessed 2018-05-13.
  3. Novoseltseva, Ekaterina. 2017. "Top 10 benefits you will get by using Docker." Apiumhub, March 4. Accessed 2018-05-11.
  4. Osnat, Rani. 2018. "A Brief History of Containers: From the 1970s to 2017." Aqua Blog, March 21. Accessed 2018-04-26.
  5. Rubens, Paul. 2017. "What are containers and why do we need them?" CIO, June 27. Accessed 2018-04-26.
  6. Wikipedia. 2018a. "Docker Software." Wikipedia, May 3. Accessed 2018-04-26.
  7. Wikipedia. 2018b. "Operating System Level Virtualization." Wikipedia, May 8. Accessed 2018-04-26.

Further Reading

  1. A Practical Introduction to Container Terminology
  2. What are containers and why do we need them?
  3. Software Containers: Used More Frequently than Most Realize
  4. Operating System Level Virtualization
  5. A Brief Introduction to Linux Containers with LXC

Top Contributors

Last update: 2018-05-13 10:08:01 by arvindpdmn
Creation: 2017-03-17 06:36:35 by arvindpdmn

Cite As

Devopedia. 2018. "Containerization." Version 7, May 13. Accessed 2018-12-15. https://devopedia.org/containerization