Where the author talks about containers, you can mentally substitute cgroups, since Linux containers are cgroups + namespaces.


That's how I look at it too, but lots of people don't look at it that way, hence all the handwaving about "too heavyweight" and "seems like overkill" etc.

Largely because of Docker and Kubernetes, many think of a container as all of the following:

1. A cgroup + [all or nearly all of the] unshare-able namespaces

2. A writable, disposable overlay on top of an immutable "image", which may be lazily downloaded and extracted

3. A resource managed by a userspace daemon managed by a userspace utility over a socket

4. Optionally, a seccomp-bpf filter or apparmor profile or something

But there's a whole useful spectrum between a vanilla process and a Docker container like that. Lots of points on that spectrum still feel highly container-ized but aren't really much more heavyweight than a vanilla process.

Beyond that, in the point about PID namespaces, the author should mention that there are ultra-lightweight init implementations that are barely a factor in overhead.
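As an added illustration of that point (not code from either commenter), here is a minimal PID-namespace init: it starts one command and reaps whatever gets orphaned under it, and that is all. It assumes Linux with unshare(2) and prctl(2); the user namespace is requested first so the namespace can be created unprivileged where the kernel permits it, and the same reaping loop runs as a subreaper if unshare is refused.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Start argv as the first child, then reap every process that ends up parented
 * to us (descendants orphaned when their own parent exits). Returns the first
 * child's exit status (128 if it was killed by a signal, -1 if fork failed) and
 * stores the number of processes reaped in *reaped. */
int tiny_init(char *const argv[], int *reaped) {
    /* As PID 1 of a fresh PID namespace, orphans are reparented to us anyway.
     * Outside one, this prctl makes the kernel reparent orphans to us instead
     * of the system init, so the reaping loop behaves identically either way. */
    prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0);
    *reaped = 0;
    pid_t first = fork();
    if (first < 0) return -1;
    if (first == 0) { execvp(argv[0], argv); _exit(127); }
    int status, rc = 128; pid_t pid;
    while ((pid = wait(&status)) > 0) {   /* ends with ECHILD: nothing left */
        (*reaped)++;
        if (pid == first)
            rc = WIFEXITED(status) ? WEXITSTATUS(status) : 128;
    }
    return rc;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s cmd [args...]\n", argv[0]); return 2; }
    /* Ask for a private PID namespace (a user namespace first, so this can work
     * unprivileged where the kernel permits). The caller of unshare() stays in
     * its old namespace; the *next* fork lands in the new one as PID 1. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID) != 0)
        perror("unshare failed; acting as a subreaper in the current namespace");
    pid_t ns_init = fork();
    if (ns_init < 0) { perror("fork"); return 1; }
    if (ns_init == 0) {                   /* PID 1 in the new namespace */
        int reaped;
        int rc = tiny_init(argv + 1, &reaped);
        fprintf(stderr, "init: reaped %d process(es), command exited %d\n", reaped, rc);
        _exit(rc < 0 ? 1 : rc);
    }
    int status;
    waitpid(ns_init, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run it as `./tiny_init sh -c 'sleep 1 & exit 5'` to see the orphaned sleep collected by the init rather than leaking as a zombie.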



