Process Containers
This is not a thorough discussion about process containers. This post is an introduction and a bag of resources.
Why containers?
We have been using virtualization technology to develop and deploy software systems. So why are we now using containers, and what are their advantages? Here are some advantages of containerizing applications.
- Container images can be exchanged easily
- Less performance overhead
- Lower cost
- Security
- Ease of deploying a microservices architecture
Process containers are a way to run many isolated applications on a single host. When your application has many processes or services that need to coordinate with each other, you can containerize each of these processes. This idea has many benefits. For example, a web server and a database server coordinate with each other to make up your web application. You can create one container for the web server and one for the database server and connect them. This ensures that if attackers compromise a container, they get only that container, because they are blind to everything outside of it.
What are containers?
Containers are awesome Kernel Parlor Tricks.
Containerization is operating-system-level virtualization, or simply isolation. When we take a set of processes, isolate them from the rest of the processes, and restrict them to a specified amount of system resources (CPU, memory, disk, etc.), we call that a container. Containers are possible because of two features of the Linux kernel: control groups (for managing and monitoring resource usage) and namespaces (for isolating processes).
A container is a set of isolated processes, meaning that processes inside the container are not aware of anything outside it. You isolate a group of processes and restrict that group to a specified amount of resources. Any one of those processes can then overeat the allotted resources, starving or terminating the other processes in that set. To avoid that, Docker recommends and enforces one process per container.
You might have played with containers, perhaps with the help of a technology like Docker. But you can create a container yourself. For more insight into containers, and a comparison of virtualization and containers, refer to Architecting Containers*.
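The isolation described above rests on the two kernel features just named, and it is also what the "attackers get only that container" claim depends on. The following is an added example, not code from the original post: it compares a process's namespace identities (the link targets of /proc/<pid>/ns/*) and cgroup path against those of the host's PID 1, so a defender can tell whether a process is really blind to the outside or was started sharing host namespaces. All names (ProcView, isolation_report, and so on) are my own, and the sample data, including the namespace inode numbers, is constructed.

```python
import os
from dataclasses import dataclass

# The user namespace is omitted: Docker shares it with the host by default,
# so it would flag every ordinary container as "leaky".
NS_KINDS = ("pid", "mnt", "net", "uts", "ipc")


@dataclass
class ProcView:
    """What the kernel reports about one process: its namespace identities
    (targets of /proc/<pid>/ns/<kind>) and its cgroup path."""
    pid: int
    ns: dict
    cgroup: str


def read_procview(pid):
    """Read a live process from /proc (Linux only; the sample below does not use it)."""
    ns = {k: os.readlink(f"/proc/{pid}/ns/{k}") for k in NS_KINDS}
    with open(f"/proc/{pid}/cgroup") as fh:
        # cgroup v2 has a single line of the form "0::<path>"; keep the path.
        cgroup = fh.read().strip().split("::", 1)[-1]
    return ProcView(pid, ns, cgroup)


def shared_namespaces(proc, host):
    """Namespace kinds in which proc is NOT isolated from the host's PID 1."""
    return sorted(k for k in NS_KINDS if proc.ns[k] == host.ns[k])


def isolation_report(proc, host):
    """Is proc confined by its own namespaces and accounted in its own cgroup?"""
    shared = shared_namespaces(proc, host)
    own_cgroup = proc.cgroup not in ("", "/", host.cgroup)
    return {"pid": proc.pid, "shared": shared, "own_cgroup": own_cgroup,
            "isolated": not shared and own_cgroup}


def _ns(**ids):
    return {k: f"{k}:[{ids[k]}]" for k in NS_KINDS}


# Constructed sample data; the inode numbers are made up, not read from a host.
HOST = ProcView(1, _ns(pid=1, mnt=2, net=3, uts=4, ipc=5), "/init.scope")
CONTAINED = ProcView(4242, _ns(pid=11, mnt=12, net=13, uts=14, ipc=15),
                     "/docker/constructed0001")
# Started sharing the host's PID and network namespaces: it can see host processes.
LEAKY = ProcView(4343, _ns(pid=1, mnt=22, net=3, uts=24, ipc=25),
                 "/docker/constructed0002")

if __name__ == "__main__":
    for p in (CONTAINED, LEAKY):
        print(isolation_report(p, HOST))
```

On a Linux host, `isolation_report(read_procview(pid), read_procview(1))` runs the same check against a live process.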
Docker
When I was trying out Docker, it made me think: why do we need a base image if the process in the container uses the same kernel as the host? The answer is in the question itself. Containers use only the kernel of the host, not its userland software. The base image contains the userland of the distribution on which we want our application to run, and different Linux distributions have different userland software.
We have another technology: Kubernetes. We need Kubernetes because containers cannot think outside the kernel they run on; coordinating them across many hosts is the job of an orchestrator.
More Resources
- Architecting Containers*
- Make Containers Contain and Work for You discusses the security aspects of containers, especially in Docker.
- The Application Apartment Complex: Red Hat Enterprise Linux & Linux Containers
- What are containers and why do you need them?
- Operating System Containers vs. Application Containers