Search

OS-level virtualization

(Redirected from Linux containers)

OS-level virtualization is an operating system (OS) virtualization paradigm in which the kernel allows the existence of multiple isolated user space instances, called containers (LXC, Solaris containers, AIX WPARs, HP-UX SRP Containers, Docker, Podman), zones (Solaris containers), virtual private servers (OpenVZ), partitions, virtual environments (VEs), virtual kernels (DragonFly BSD), or jails (FreeBSD jail or chroot jail).[1] Such instances may look like real computers from the point of view of programs running in them. A computer program running on an ordinary operating system can see all resources (connected devices, files and folders, network shares, CPU power, quantifiable hardware capabilities) of that computer. However, programs running inside of a container can only see the container's contents and devices assigned to the container.

On Unix-like operating systems, this feature can be seen as an advanced implementation of the standard chroot mechanism, which changes the apparent root folder for the current running process and its children. In addition to isolation mechanisms, the kernel often provides resource-management features to limit the impact of one container's activities on other containers. Linux containers are all based on the virtualization, isolation, and resource management mechanisms provided by the Linux kernel, notably Linux namespaces and cgroups.[2]

The term container, while most popularly referring to OS-level virtualization systems, is sometimes ambiguously used to refer to fuller virtual machine environments operating in varying degrees of concert with the host OS, e.g., Microsoft's Hyper-V containers. A more historic overview of virtualization in general since 1960 can be found in the Timeline of virtualization development.

Operation

On ordinary operating systems for personal computers, a computer program can see (even though it might not be able to access) all the system's resources. They include:

  • Hardware capabilities that can be employed, such as the CPU and the network connection
  • Data that can be read or written, such as files, folders and network shares
  • Connected peripherals it can interact with, such as webcam, printer, scanner, or fax

The operating system may be able to allow or deny access to such resources based on which program requests them and the user account in the context in which it runs. The operating system may also hide those resources, so that when the computer program enumerates them, they do not appear in the enumeration results. Nevertheless, from a programming point of view, the computer program has interacted with those resources and the operating system has managed an act of interaction.

With operating-system-virtualization, or containerization, it is possible to run programs within containers, to which only parts of these resources are allocated. A program expecting to see the whole computer, once run inside a container, can only see the allocated resources and believes them to be all that is available. Several containers can be created on each operating system, to each of which a subset of the computer's resources is allocated. Each container may contain any number of computer programs. These programs may run concurrently or separately, and may even interact with one another.

Containerization has similarities to application virtualization: In the latter, only one computer program is placed in an isolated container and the isolation applies to file system only.

Uses

Operating-system-level virtualization is commonly used in virtual hosting environments, where it is useful for securely allocating finite hardware resources among a large number of mutually-distrusting users. System administrators may also use it for consolidating server hardware by moving services on separate hosts into containers on the one server.

Other typical scenarios include separating several programs to separate containers for improved security, hardware independence, and added resource management features.[3] The improved security provided by the use of a chroot mechanism, however, is not perfect.[4] Operating-system-level virtualization implementations capable of live migration can also be used for dynamic load balancing of containers between nodes in a cluster.

Overhead

Operating-system-level virtualization usually imposes less overhead than full virtualization because programs in OS-level virtual partitions use the operating system's normal system call interface and do not need to be subjected to emulation or be run in an intermediate virtual machine, as is the case with full virtualization (such as VMware ESXi, QEMU, or Hyper-V) and paravirtualization (such as Xen or User-mode Linux). This form of virtualization also does not require hardware support for efficient performance.

Flexibility

Operating-system-level virtualization is not as flexible as other virtualization approaches since it cannot host a guest operating system different from the host one, or a different guest kernel. For example, with Linux, different distributions are fine, but other operating systems such as Windows cannot be hosted. Operating systems using variable input systematics are subject to limitations within the virtualized architecture. Adaptation methods including cloud-server relay analytics maintain the OS-level virtual environment within these applications.[5]

Solaris partially overcomes the limitation described above with its branded zones feature, which provides the ability to run an environment within a container that emulates an older Solaris 8 or 9 version in a Solaris 10 host. Linux branded zones (referred to as "lx" branded zones) are also available on x86-based Solaris systems, providing a complete Linux user space and support for the execution of Linux applications; additionally, Solaris provides utilities needed to install Red Hat Enterprise Linux 3.x or CentOS 3.x Linux distributions inside "lx" zones.[6][7] However, in 2010 Linux branded zones were removed from Solaris; in 2014 they were reintroduced in Illumos, which is the open source Solaris fork, supporting 32-bit Linux kernels.[8]

Storage

Some implementations provide file-level copy-on-write (CoW) mechanisms. (Most commonly, a standard file system is shared between partitions, and those partitions that change the files automatically create their own copies.) This is easier to back up, more space-efficient and simpler to cache than the block-level copy-on-write schemes common on whole-system virtualizers. Whole-system virtualizers, however, can work with non-native file systems and create and roll back snapshots of the entire system state.

Implementations

MechanismOperating systemLicenseActively developed since or betweenFeatures
File system isolationCopy on writeDisk quotasI/O rate limitingMemory limitsCPU quotasNetwork isolationNested virtualizationPartition checkpointing and live migrationRoot privilege isolation
chrootMost UNIX-like operating systemsVaries by operating system1982Partial[a]NoNoNoNoNoNoYesNoNo
DockerLinux,[10] Windows x64[11] macOS[12]Apache license 2.02013YesYesNot directlyYes (since 1.10)YesYesYesYesOnly in experimental mode with CRIU [1]Yes (since 1.10)
Linux-VServer
(security context)		Linux, Windows Server 2016GNU GPLv22001YesYesYesYes[b]YesYesPartial[c]?NoPartial[d]
lmctfyLinuxApache license 2.02013–2015YesYesYesYes[b]YesYesPartial[c]?NoPartial[d]
LXCLinuxGNU GPLv22008Yes[14]YesPartial[e]Partial[f]YesYesYesYesYesYes[14]
SingularityLinuxBSD Licence2015[15]Yes[16]YesYesNoNoNoNoNoNoYes[17]
OpenVZLinuxGNU GPLv22005YesYes[18]YesYes[g]YesYesYes[h]Partial[i]YesYes[j]
VirtuozzoLinux, WindowsTrialware2000[22]YesYesYesYes[k]YesYesYes[h]Partial[l]YesYes
Solaris Containers (Zones)illumos (OpenSolaris),
Solaris		CDDL,
Proprietary		2004YesYes (ZFS)YesPartial[m]YesYesYes[n][25][26]Partial[o]Partial[p][q]Yes[r]
FreeBSD jailFreeBSD, DragonFly BSDBSD License2000[28]YesYes (ZFS)Yes[s]YesYes[29]YesYes[30]YesPartial[31][32]Yes[33]
vkernelDragonFly BSDBSD Licence2006[34]Yes[35]Yes[35]?Yes[36]Yes[36]Yes[37]??Yes
sysjailOpenBSD, NetBSDBSD License2006–2009YesNoNoNoNoNoYesNoNo?
WPARsAIXCommercial proprietary software2007YesNoYesYesYesYesYes[t]NoYes[39]?
iCore Virtual AccountsWindows XPFreeware2008YesNoYesNoNoNoNo?No?
SandboxieWindowsGNU GPLv32004YesYesPartialNoNoNoPartialNoNoYes
systemd-nspawnLinuxGNU LGPLv2.1+2010YesYesYes[40][41]Yes[40][41]Yes[40][41]Yes[40][41]Yes??Yes
TurboWindowsFreemium2012YesNoNoNoNoNoYesNoNoYes
rkt (rocket)LinuxApache license 2.02014[42]–2018YesYesYesYesYesYesYes??Yes

Linux containers not listed above include:

  • LXD, an alternative wrapper around LXC developed by Canonical[43]
  • Podman,[44] an advanced Kubernetes ready root-less secure drop-in replacement for Docker with support for multiple container image formats, including OCI and Docker images
  • Charliecloud, a set of container tools used on HPC systems[45]
  • Kata Containers MicroVM Platform[46]
  • Bottlerocket is a Linux-based open-source operating system that is purpose-built by Amazon Web Services for running containers on virtual machines or bare metal hosts[47]
  • Azure Linux is an open-source Linux distribution that is purpose-built by Microsoft Azure and similar to Fedora CoreOS

See also

Notes

References

Retrieved from "https:https://www.search.com.vn/wiki/index.php?lang=en&q=OS-level_virtualization&oldid=1226448754#Implementations"
🔥 Top keywords: Main PageShannen DohertySpecial:SearchCarlos AlcarazList of United States presidential assassination attempts and plotsAttempted assassination of Donald TrumpDonald TrumpRichard Simmons2024 shooting at a Donald Trump rallyLamine YamalNovak DjokovicNico WilliamsUEFA European ChampionshipWikipedia:Featured picturesThomas Matthew CrooksProject 2025Attempted assassination of Ronald ReaganUEFA Euro 2024Jacoby JonesAR-15–style rifleMukesh AmbaniLonglegsSpain national football teamKimberly CheatleKalki 2898 ADList of Wimbledon gentlemen's singles championsCole PalmerGareth SouthgateJohn Hinckley Jr.Harry KaneLuke PerryAntifa (United States)United States Secret Service.xxxDeaths in 2024Ruth WestheimerEvan VucciButler, PennsylvaniaIndian 2