
Containers

Built on top of cgroups and namespaces

Containers are not a single kernel object: they are built from two Linux kernel features, cgroups and namespaces, plus a pile of userland tooling.

cgroups (control groups): limit, account for and isolate the resource usage (CPU, memory, disk I/O, network, number of pids, etc.) of a group of processes. They do not hide anything from the process; they only bound what it may consume.

namespaces: isolate what a group of processes can see, by giving it a private view of one kernel resource: pid, mnt, net, uts (hostname), ipc, user (uid/gid mapping), cgroup and time. A container is a process tree started in its own set of namespaces and placed in its own cgroup. The kernel itself is still shared with the host, so a kernel bug reachable from inside the container is a container escape.
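An added example, not from the original notes: a small inspector that shows where namespaces and cgroups are visible from inside a process. The parsers work on the text formats of /proc/<pid>/cgroup, /proc/<pid>/status (NSpid) and the cgroup v2 control files; the sample inputs in the comments are constructed, and the live check assumes Linux with cgroup v2 mounted at /sys/fs/cgroup.

```python
"""Inspect the namespace and cgroup sandbox of the current process.

Added example, not part of the original page. Pure parsers for the
/proc and /sys/fs/cgroup text formats, plus a best-effort live report.
"""
import os
from typing import Dict, List, Optional

# Namespace types exposed as symlinks under /proc/<pid>/ns/ (time omitted: 5.6+)
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def parse_cgroup_file(text: str) -> Dict[str, str]:
    """Map controller -> cgroup path from /proc/<pid>/cgroup.

    cgroup v2 is a single line "0::/path" (stored under key "v2").
    cgroup v1 lines look like "4:memory:/docker/abc" or "3:cpu,cpuacct:/x";
    "name=systemd" hierarchies are stored without the "name=" prefix.
    """
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        hier_id, controllers, path = line.split(":", 2)
        if hier_id == "0" and controllers == "":
            result["v2"] = path
            continue
        for ctrl in controllers.split(","):
            result[ctrl[5:] if ctrl.startswith("name=") else ctrl] = path
    return result


def parse_limit(text: str) -> Optional[int]:
    """memory.max / pids.max (cgroup v2): integer, or "max" for unlimited."""
    text = text.strip()
    return None if text == "max" else int(text)


def parse_cpu_max(text: str) -> Optional[float]:
    """cpu.max (cgroup v2) is "<quota> <period>"; returns CPUs allowed, or None."""
    quota, period = text.split()
    return None if quota == "max" else int(quota) / int(period)


def parse_nspid(status_text: str) -> List[int]:
    """PIDs of the process in each PID namespace it is visible in (NSpid line).
    More than one entry means a nested PID namespace, e.g. inside a container."""
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(p) for p in line.split()[1:]]
    raise ValueError("no NSpid line in status (kernel < 4.1?)")


def differing_namespaces(mine: Dict[str, str], other: Dict[str, str]) -> List[str]:
    """Namespace types whose inode differs between two processes.
    Values are readlink() results such as "pid:[4026531836]"."""
    return sorted(ns for ns in NS_TYPES if mine.get(ns) != other.get(ns))


def read_ns_links(pid: str) -> Dict[str, str]:
    """readlink /proc/<pid>/ns/*; reading another user's process needs ptrace access."""
    links: Dict[str, str] = {}
    for ns in NS_TYPES:
        try:
            links[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            pass
    return links


def inspect_live() -> Dict[str, object]:
    """Best-effort report for the running process. Inside a container with a
    cgroup namespace, /sys/fs/cgroup shows the container's own cgroup, so the
    limits read here are the container's. The root cgroup has no *.max files."""
    with open("/proc/self/cgroup") as f:
        cg = parse_cgroup_file(f.read())
    with open("/proc/self/status") as f:
        nspids = parse_nspid(f.read())
    init_ns = read_ns_links("1")
    report: Dict[str, object] = {
        "cgroup_path": cg.get("v2", cg.get("memory")),
        "nested_pid_ns": len(nspids) > 1,
        "ns_differing_from_pid1": (differing_namespaces(read_ns_links("self"), init_ns)
                                   if init_ns else "cannot read /proc/1/ns (no ptrace access)"),
    }
    for name, parser in (("memory.max", parse_limit), ("pids.max", parse_limit),
                         ("cpu.max", parse_cpu_max)):
        try:
            with open(os.path.join("/sys/fs/cgroup", name)) as f:
                report[name] = parser(f.read())
        except OSError:
            report[name] = "not present (root cgroup or cgroup v1)"
    return report


if __name__ == "__main__":
    for key, value in inspect_live().items():
        print(f"{key}: {value}")
```

Run it once on the host and once under `docker run` to see the difference: in the container every namespace except usually `user` differs from PID 1's, NSpid has two entries, and memory.max/pids.max reflect the `--memory`/`--pids-limit` flags. A missing `user` entry in the differing list is the first thing to flag in a review, since container root is then host root.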

Docker

An open source Linux containerization platform covering packaging (images), distribution (registries) and runtime.

Does Docker use LXC?

Early Docker used LXC as its default execution driver.

Since version 0.9 (2014), Docker replaced LXC (liblxc) with its own component, libcontainer, written in Go, which drives cgroups and namespaces directly instead of going through the LXC tools.

runc is essentially libcontainer repackaged as a standalone CLI that implements the OCI runtime spec (a bundle directory with a rootfs and a config.json). The libcontainer code lives in the runc repo: https://github.com/opencontainers/runc
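An added example, not runc's own code, tying the OCI runtime spec to the namespaces and cgroups above: a builder for a minimal config.json (the contract runc consumes) and a linter that flags bundles weakening isolation. Field names follow the OCI runtime spec; the rootfs path, the uid/gid mapping range and the limit values are illustrative assumptions.

```python
"""Build and lint a minimal OCI runtime-spec config.json.

Added example, not part of the original page or of runc. Shows how the
namespaces (linux.namespaces) and cgroup limits (linux.resources) from
the notes appear in the bundle that `runc run` consumes.
"""
import json
from typing import Any, Dict, List

CPU_PERIOD_US = 100_000  # default CFS period runc writes to cpu.max


def make_oci_config(rootfs: str, args: List[str], memory_bytes: int, pids: int,
                    cpus: float, user_ns: bool = True) -> Dict[str, Any]:
    """Return an OCI config for a non-root, capability-dropped process."""
    namespaces = [{"type": t} for t in ("pid", "mount", "ipc", "uts", "network")]
    linux: Dict[str, Any] = {
        "namespaces": namespaces,
        "resources": {                      # these become cgroup control files
            "memory": {"limit": memory_bytes},
            "pids": {"limit": pids},
            "cpu": {"quota": int(cpus * CPU_PERIOD_US), "period": CPU_PERIOD_US},
        },
        "maskedPaths": ["/proc/kcore", "/proc/keys", "/proc/sysrq-trigger"],
        "readonlyPaths": ["/proc/sys", "/sys/firmware"],
    }
    if user_ns:
        namespaces.append({"type": "user"})
        # Assumed host range: container uid 0 maps to host uid 100000.
        mapping = [{"containerID": 0, "hostID": 100000, "size": 65536}]
        linux["uidMappings"] = mapping
        linux["gidMappings"] = list(mapping)
    caps = ["CAP_CHOWN", "CAP_NET_BIND_SERVICE"]
    return {
        "ociVersion": "1.0.2",
        "process": {
            "terminal": False,
            "user": {"uid": 1000, "gid": 1000},
            "args": args,
            "env": ["PATH=/usr/local/bin:/usr/bin:/bin"],
            "cwd": "/",
            "capabilities": {"bounding": list(caps), "effective": list(caps),
                             "permitted": list(caps)},
            "noNewPrivileges": True,
        },
        "root": {"path": rootfs, "readonly": True},
        "hostname": "sandbox",
        "mounts": [{"destination": "/proc", "type": "proc", "source": "proc"}],
        "linux": linux,
    }


def lint_oci_config(cfg: Dict[str, Any]) -> List[str]:
    """Findings where the bundle shares host resources or keeps privileges."""
    findings: List[str] = []
    linux = cfg.get("linux", {})
    ns = {n["type"] for n in linux.get("namespaces", [])}
    for required in ("pid", "mount", "network", "ipc", "uts"):
        if required not in ns:
            findings.append(f"missing {required} namespace: shared with the host")
    if "user" not in ns:
        findings.append("no user namespace: container root is host root")
    res = linux.get("resources", {})
    if res.get("memory", {}).get("limit") is None:
        findings.append("no memory limit: a runaway process can OOM the host")
    if res.get("pids", {}).get("limit") is None:
        findings.append("no pids limit: a fork bomb exhausts the host pid table")
    proc = cfg.get("process", {})
    if not proc.get("noNewPrivileges"):
        findings.append("noNewPrivileges unset: setuid binaries can regain privileges")
    if "CAP_SYS_ADMIN" in proc.get("capabilities", {}).get("bounding", []):
        findings.append("CAP_SYS_ADMIN in bounding set: near-root, escape risk")
    if not cfg.get("root", {}).get("readonly", False):
        findings.append("writable rootfs")
    return findings


if __name__ == "__main__":
    cfg = make_oci_config("rootfs", ["/bin/sh"], 256 * 1024 * 1024, pids=100, cpus=0.5)
    print(json.dumps(cfg, indent=2))          # write this to <bundle>/config.json
    print("findings:", lint_oci_config(cfg))  # []
```

To try it for real, put an extracted image filesystem in `<bundle>/rootfs`, write the JSON to `<bundle>/config.json` and start it with `runc run <id>` from inside the bundle directory. Running the linter over `runc spec` output (the default bundle runc generates) is instructive: it has no user namespace and no resource limits, which is exactly what a production-hardened bundle adds.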

LXC

Linux Containers (LXC): operating-system-level virtualization technology, built on cgroups and namespaces, for running multiple isolated Linux systems (containers) on a single control host.

LXC's main focus is system containers: containers that offer an environment as close as possible to the one you would get from a VM, but without the overhead of running a separate kernel and emulating all the hardware (i.e. a full Linux userland with its own init inside a container, still sharing the host kernel).

LXD

  • Canonical supports LXC but fully owns LXD.
  • LXD manages both system containers (on top of liblxc, exposing a REST API) and KVM/QEMU-based virtual machines.

Docker vs LXC

  • Docker: application container (one service per container, started from an image, no init system)
  • LXC: system container (a full userland with its own init)

gVisor

https://github.com/google/gvisor

An application kernel for containers, written in Go, that runs as a normal unprivileged user-space process. It implements most of the Linux system call interface itself, so the application still gets the kernel features it expects while the host kernel only sees the small set of syscalls gVisor needs; this shrinks the host kernel attack surface, which is the point for running untrusted workloads. Lower memory and startup overhead than a full VM, at the cost of some syscall performance and compatibility. Plugs into Docker/containerd as the OCI runtime runsc.

bootc

Boot and upgrade a whole Linux OS from (bootable) container images: the same OCI image and registry tooling used for applications, applied transactionally to the host.

https://github.com/containers/bootc