PToN
Premium Member
join:2001-10-04
Houston, TX


Linux Containers

Hello,

So I've been reading about containers for a little while and I have one main question:

Basically, when you create a container with Ubuntu or Debian, etc., you are pretty much just running that kernel inside whatever OS you already have, correct? And to run applications, you just install the applications in the container and that's pretty much it, correct?

For example, I have Debian installed on my new HP DLxxx server, I install LXC on it, then I create a container with Ubuntu, one with SuSE, and another one with Debian. Then on one of them I install and configure MySQL, Apache, and FTP.

Did I get it right? I am a bit confused by the images you download.

Docker is just a fancy LXC, with an "app store" etc., correct?

Thanks

DeHackEd
Bill Ate Tux's Rocket
join:2000-12-07


Here's how to make a very minimal container for yourself.

There's a program called 'unshare'. It has a number of parameters specifying a namespace to be unshared. Try it. Here's an example of the network namespace.

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr F2:A7:0D:B8:3A:72  
          inet addr:192.168.0.4  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::f0a7:dff:feb8:3a72/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:226500 errors:0 dropped:52 overruns:0 frame:0
          TX packets:169733 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:28909047 (27.5 Mb)  TX bytes:11884155 (11.3 Mb)
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:112 (112.0 b)  TX bytes:112 (112.0 b)
 
# unshare -n $SHELL
# ifconfig -a
lo        Link encap:Local Loopback  
          LOOPBACK  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
You've created a new "network namespace". While in this space you have completely isolated networking resources (with about the only exception being Unix sockets, which are visible on the filesystem). But if you check the process list, etc., you'll see what you'd expect if you hadn't run unshare. You're still on the same kernel as the "host" and your resources are allocated as though you were just a single process running on the host. Which it is.

Containers (typically) use all the unshare options to provide what looks like a completely isolated system. You even get your own PID #1 process, and your typical /sbin/init will gladly launch a whole Linux distribution. From here you can use your favourite software management tools to install anything you want. What's strange is that all container processes are visible in the host's process list.

If LXC is the generic tool capable of any container configuration you can dream of (if you can write the config file for it), then Docker is the simplified and targeted container tool. Yes, you can save and distribute images. It's targeted at running applications rather than full-blown distributions. At least that's how I understand it - I'm running CentOS 6 and it wasn't available until 6.5 was, at which point I became an LXC guru. :/
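The minimal container described in the answer above, carried through the other namespaces, as an added example that is not part of the original post or of LXC/Docker. It is a plain POSIX shell script that assumes util-linux unshare(1) with --map-root-user and a kernel that allows unprivileged user namespaces (so it runs without root); where those are missing each demo reports "skipped". The "sleep 7919" argument is a constructed marker, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): the "minimal container" idea
# from the answer above, built from unshare(1) alone. Assumes util-linux
# unshare with --map-root-user support and a kernel that permits
# unprivileged user namespaces; every demo reports "skipped" otherwise.

# Can this user create the namespaces the demos need? (exit status only)
userns_available() {
    unshare --user --map-root-user --pid --fork --mount --net true 2>/dev/null
}

# PID namespace: the first process in it is PID 1, just like /sbin/init.
# $$ comes from getpid(), so it shows 1 even without a fresh /proc; add
# --mount-proc if you also want ps(1) inside to agree.
demo_pid_ns() {
    userns_available || { echo skipped; return 0; }
    unshare --user --map-root-user --pid --fork sh -c 'echo $$'
}

# Network namespace: only a (down) loopback exists, no eth0. /proc/net is
# per-process, so reading it needs no remount of /proc.
demo_net_ns() {
    userns_available || { echo skipped; return 0; }
    unshare --user --map-root-user --net \
        sh -c 'tail -n +3 /proc/net/dev | cut -d: -f1 | tr -d " "'
}

# Mount namespace: a tmpfs mounted inside is invisible to the host, which
# is how a container image becomes a private root filesystem.
demo_mount_ns() {
    userns_available || { echo skipped; return 0; }
    d=$(mktemp -d)
    inner=$(unshare --user --map-root-user --mount \
        sh -c "mount -t tmpfs none '$d' && touch '$d/inside' && ls '$d'")
    if [ -e "$d/inside" ]; then outer=visible; else outer=hidden; fi
    rmdir "$d"
    echo "$inner $outer"
}

# The flip side: the container's PID 1 is an ordinary process on the host,
# visible in the host's /proc under a different PID. "sleep 7919" is a
# constructed marker so we can find it in the host's process list.
demo_host_sees_container() {
    userns_available || { echo skipped; return 0; }
    marker="sleep 7919"
    unshare --user --map-root-user --pid --fork sh -c "exec $marker" &
    parent=$!
    inner=""
    for try in 1 2 3 4 5; do
        for c in /proc/[0-9]*/cmdline; do
            if [ "$(tr '\0' ' ' < "$c" 2>/dev/null)" = "$marker " ]; then
                inner=${c#/proc/}; inner=${inner%%/*}
            fi
        done
        [ -n "$inner" ] && break
        sleep 1
    done
    # PID 1 of a namespace ignores most signals from outside; SIGKILL works.
    [ -n "$inner" ] && { kill -9 "$inner" 2>/dev/null || true; }
    wait "$parent" 2>/dev/null || true
    if [ -n "$inner" ]; then echo "visible-on-host"; else echo "not-found"; fi
}

# Run all demos when executed directly.
for f in demo_pid_ns demo_net_ns demo_mount_ns demo_host_sees_container; do
    printf '%-26s %s\n' "$f:" "$($f)"
done
```

Each demo isolates exactly one resource, which is the point of the answer: the process is still an ordinary process on the same kernel, and the host's /proc still lists it, even though from inside it is PID 1 with its own loopback and its own mounts. A real container runtime simply stacks all of these, plus UTS, IPC and cgroup namespaces and a chroot into the unpacked image.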