
chroot only affects a process's view of the filesystem; it doesn't affect:

- the process’s view of other processes (i.e. ps isn’t isolated)

- the process’s view of the kernel’s VFS, (i.e. mount isn’t isolated)

- the process’s view of the networking stack (i.e. ifconfig and iptables aren’t isolated, and socket numbers are global)

- the process’s view of users on the system (i.e. uids/gids are global)

And so with time, the hostname, IPC, cgroups…

And more are planned to be added, like the kernel keyring and /dev/log.

"containers" means a lot of different things to different people, but the main things people want are:

- resource bundling: "take everything your app needs to run, and tar it up so that it all stays together. Don't make me worry too much about missing libraries."

- sandboxing: don't make me have to worry too much about what else is going on on the system when I run my thing, and reduce the surface area for attacks.

- delivery (the big value add): give me a bunch of tooling to create that tar, version it, and get it running on a bunch of different systems without having to worry too much about the underlying OS, hardware, network setup, or storage.

And bonus for things like k8s.

- service bundling: give me a bunch of tooling to get many of those tars running on different systems and don’t make me worry too much about service discovery, load balancing, software crash recovery, hardware crash recovery, deployments, task scheduling, secrets, config files and more.
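As an added illustration (not part of the comment above): a small Linux inspector that makes the chroot-versus-namespace distinction concrete. It reads the `/proc/<pid>/ns/*` links and `/proc/<pid>/root` to report which namespaces a process shares with another and whether its root differs from the caller's, which is the check you would run when auditing a "jailed" process. It assumes a Linux `/proc`; reading another process's entries needs the usual ptrace-level access.

```python
import os
import re

# Namespace types exposed under /proc/<pid>/ns/: the ones the comment lists
# (mnt, pid, net, user) plus the later additions it mentions (uts, ipc, cgroup).
NAMESPACES = ("mnt", "pid", "net", "user", "uts", "ipc", "cgroup")

_NS_LINK = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")


def ns_inode(link):
    """Parse a namespace link such as 'pid:[4026531836]' into its inode number."""
    m = _NS_LINK.match(link)
    if not m:
        raise ValueError(f"not a namespace link: {link!r}")
    return int(m.group("inode"))


def namespace_ids(pid="self"):
    """Return {ns_type: inode} for a process; None where the link is unreadable
    (missing on old kernels, or no permission to inspect that pid)."""
    ids = {}
    for ns in NAMESPACES:
        try:
            ids[ns] = ns_inode(os.readlink(f"/proc/{pid}/ns/{ns}"))
        except OSError:
            ids[ns] = None
    return ids


def shared_namespaces(pid_a="self", pid_b="self"):
    """Namespace types in which two processes sit in the very same instance.
    A plain chroot leaves all of these shared; unshare/clone flags split them."""
    a, b = namespace_ids(pid_a), namespace_ids(pid_b)
    return sorted(ns for ns in NAMESPACES if a[ns] is not None and a[ns] == b[ns])


def is_chrooted(pid="self"):
    """True if the process's root directory is not the caller's root.
    chroot changes only this pointer; the namespace inodes above stay the same."""
    own = os.stat(f"/proc/{pid}/root")  # magic link, followed to the real dir
    mine = os.stat("/")
    return (own.st_dev, own.st_ino) != (mine.st_dev, mine.st_ino)


if __name__ == "__main__":
    print("chrooted:", is_chrooted())
    print("namespaces shared with pid 1:", shared_namespaces("self", 1))
```

Run as root against a chroot'ed service pid and the first line reports True while the second still lists every namespace, which is exactly the gap the comment describes.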