
Some points are just wrong. Containers and jails have many design similarities which were dismissed by the author. Notably PIDs: both containers and jails are nearly identical in that regard, you can kind of have one leg here and another there, although that is harder to achieve with FreeBSD jails; both implementations do not hide PIDs from the host system. Networking - jails can run on top of a non-virtualized IP/net dev, and containers can run in such modes as well. The link is someone's rant without tech details.



I think you missed the point of the article completely.

Which is:

Containers are not actually a _thing_. BSD Jail is a _thing_, Zones are a _thing_... Linux containers are just a particular configuration of _multiple things_.

PIDs in containers CAN be like PIDs in BSD Jails... if that is what you want. It's up to you to use what Linux primitives you want in your containers.

For example:

I can run an application in a 'linux container' that shares PID, user, and network namespace with the main OS... and the only thing that is different is that the file system is namespaced. I can run cgroups without running namespaces. I can run namespaces without cgroups.

Now if you want to talk about _Docker containers_ then, yes, that is a _thing_, but it's just one of many different possible ways to have Linux containers.
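As an added example (not code from this thread or from any project mentioned in it), a small C launcher that unshares only the namespaces named on its command line and leaves every other namespace shared with the host, which is the point the comment above makes. The tool name nsrun and the name-to-flag table are constructed for illustration; creating namespaces needs root (CAP_SYS_ADMIN) unless "user" is listed, and it is Linux-only.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Constructed name -> CLONE_NEW* table; each flag is an independent primitive. */
struct ns_name { const char *name; int flag; };
static const struct ns_name NS_TABLE[] = {
    {"mnt", CLONE_NEWNS},  {"uts", CLONE_NEWUTS},  {"ipc", CLONE_NEWIPC},
    {"net", CLONE_NEWNET}, {"pid", CLONE_NEWPID},  {"user", CLONE_NEWUSER},
};

/* Parse "mnt,uts" into a flag mask for unshare(2); returns -1 on an unknown name. */
int parse_ns_spec(const char *spec) {
    int flags = 0, found;
    char buf[128];
    snprintf(buf, sizeof buf, "%s", spec);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        found = 0;
        for (size_t i = 0; i < sizeof NS_TABLE / sizeof *NS_TABLE; i++)
            if (strcmp(tok, NS_TABLE[i].name) == 0) { flags |= NS_TABLE[i].flag; found = 1; }
        if (!found) return -1;
    }
    return flags;
}
/* Two /proc/<pid>/ns/<type> links name the same namespace iff their inodes match.
   Returns 1 if same, 0 if different, -1 if either path cannot be stat'ed. */
int same_namespace(const char *a, const char *b) {
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0) return -1;
    return sa.st_ino == sb.st_ino && sa.st_dev == sb.st_dev;
}
int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s ns1[,ns2...] cmd [args]\n", argv[0]); return 2; }
    int flags = parse_ns_spec(argv[1]);
    if (flags < 0) { fprintf(stderr, "unknown namespace in '%s'\n", argv[1]); return 2; }
    if (unshare(flags) != 0) { perror("unshare (needs root or a 'user' entry)"); return 1; }
    /* Everything not named stays shared with the host. A new pid namespace only
       applies to children, so fork before exec; compare /proc/self/ns/* to see the effect. */
    pid_t pid = fork();
    if (pid == 0) { execvp(argv[2], argv + 2); perror("execvp"); _exit(127); }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) { perror("fork/wait"); return 1; }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Running `./nsrun mnt /bin/sh` as root gives a shell whose mounts are private but whose PIDs, users and network are the host's; `ls -l /proc/self/ns/` inside and outside shows only the mnt inode changing.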


No, from the article: 'Solaris Zones, BSD Jails, and VMs are first class concepts.' It just happens that jail as a name, jail as a cmd tool and jail as a system call bear the same name. Nothing stops one from implementing superfancyjails on top of that system call. Same story with Linux containers: we have clone(), unshare(), and setns() and a couple of popular implementations on top of them. Thus, let's say, a 'man systemd-nspawn' container is a _thing_ as a 'man 8 jail' is a _thing_.


You're splitting hairs to explain something that doesn't matter. The article stands well on its own two feet without nitpicking the similarities as you have done.


Do you have a good overview of how to use pieces of FreeBSD jails without using the whole thing? I've interacted (under duress) with FreeBSD jails in production, but I definitely found it a lot easier to learn about Linux containers / namespaces / cgroups.


sudo jail -c path=/ command=/bin/sh

to get a shell in the least isolated jail possible. It's that simple. Read the "Jail Parameters" section in `man jail` to see what you can add to this, e.g.:

sudo jail -c path=/ ip4.addr=192.168.1.123 command=/bin/sh

to isolate the IP address…


'man jail_attach' is somewhat extensive if you wish to do things like one fork in one jail, another in another. I have to admit a similar thing you can do in Linux containers just by spawning 'nsenter' with various parameters.


So Jails support things like allowing the same process to be visible in multiple jails, or sharing a root filesystem, or sharing a network interface?


Jails (on FreeBSD) each get their own IP address(es) which may be associated with the same network interface.

With ZFS, one can use a common "template" filesystem for jails such that updates to the userland or the ports tree only need to be applied to the base file system once and become visible in all jails (as far as I understand ZFS, at least).

To my knowledge, it is not possible to have a process be visible in several jails at once. Each process has a jail ID associated with it, and it is visible only inside the corresponding jail (and the host system, of course).


FreeBSD jails can share an IP with the host system. Also, multiple FreeBSD jails can share the same IP from the host system. Jails are IP-level isolated, in contrast with Linux namespace containers, which do interface-level isolation.


Jails can get their own interfaces too (VNET/VIMAGE). This functionality has been buggy in the past, but in 11 it's ready to go.


Shared file systems, sure; sharing TCP/IP stack, sure; same process in multiple jails, no (except that processes are visible both in a jail plus its parent jail; jails can be nested).


Ok thanks. Can you recommend a higher quality article for people new to containers?


Yes. And perhaps you can start with historical material: http://linux-vserver.org/Paper That happened long before current Linux namespaces and influenced them in many aspects. As for modern implementations, https://lwn.net/Articles/531114/ and further.


This article helped me clear up a few things about the internals of containers while I was preparing for a Docker introduction presentation. It contains a few C programs to get a better idea than just theory: https://blog.selectel.com/containerization-mechanisms-namesp...


Yeah. I feel like the author could really have used a little more time in the industry, really maybe gotten to know about the subject matter before writing a blog post. If only she had spent some time working at a container company, or maybe studied up to work at one of the big tech firms. What a missed opportunity to be more technical.


I'm going to be captain obvious here and let people know that the post I'm replying to is being extremely sarcastic. The author of the article is extremely well known in the Linux container community.


It's really strange to reply sarcastically to someone pointing out the author made some fundamental mistakes.

An appeal to authority in the form of a sarcastic reply really adds nothing to the discussion.


Adding to what discussion, exactly? To my eyes most comments so far seem to be little more than "I agree with the author" or "I disagree".

OP's comment on the other hand at least told me something about the person behind the article.

That said. I am now curious about comparisons between containers/jails/etc across various different metrics that people care about.

Also, what cool non-containerization uses of cgroups and namespaces have some of you gotten up to?


>Adding to what discussion, exactly?

Please read the context to which I replied. That's usually the discussion someone is referring to when they mention 'the discussion' in a reply. The OP highlighted specific issues with the analysis in the article and then someone shit on it with a sarcastic reply.


Since you are being sarcastic: I don't think a Docker engineer had much experience with the jail() system call to speak about the flexibility of non-Linux OS primitives.
