
Containers vs. Zones vs. Jails vs. VMs (2017) - gullyfur
https://blog.jessfraz.com/post/containers-zones-jails-vms/
======
outworlder
> A “container” is just a term people use to describe a combination of Linux
> namespaces and cgroups. Linux namespaces and cgroups ARE first class
> objects. NOT containers.

Amen.

Somewhat tangential note: most developers I have met do not understand what a
'container' is. There's an aura of magic and mystique around them. And a heavy
emphasis on Docker.

A sizable fraction will be concerned about 'container overhead' (and
"scalability issues") when asked to move workloads to containers. They are
usually not able to explain what the overhead would be, and what could
potentially be causing it. No mention of storage, or how networking would be
impacted, just CPU. That's usually said without measuring the actual
performance first.

When I press further, what I most commonly get is the sense that they believe
that containers are "like VMs, but lighter" (also, I've been told that,
literally, a few times, especially when interviewing candidates). To this day,
I've heard CGroups being mentioned only once.

I wonder if I'm stuck in the wrong bubble, or if this is widespread.

~~~
CBLT
> To this day, I've heard CGroups being mentioned only once.

See
[https://www.kernel.org/doc/Documentation/cgroup-v2.txt](https://www.kernel.org/doc/Documentation/cgroup-v2.txt)

> "cgroup" stands for "control group" and is never capitalized. The singular
> form is used to designate the whole feature and also as a qualifier as in
> "cgroup controllers". When explicitly referring to multiple individual
> control groups, the plural form "cgroups" is used.

To this day, I've heard cgroup mentioned only once...

To put forth a more substantive argument, everybody has a layer of abstraction
they do not peek under. You interviewed people who didn't peek under
containers. You went a layer deeper, but never peeked at the source tree to
learn what cgroup really is. Does it really feel that much better to be one
level above others?

~~~
xelxebar
> To put forth a more substantive argument, everybody has a layer of
> abstraction they do not peek under.

Sure. Though it's reasonable to want your level N developers to have some idea
of what goes on at levels N-1 and perhaps N-2, _cf._ Law of Leaky Abstractions
_etc._ It's similar to wanting your developers to be aware of their users'
needs, which are level N+1 concerns.

~~~
pmichaud
Yeah, I wonder if there's an "optimal target" for the number of layers up and
down you'd ideally be aware of. It has to be at least yours, and the ones
immediately above and below, but I see innovation coming from people with
unusually keen insight into layers further away, e.g. people making brilliant
architectural decisions because they really, really know what the consumers of
an API need and how those people think about the domain. Or vice versa,
someone making something radically better or faster in a web app because they
really get how the Linux kernel is implemented.

It seems like cases where that deep knowledge is an advantage are rare but
also very high value. I wonder how the EV pans out, both for individuals and
orgs.

------
moonchild
I'm a bit disappointed it didn't go into detail into the way jails differ from
zones. VMs I understand, but it seemed like the main point of the post was to
distinguish containers from the other three.

~~~
nickik
All the detail you could possibly want:

[https://www.youtube.com/watch?v=hgN8pCMLI2U](https://www.youtube.com/watch?v=hgN8pCMLI2U)

------
mooreds
Note this is from 2017. Previous discussion:
[https://news.ycombinator.com/item?id=13982620](https://news.ycombinator.com/item?id=13982620)

~~~
dang
Year added. Thanks!

------
dirtydroog
For my workload I've struggled to see the advantage containers would give me.
Maybe someone here can convince me, rather than the current justification of
'docker all the things'.

We have servers, they handle a lot of traffic. It's the only thing running on
the machines and takes over all the resources of the machine. It will need all
the RAM, and all 16 vCPUs are at ~90%.

It's running on GCP. To roll out we have a Jenkins job that builds a tag,
creates a package (dpkg) and builds an image. There's another Jenkins job that
deploys the new image to all regions and starts the update process,
autoscaling and all that.

Can containers help me here?

~~~
pbecotte
If you already have all of that working, why would you change? Containers are
valuable for a couple things-

1. Packaging and distribution: it's very easy to set up a known good
filesystem using docker images and reuse that. There are other solutions; dpkg
plus ansible would be an example.

2. Standardized control: all apps using 'docker run' vs a mix of systemd and
shell scripts can simplify things.

3. Lets you tie into higher level orchestration layers like k8s where you
can view your app instances as a single thing. There are other solutions here
as well.

4. Can use the same image on dev machines as prod instead of needing two
parallel setup schemes.

If you already are happy with your infra, certainly don't change it. I think
once you know containers they are a convenient solution to those problems, but
if stuff is already set up they already missed their shot.

------
nfoz
So.... are any or all of these what you would call a process "sandbox"? Do
operating systems make it easy to sandbox an application from causing harm to
the system? What more could be done to make that a natural, first-class
feature?

Like, let's say you found some binary and you don't know what it does, and
don't want it to mess anything up. Is there an easy way to run it securely?
Why not? And how about giving it specific, opt-in permissions, like limited
network or filesystem access.

------
codeape
I do not understand docker on windows.

If I understand correctly, when I run a docker image on Linux then the
dockerized process's syscalls are all executed by the host kernel (since,
again if I understand correctly, the dockerized process executes more or less
like a normal process, just in isolated process and filesystem namespaces).

Is this correct?

But how does docker on windows work?
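As an added illustration (not code from the article or from anyone in this thread), a small inspection script that reads /proc/<pid>/ns/* and /proc/<pid>/cgroup: what a process is "in" is just a set of namespace inode ids that differ from PID 1's plus a cgroup path, all maintained by the one host kernel that executes its syscalls, which is the point behind outworlder's quote at the top of the thread and codeape's question above. It assumes a Linux host with /proc mounted; reading PID 1's namespace links needs sufficient privilege and is reported as None otherwise.

```python
import os
from pathlib import Path

# Namespace types exposed under /proc/<pid>/ns on current Linux kernels.
NAMESPACES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def namespace_ids(pid):
    """Map namespace name -> 'type:[inode]' for a pid; None where unreadable."""
    ids = {}
    for ns in NAMESPACES:
        try:
            ids[ns] = os.readlink(Path("/proc") / str(pid) / "ns" / ns)
        except OSError:  # not Linux, old kernel, or no permission (e.g. PID 1)
            ids[ns] = None
    return ids


def differing_namespaces(a_ids, b_ids):
    """Namespace names where two processes have different namespace inodes."""
    return sorted(ns for ns in NAMESPACES
                  if a_ids.get(ns) and b_ids.get(ns) and a_ids[ns] != b_ids[ns])


def parse_cgroup_file(text):
    """Parse /proc/<pid>/cgroup ('hierarchy:controllers:path' per line).
    cgroup v2 is the single line '0::/path'; v1 lists one line per hierarchy.
    Returns {'v2': path or None, 'v1': {controller: path}}.
    """
    result = {"v2": None, "v1": {}}
    for line in text.splitlines():
        if not line.strip():
            continue
        hierarchy, controllers, path = line.split(":", 2)
        if hierarchy == "0" and controllers == "":
            result["v2"] = path
            continue
        for ctrl in controllers.split(","):
            # v1 named hierarchies appear as 'name=systemd' with no controller.
            result["v1"][ctrl[5:] if ctrl.startswith("name=") else ctrl] = path
    return result


def isolation_report(pid):
    """Which namespaces a pid does not share with PID 1, plus its cgroup."""
    cgroup_text = Path(f"/proc/{pid}/cgroup").read_text()
    return {"pid": pid,
            "separate_namespaces": differing_namespaces(namespace_ids(pid),
                                                        namespace_ids(1)),
            "cgroup": parse_cgroup_file(cgroup_text)}
```

Run `isolation_report(os.getpid())` on the host and `separate_namespaces` is empty; run it inside a Docker container and the pid, mnt, net, ipc and uts entries differ while the kernel stays the same.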

~~~
codeape
Found this: [https://stackoverflow.com/questions/41550727/how-does-docker-for-windows-run-linux-containers](https://stackoverflow.com/questions/41550727/how-does-docker-for-windows-run-linux-containers)

And:

[https://dockercon.docker.com/watch/U7Bxp66uKmemZssjCTyXkm](https://dockercon.docker.com/watch/U7Bxp66uKmemZssjCTyXkm)

------
deg4uss3r
My only problem with this article is there is no such thing as "Legos". Jess
is brilliant and explains things super well here.

