Fedora Linux Support Community & Resources Center
  #1  
Old 23rd June 2015, 12:07 AM
lsatenstein
Registered User
 
Join Date: Jun 2005
Location: Montreal, Que, Canada
Posts: 4,286
What is with Containers.

Now I understand there will be big changes coming for Fedora23 where fedup may not be required in the same way. Perhaps the rpmfusion repositories will just indicate "Fedora!" and not indicate Fedora21 or Fedora22. And we may see the conversion of some applications from rpm to containers.

And with containers, if I understand properly, a container application will include all its libraries (statically linked), so that the interfaces to Linux will be few and standardized.

I think or imagine a container to be a self contained runtime module. Will future Linux trends bring changes to future hardware with 16gig ram desktop or laptop computers as the norm?

As I understand the future, two container packages (applications) will coexist in ram, and yet each may have the same internally statically linked libraries or different generations of that library.
__________________
Leslie in Montreal

Interesting web sites list
http://forums.fedoraforum.org/showth...40#post1697840
  #2  
Old 23rd June 2015, 05:22 AM
ocratato
Registered User
 
Join Date: Oct 2010
Location: Canberra
Posts: 2,631
Re: What is with Containers.

I believe Containers are more like virtual machines that share the kernel rather than statically linked programs.
A container for a package might consist of several programs and all the shared libraries that they use, plus configuration data etc. The idea is that as long as the kernel has some minimum functionality then the package will run on any Linux installation.

NOTE that I am basing this on a bit of reading - I have never used a container.

I am rather curious about how it would work for GUI programs.

I would see containers as being useful for large systems of programs rather than individual programs. It should also make distribution of binary programs a lot less painful so we will see more commercial applications distributed this way.

Not sure that is a plus for the open source cause.
__________________
Has anyone seriously considered that it might be turtles all the way down?
That's very old fashioned thinking.
The current model is that it's holographic nested virtualities of turtles, all the way down.
  #3  
Old 23rd June 2015, 02:25 PM
stevea
Guest
 
Posts: n/a
Re: What is with Containers.

Quote:
Originally Posted by lsatenstein
...

And with containers, if I understand properly, a container application will include all its libraries (statically linked), so that the interfaces to Linux will be few and standardized.
I'm pretty certain that's wrong. First, there is at most a microscopic advantage in statically linked libs over dynamic. Second - no one rational is going to rebuild all the apps you might want to run in a container with statically linked libs.

Quote:
I think or imagine a container to be a self contained runtime module. Will future Linux trends bring changes to future hardware with 16gig ram desktop or laptop computers as the norm?
Not quite. Containers use the separate namespace feature of the kernel and effectively you are running an entire separate Linux user-space using the same Linux kernel. Fortunately all the recent kernels will support the not-so-recent glibc interfaces, so you can containerize across a decent range of kernels.

So you can create your own container by installing (for example) Centos7 base libraries and all the dependencies up to the apache package + some web service packages. Then you can run apache in that separate container (having exposed the tcp ports) and access the apache server.

Of course there are a lot of up-to-date docker images out on github, w/ the unnecessary stuff stripped out. So you can just download the Centos7 w/ Apache & webmail (or whatever) and instantiate a container from it.

Quote:
As I understand the future, two container packages (applications) will coexist in ram, and yet each may have the same internally statically linked libraries or different generations of that library.
No - a statically linked library (foo.a) is only useful when a compiler creates a new executable - resolves at link-time instead of at load-time for dynamics. Once linked into an app, a static library has no value to other apps, the binary is mangled.

PERHAPS they are saying that they are creating a way to share shared libraries across containers. (two instances of a Centos7.1 container for example).


Quote:
Originally Posted by ocratato
I believe Containers are more like virtual machines that share the kernel rather than statically linked programs.
A container for a package might consist of several programs and all the shared libraries that they use, plus configuration data etc. The idea is that as long as the kernel has some minimum functionality then the package will run on any Linux installation.
Right, but note that there are almost no - zero - "statically linked programs". Even initramfs is chock full of shared libraries.


Quote:
I am rather curious about how it would work for GUI programs.
I only used containers for a few weeks back when they came out over a year ago. My guess is that you should be able to create another Xserver (with Xnest, or Xephyr or another vid card) and give the container network access to that. I used to do remote (ssh) sessions to Fedora systems that way.

Quote:
I would see containers as being useful for large systems of programs rather than individual programs. It should also make distribution of binary programs a lot less painful so we will see more commercial applications distributed this way.
Mostly agree. Back in the early days you couldn't use the init/systemd on the container usefully, so you had to manually dither all the bits to startup a service. I *believe* that's no longer true.

But yeah - when you want to get a cross development platform from a chip vendor, they could just point you to a docker image and ... zero headaches.

Quote:
Not sure that is a plus for the open source cause.
Yes, it means that any SW developer can release a very stable (one supported OS) binary release and have it run as a container on all sorts of Lin platforms. It's not a lot different from the packages around today that include their own libraries and java. But, yes, the open source stuff already has decent portability (via recompile) but the closed-source guys will have some decent binary portability. In practice, when I get a cross-development toolset package from TI and it only runs on Ubuntu-10.04, it's already a case where I don't need the headaches involved in porting & recompiling & debugging - even if it's all open source.

Despite the boon to closed-source, binary portability of this sort is an advantage to Linux.
  #4  
Old 23rd June 2015, 02:53 PM
upnort
Registered User
 
Join Date: Oct 2014
Location: milky way
Posts: 556
Re: What is with Containers.

How do Fedora/CentOS containers differ from Proxmox containers?

I work with a person who likes Debian-based Proxmox. He downloads CentOS 6 containers for servers, which are OpenVZ containers. Proxmox does support KVM. Proxmox also has a very good web interface, which I do not find with Fedora/CentOS virtualization (cockpit?).

I want to start exploring Fedora/CentOS container technology, but I admit the Proxmox approach for configuration management is appealing.
  #5  
Old 23rd June 2015, 06:35 PM
smr54
Registered User
 
Join Date: Jan 2010
Posts: 7,119
Re: What is with Containers.

I know very little about containers at this point, but as far as GUI apps, you can, for example, download a Debian docker instance that has Debian's version of chromium and run that on a CentOS-6.x GUI. I'm not quite sure if that answers one of your questions or not.

I just, in the particular case I used it (to watch Netflix on CentOS-6.x) had to give permissions on the host, that is, xhosts +127.0.0.1
  #6  
Old 23rd June 2015, 06:47 PM
smr54
Registered User
 
Join Date: Jan 2010
Posts: 7,119
Re: What is with Containers.

I'll link to my page, in case it gives any answers at all about the process of using docker. When I first read about it, I thought it was like a VirtualBox or at least a FreeBSD jail (or OpenVserver), but it's not--at least the way I used it, it's more like an application to be downloaded and then used.

http://srobb.net/rhnetflix.html
  #7  
Old 23rd June 2015, 09:12 PM
flyingdutchman
Registered User
 
Join Date: Jan 2015
Location: Al Ain, UAE
Posts: 696
Re: What is with Containers.

Containers are more like BSD Jails, than virtual machines.
__________________
--
Have fun!
http://www.aeronetworks.ca
  #8  
Old 23rd June 2015, 09:37 PM
stevea
Guest
 
Posts: n/a
Re: What is with Containers.

Quote:
Originally Posted by upnort
How do Fedora/CentOS containers differ from Proxmox containers?
On SUPERFICIAL investigation it appears that ProxMox is a higher level tool that integrates KVM (virtualization) and recently Containers; it *might* be comparable to Gnome Boxes.

I won't speculate about G-boxes features nor the current release of lxc & top tools. I'm just never very excited about free/buy-upgrade tools like ProxMox.

Quote:
A Proxmox VE Subscription is an additional service program designed to help IT professionals and businesses to keep their Proxmox VE deployments up-to-date. It also provides access to professional support services: You get access to the Proxmox VE Enterprise repository with stable software updates and security enhancements, as well as to technical support and other services.
More silo propagation.
  #9  
Old 23rd June 2015, 10:40 PM
smr54
Registered User
 
Join Date: Jan 2010
Posts: 7,119
Re: What is with Containers.

LXC is more like a jail (I think---I know jails fairly well, but don't know LXC).


Docker, IF I UNDERSTAND CORRECTLY--and I may not, is somewhat different, more of an application or two in a sandbox.

A FreeBSD jail, for those who aren't familiar with it, can have separate instances all sharing the same kernel, memory, and so on. It's like a somewhat sophisticated chroot environment.
  #10  
Old 24th June 2015, 01:52 AM
stevea
Guest
 
Posts: n/a
Re: What is with Containers.

Quote:
Originally Posted by smr54
LXC is more like a jail (I think---I know jails fairly well, but don't know LXC).
Yes, LXC has many similarities to BSD Jails (not much like chroot jails). The segregation of namespaces and assignment of resources via cgroups is nicely integrated w/ LXC, and the separation seems a little more complete, the tools a little less developed.

Quote:
Docker, IF I UNDERSTAND CORRECTLY--and I may not, is somewhat different, more of an application or two in a sandbox.
Docker is mostly about making application & service images accessible w/in a LXC container in a portable and manageable way. That doesn't generally mean that the docker image is JUST an app - you'll likely have many dozens or hundreds of binary executables in there. That doesn't mean you can't install a Centos image and add packages - but that's not the main motivation.

chroot just isolates the file/mount namespace w/o isolating the process, network, ipc, users-ids & system-id (uts).
  #11  
Old 24th June 2015, 02:03 AM
upnort
Registered User
 
Join Date: Oct 2014
Location: milky way
Posts: 556
Re: What is with Containers.

Okay, suppose a person wants to install CentOS 7. Then create a container for an apache web server, a DNS server, a router, and a network monitor (oh, I don't know, say nagios). While I can see that KVM is overkill for each server, I have read LXC has its own security issues. So how does one proceed?

Second, how would this example provide benefits over just running all of those services on the same CentOS host?
  #12  
Old 24th June 2015, 10:58 PM
stevea
Guest
 
Posts: n/a
Re: What is with Containers.

Quote:
Originally Posted by upnort
Okay, suppose a person wants to install CentOS 7. Then create a container for an apache web server, a DNS server, a router, and a network monitor (oh, I don't know, say nagios). While I can see that KVM is overkill for each server, I have read LXC has its own security issues. So how does one proceed?
Yes, people have very incorrect ideas about LXC & security. Although it creates namespace isolation it does not prevent privilege penetration of that isolation. This is very different from KVM where the virtualization has no access to the host.

I got a hand-wavey explanation of how they use SELinux to isolate docker containers from a RH friend a few years ago (which got me interested in containers). Here is the detailed stuff from Dan Walsh (the RH SEL guru).
http://opensource.com/business/14/7/...curity-selinux
https://opensource.com/business/14/9...ity-for-docker

Really good vid presentation here,
http://blog.docker.com/2014/07/new-d...r-and-selinux/

Quote:
Second, how would this example provide benefits over just running all of those services on the same CentOS host?
It isolates the Docker containerized processes from the rest of the system. So if your apache server is exploited, it still has no access to your 'normal' filesystem or user passwds or such without also making it out of the container. Given the way they drop capabilities w/in the container, privilege escalation exploits are quite limited. (That's Docker, not plain LXC.)

But my use case (for example) is that I want to run Fedora on the host, and yet have some stable Centos7 services for email, but I also need legacy printer support (that was dropped from CUPS ~F17) and ... currently I run such services in VMs, which has a lot more overhead.
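Two points made in this thread, that chroot separates only the filesystem view while LXC/Docker put a process in its own pid, net, ipc, uts and mount namespaces (post #10), and that Docker limits escalation by dropping capabilities inside the container (post #12), can both be checked from the host with /proc. The helper below is example code added for this page, not anything from Docker, LXC or Red Hat; it decodes the CapEff line of /proc/<pid>/status and compares the namespace ids that readlink reports for /proc/<pid>/ns/*. The sample status text and namespace ids are constructed; the 0xa80425fb mask is the 14-capability set a default Docker container keeps.

```python
"""Audit a process's effective capabilities and which namespaces it shares with the host."""
import re

# Capability bit numbers in order, from <linux/capability.h> (bit 0 = CAP_CHOWN).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read"
).split()

# Capabilities that let a process reach past container isolation into the host.
HOST_REACHING = {"sys_admin", "sys_module", "sys_rawio", "sys_ptrace",
                 "net_admin", "dac_read_search", "sys_boot", "mac_admin"}

def effective_caps(status_text):
    """Return the capability names set in the CapEff line of a /proc/<pid>/status file."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    mask = int(m.group(1), 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]

def host_reaching_caps(status_text):
    """Which of the dangerous capabilities the process still holds."""
    return sorted(HOST_REACHING & set(effective_caps(status_text)))

def shared_namespaces(proc_ns, host_ns):
    """proc_ns / host_ns map a namespace name to readlink('/proc/<pid>/ns/<name>').
    Returns the namespaces that are NOT separated from the host (same inode id)."""
    return sorted(n for n, ident in proc_ns.items() if host_ns.get(n) == ident)

# Constructed samples (not captured from a real system).
CONTAINER_STATUS = "Name:\thttpd\nPid:\t1\nCapEff:\t00000000a80425fb\n"
HOST_ROOT_STATUS = "Name:\tbash\nPid:\t2231\nCapEff:\t0000003fffffffff\n"
HOST_NS = {"mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]",
           "net": "net:[4026531957]", "ipc": "ipc:[4026531839]",
           "uts": "uts:[4026531838]", "user": "user:[4026531837]"}
# Container started without a user namespace: uid 0 inside is uid 0 on the host.
CONTAINER_NS = {"mnt": "mnt:[4026532271]", "pid": "pid:[4026532274]",
                "net": "net:[4026532277]", "ipc": "ipc:[4026532272]",
                "uts": "uts:[4026532273]", "user": "user:[4026531837]"}

if __name__ == "__main__":
    print("container caps:", effective_caps(CONTAINER_STATUS))
    print("host-reaching caps left:", host_reaching_caps(CONTAINER_STATUS))
    print("namespaces shared with host:", shared_namespaces(CONTAINER_NS, HOST_NS))
```

On a live host, feed it open('/proc/<pid>/status').read() and {n: os.readlink(f'/proc/<pid>/ns/{n}') for n in HOST_NS} for the container's init and for pid 1; a non-empty result from host_reaching_caps or a shared "user" entry is what to look for.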
  #13  
Old 25th June 2015, 04:16 AM
upnort
Registered User
 
Join Date: Oct 2014
Location: milky way
Posts: 556
Re: What is with Containers.

Thanks for the reply. Most of the information is over my head. My own VM background is almost all VirtualBox (going back to the Innotek days) and almost all desktop VMs. I tinker a bit with CentOS 6 and 7 but not deep and I want to tinker some with Fedora Server.

I want to become more familiar with the whole VM system that comes with Fedora/CentOS. Probably not too bad to transition from VirtualBox to KVM using virt-manager, but my mind has not yet wrapped around the whole container concept.

My primary interest within this thread is the possibility of migrating Proxmox OpenVZ containers. The person I mentioned using Proxmox is using CentOS 6 in all of his servers, but Proxmox is Debian. He could use KVM for isolation but that is overkill compared to how he uses containers. He would move to a 100% CentOS solution but not without security and not without a nice web interface like Proxmox.

That last element is something I am looking for too -- a web interface. I want to build a NAS/Backup system for myself, but with a focus toward being able to later commoditize the installation and setup for non technical users. That means no command line and easy pointy-clicky remote configuration management. While there are a handful of such distros, I would prefer to just find a nice web interface that can be installed in a CentOS system. Webmin comes to mind but I keep looking for others. I have not looked at cockpit.