Start with a physical machine

Create software (hypervisor) responsible for isolating the guest OS inside the VM

VM resources (memory, disk, networking, etc.) are provided by the physical machine but visibility outside of the VM is limited

VM and physical machine share same instruction set, so must the host and guest

Guest OS can provide a different application binary interface (ABI) inside the VM

Lots of challenges in getting this to work because guest OS expects to have privileged hardware access

Start with a real operating system

Create software responsible for isolating guest software inside the container

Container resources (processes, files, network sockets, etc.) are provided by the real operating system but visibility outside the container is limited

Container and real OS share same kernel

So applications inside and outside the kernel must share the same ABI

Challenges is getting this to work are due to shared OS namespaces

False. Container shares the kernel with the host.

True. All long as both distributions use the same kernel, differences are confined to different binary tools and file locations.

False. Container process namespaces is isolated from the host.

Application inside the VM makes a system call

Trap to the host OS (or hypervisor)

Hand trap back to the guest OS

Application inside the container makes a system call

Trap to the OS

Remember all of the work we had to do to deprivilege the guest OS and deal with uncooperative machine architectures like x86?

OS virtualization does not require any of this: there is only one OS!

Process IDs

File names

User names:

Host name and IP address

CPU time

memory

disk or network bandwidth

Instead of starting path resolution at inode #2, start somewhere else.

Mount points: allows different namespaces to see different views of the file system

Process IDs: new processes are allocated IDs in their current namespace and all parent namespaces

Network: namespaces can have private IP addresses and their own routing tables, and can communicate with other namespaces through virtual interfaces

Devices: devices can be present or hidden in different namespaces

Processes and their children remain in the same cgroup

cgroups may it possible to control the resources allocated to a set of processes

Does /foo/bar exist in the top layer? If yes, return its contents.

Does /foo/bar exist in the next layer? If yes, return its contents.

Etc.

Does /foo/bar exist in the top layer? If yes, return its contents.

Access to /foo in the next layer is prohibited, so stop. (Even if /foo/bar exists.

Copy on write!

Only make modifications to the underlying file system when the container modifies files.

Speeds start up and reduces storage usage.