@ -48,15 +48,15 @@ But more crucially they also allow to isolate across cgroups, giving the illusio
With those mechanisms (chroot, cgroups and namespaces) in place creating a container is conceptually relatively simple:
With those mechanisms (chroot, cgroups and namespaces) in place creating a container is conceptually relatively simple:
- First you populate the subtree that your container will have access too, ready to be chroot-ed in
- First you populate the subtree that your container will have access too, ready to be chroot'ed in
- Then you create namespaces for all you need to isolate (this usually includes at least PID, UID, mountpoints and cgroups)
- Then you create namespaces for all you need to isolate (this usually includes at least PID, UID, mountpoints and cgroups)
- Finally you run your containerized process within your namespaces, chroot'ed to it's subtree
- Finally you run your containerized process within your namespaces, chroot'ed to its subtree
## Conclusion
## Conclusion
{{<art-img"images/comic_end.png">}}
{{<art-img"images/comic_end.png">}}
In practice you don't need to make them from scratch, people already have made systems for managing containers with nicer user interfaces those include Docker, LXC and systemd-nspawn just to name a few, and there is probably one just right for your use-case.
In practice you don't need to make them from scratch, people already have made systems for managing containers with nicer user interfaces. Those include Docker, LXC and systemd-nspawn just to name a few, and there is probably one just right for your use-case.
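Review bot: the first list item still carries the typo "access too" in its new version ("the subtree that your container will have access too"); since this hunk is already fixing that line ("chroot-ed" to "chroot'ed"), suggest correcting it to "access to" in the same change. The other edits in the hunk look right: "it's" to "its" in the third item is the correct possessive, and splitting the long final sentence at "nicer user interfaces. Those include" removes the run-on. One minor point for the same pass: the second item ("namespaces for all you need to isolate") would read more clearly as "namespaces for everything you need to isolate".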