Container virtualization

from Wikipedia, the free encyclopedia

Container virtualization (also: containerization) is a method of running several instances of an operating system environment (so-called "guests") isolated from one another on a host system. In contrast to virtualization with a hypervisor, container virtualization imposes restrictions on the kind of guests it can run, but it is considered particularly resource-efficient. The Docker software became especially popular in IT from 2013 on, even though various earlier projects had implemented similar ideas. A defining characteristic of containers is that all guests share the kernel of the host operating system.

Principle

On an ordinary operating system, any program can usually see all system resources, among other things:

  • Hardware such as the CPU and network interfaces
  • Storage (read/write), directory structures and network storage
  • Peripherals such as keyboard, webcam, scanner and printer

The operating system can restrict access to such resources depending on the user and context under which the process is running.

Container virtualization makes it possible to control which system resources are visible to, and usable by, the processes in a container: on Linux, namespaces limit what a process can see (other processes, mounts, network interfaces, user IDs), cgroups limit how much of a resource (CPU time, memory, I/O) it may consume, and capabilities limit which privileged operations it may perform.

History

In 1979, the Unix developers introduced the chroot system call, which isolates part of the file system from the rest; this was a first step towards operating-system-level virtualization. For many years the approach was used only sporadically, for software testing and for hardening servers, especially among the BSD derivatives of Unix, which developed it further under the name Jails. Although Linux developers experimented in the late 1990s with User Mode Linux in order to run an operating system inside the operating system, this approach received attention mostly from experts. With the open-source project OpenVZ and the product Virtuozzo based on it, software became widespread in the mid-2000s that allowed web hosts to run many Linux websites on a single server. The Solaris and BSD operating systems each had their own implementations of the principle.

As a result of these developments, the Linux kernel developers made provisions to incorporate similar functions into their operating system: namespaces, cgroups and capabilities. Many of these technologies are used under the umbrella term LXC, but still required a great deal of detailed knowledge of the structure of operating systems and distributions. That changed when, in 2013, the company then called dotCloud introduced Docker, which made it easier for application developers to package their software in containers. Subsequently, a number of alternatives to Docker emerged, especially for Linux, including rkt (pronounced "rocket") and systemd's sub-project nspawn. Some projects and vendors also package container virtualization in products that contain additional management software, for example for orchestration or to offer platform as a service. Examples are the Kubernetes and OpenShift projects.

Realizations

Many projects and products implement the principle of container virtualization, but they differ in which system resources (e.g. processes, file system, network interfaces) they virtualize and isolate from one another. Some implementations include:

  • chroot isolates part of the file system from the rest, so that to a process the path passed as an argument appears to be the root directory of the file system. However, a process inside it, in particular one running as root, can easily escape, which is why chroot is not suitable as a real isolation mechanism.
  • UML (User Mode Linux) allows a Linux kernel to run as a userland process.
  • BSD Jails extend the idea of chroot for the BSD derivatives of Unix.
  • Solaris Zones was Sun Microsystems' further development of the idea for its Unix derivative Solaris.
  • OpenVZ is a substantial extension of the Linux kernel with functions that today roughly correspond to the functionality of LXC. The Linux kernel developers, however, rewrote and generalized a large part of those functions (namespaces, cgroups). The proprietary version of OpenVZ is marketed as Virtuozzo by Parallels, Inc.
  • LXD is a Canonical product that builds on LXC but adds many other functions, some of which come from hypervisor virtualization.
  • Docker is a container platform that uses many of the above techniques and adds user-friendly tools and services, for example a description format for images (Dockerfiles) and a registry that stores such images. The company of the same name offers many other additions to the platform, some free of charge, others paid.
  • systemd-nspawn is a sub-project of the systemd framework and was originally intended for testing systemd itself without having to reboot the computer each time. It uses the Linux-specific namespaces and cgroups.
  • rkt is an alternative implementation of the Docker approach by the competitor CoreOS, which had criticized individual Docker design decisions, primarily regarding security.
  • runC is an attempt to settle the looming schism between Docker and rkt. To this end, several vendors founded the Open Container Initiative under the umbrella of the Linux Foundation. runC is only a runtime and does not contain many of the functions of other container platforms.
  • Podman is a daemonless container manager from Red Hat that is based on the concept of Kubernetes pods and shares its image-handling libraries with the Skopeo tool.

Host operating systems

Most implementations of container virtualization come from the Unix operating system family. It became particularly popular in the Linux context from 2013 on through Docker. There are also implementations for the host operating systems Windows and macOS, which, however, ultimately use a lightweight hypervisor in addition to container virtualization in order to boot a Linux kernel and then use it with Docker. Native container virtualization also exists for operating systems other than Linux, but it has not yet become widely used.

Criticism

Since all guests of a container virtualization share the same kernel, the kernel itself must provide strong mechanisms to isolate the individual guests from one another. With software as complex as the Linux kernel, which exposes several hundred system calls and various other interfaces (such as /proc, /sys and device nodes), this is not easy, and some experts therefore question the effectiveness of the isolation. A well-known incident of this kind affecting Docker occurred in June 2014.
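The system-call surface just described is why container runtimes attach a seccomp filter to every container; Docker's default profile denies a list of dangerous calls, and a per-workload allowlist narrows the surface much further. The following Python script is an added illustration, not code from this article or from Docker: it derives such an allowlist from constructed strace-style log lines and emits it in the JSON layout that `docker run --security-opt seccomp=profile.json` accepts. The trace lines and the baseline set of always-needed syscalls are assumptions made for the example.

```python
import json
import re

# Constructed sample of "strace -f" output for a containerized service.
# These are not real captures; they stand in for a recording taken while
# exercising the application's normal code paths.
SAMPLE_STRACE = r"""
[pid  1234] execve("/usr/bin/app", ["app"], 0x7ffd1c2e3f40 /* 12 vars */) = 0
[pid  1234] brk(NULL)                    = 0x55d0c1a2e000
[pid  1234] openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid  1234] read(3, "\177ELF\2\1\1\0"..., 832) = 832
[pid  1234] mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3a1c000000
[pid  1234] close(3)                     = 0
[pid  1234] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[pid  1234] bind(4, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
[pid  1234] listen(4, 128)               = 0
[pid  1234] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 1235
[pid  1235] write(1, "ready\n", 6)       = 6
[pid  1235] exit_group(0)                = ?
[pid  1234] accept4(4,  <unfinished ...>
+++ exited with 0 +++
"""

# strace prints one call per line: an optional "[pid N]" prefix, then the
# syscall name followed directly by "(".  Resumed calls ("<... read resumed>")
# and status lines ("+++ exited") do not match and are ignored on purpose.
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s*)?([a-z_][a-z0-9_]*)\(")

# Assumed baseline: calls every process needs to start and stop cleanly,
# which a short trace may not show explicitly.
BASELINE = {"exit", "exit_group", "rt_sigreturn", "futex"}


def syscalls_from_strace(text: str) -> set[str]:
    """Return the set of syscall names observed in strace-style output."""
    names = set()
    for line in text.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def build_seccomp_profile(observed: set[str], arch: str = "SCMP_ARCH_X86_64") -> dict:
    """Build an allowlist profile in the JSON layout Docker accepts.

    Everything not listed is rejected with an errno instead of killing the
    process, which keeps failures debuggable while still closing the surface.
    """
    allowed = sorted(observed | BASELINE)
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [arch],
        "syscalls": [{"names": allowed, "action": "SCMP_ACT_ALLOW"}],
    }


def is_allowed(profile: dict, syscall: str) -> bool:
    """Check whether the profile would let a given syscall through."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and rule["action"] == "SCMP_ACT_ALLOW":
            return True
    return profile["defaultAction"] == "SCMP_ACT_ALLOW"


if __name__ == "__main__":
    observed = syscalls_from_strace(SAMPLE_STRACE)
    profile = build_seccomp_profile(observed)
    print(json.dumps(profile, indent=2))
    # Kernel-facing calls that never appeared in the trace stay blocked.
    for name in ("ptrace", "mount", "keyctl", "unshare"):
        print(f"{name:8s} allowed: {is_allowed(profile, name)}")
```

A trace taken under load will be longer than this sample, and the allowlist must be regenerated whenever the application or its libraries change; an allowlist that is too tight shows up as EPERM errors in the container's logs rather than as a host compromise, which is the intended trade-off.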

Because the file systems are isolated, each container carries its own copy of the system libraries. If a vulnerability becomes known in one of them, such as the Heartbleed bug in the SSL/TLS library OpenSSL, a system administrator must update every instance on a machine instead of patching once per server.

Because of the variety of settings and configuration options, containers can easily be set up in a way that opens unwanted access paths to the host. Privileged containers, for example, allow more operations to be carried out inside the container (with `--privileged`, Docker grants the container all capabilities and access to the host's devices), but they weaken the isolation of the container from the host to the point where it is little more than a chroot.
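The weak settings mentioned above can be found mechanically in the output of `docker inspect`. The following audit is an added example, not part of this article or of Docker: it walks two constructed inspect records (not real output, abridged to the relevant fields) and reports the configuration choices that weaken isolation. The list of capabilities and host paths treated as dangerous is the author's assumption for the example.

```python
import json

# Constructed, abridged `docker inspect` records; not real output.
PRIVILEGED = json.loads(r"""
{
  "Name": "/build-agent",
  "Config": {"User": ""},
  "HostConfig": {
    "Privileged": true,
    "CapAdd": ["SYS_ADMIN"],
    "CapDrop": null,
    "PidMode": "host",
    "NetworkMode": "bridge",
    "SecurityOpt": null,
    "ReadonlyRootfs": false,
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/:/host:ro"]
  },
  "Mounts": []
}
""")

HARDENED = json.loads(r"""
{
  "Name": "/web",
  "Config": {"User": "10001:10001"},
  "HostConfig": {
    "Privileged": false,
    "CapAdd": ["NET_BIND_SERVICE"],
    "CapDrop": ["ALL"],
    "PidMode": "",
    "NetworkMode": "bridge",
    "SecurityOpt": ["no-new-privileges:true"],
    "ReadonlyRootfs": true,
    "Binds": null
  },
  "Mounts": [{"Type": "volume", "Source": "web-data", "Destination": "/data", "RW": true}]
}
""")

# Capabilities that effectively hand over the host when added to a container
# (assumed list for this example; extend it to taste).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
                  "DAC_READ_SEARCH", "NET_ADMIN", "BPF", "SYS_BOOT"}
# Host paths that must never be bind-mounted into an untrusted container.
SENSITIVE_HOST_PATHS = {"/", "/var/run/docker.sock", "/run/docker.sock",
                        "/proc", "/sys", "/dev", "/etc"}


def _is_sensitive(path: str) -> bool:
    norm = path if path == "/" else path.rstrip("/")
    return norm in SENSITIVE_HOST_PATHS


def _bind_sources(record: dict):
    """Yield host-side source paths of bind mounts from Binds and Mounts."""
    for bind in record["HostConfig"].get("Binds") or []:
        yield bind.split(":", 1)[0]
    for mount in record.get("Mounts") or []:
        if mount.get("Type") == "bind":
            yield mount.get("Source", "")


def audit_container(record: dict) -> list[str]:
    """Return the isolation weaknesses found in one inspect record."""
    hc = record["HostConfig"]
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and host devices granted")
    for cap in hc.get("CapAdd") or []:
        if cap.upper().removeprefix("CAP_") in DANGEROUS_CAPS:
            findings.append(f"cap_add {cap}: lets the container affect the host")
    if hc.get("PidMode") == "host":
        findings.append("pid=host: host processes visible and signalable")
    if hc.get("NetworkMode") == "host":
        findings.append("network=host: no network namespace isolation")
    for src in _bind_sources(record):
        if _is_sensitive(src):
            findings.append(f"bind mount of sensitive host path {src}")
    user = (record["Config"].get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root inside the container")
    if not any(o.startswith("no-new-privileges") for o in hc.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set: setuid binaries can regain privileges")
    if not hc.get("ReadonlyRootfs"):
        findings.append("writable root filesystem")
    return findings


if __name__ == "__main__":
    for record in (PRIVILEGED, HARDENED):
        print(record["Name"])
        for finding in audit_container(record) or ["no findings"]:
            print("  -", finding)
```

The hardened record corresponds to a container started with `docker run --user 10001:10001 --cap-drop ALL --cap-add NET_BIND_SERVICE --security-opt no-new-privileges --read-only`; the mount of `/var/run/docker.sock` in the first record deserves special attention, because whoever can talk to the Docker daemon can start a privileged container and is therefore root on the host.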

As a service for containers, repositories (registries) have emerged that offer ready-made images which can be run directly on the container platform. Some of these artifacts are of dubious quality and may contain vulnerabilities, through ignorance or malicious intent on the part of the provider, if they are not verified before being downloaded and run.
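The minimum check before running a downloaded image is to pin it by content digest rather than by tag: a tag such as `:latest` can be repointed by whoever controls the repository, whereas the digest is the SHA-256 of the image manifest and changes with any modification. The following Python code is an added example, not code from this article or from any registry client; the manifest it verifies is constructed for the example, and the registry name is made up.

```python
import hashlib
import hmac
import json

# A constructed OCI image manifest (not a real image).  A registry addresses an
# image by the sha256 of exactly these bytes, so any change to a layer or to the
# config reference changes the digest.
MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "0" * 64, "size": 1234},
    "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                "digest": "sha256:" + "1" * 64, "size": 56789}],
}, separators=(",", ":")).encode()


def parse_reference(ref: str):
    """Split an image reference into (name, tag, digest).

    The digest follows "@"; the tag follows the last ":" unless that ":" is
    part of a registry host:port, which is recognised by a "/" after it.
    """
    name, digest = ref, None
    if "@" in name:
        name, digest = name.split("@", 1)
    tag = None
    last = name.rfind(":")
    if last != -1 and "/" not in name[last:]:
        name, tag = name[:last], name[last + 1:]
    return name, tag, digest


def digest_of(blob: bytes) -> str:
    """Content digest in the form registries use."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def verify_manifest(blob: bytes, ref: str) -> bool:
    """True only if ref is pinned by digest and blob hashes to that digest.

    A tag-only reference is rejected outright: there is nothing immutable to
    compare against, so "verification" would be meaningless.
    """
    _, _, digest = parse_reference(ref)
    if digest is None:
        return False
    return hmac.compare_digest(digest_of(blob), digest)


if __name__ == "__main__":
    pinned = "registry.example/app@" + digest_of(MANIFEST)
    tampered = MANIFEST.replace(b"1" * 64, b"2" * 64)   # one layer swapped
    print("pinned, intact  :", verify_manifest(MANIFEST, pinned))
    print("pinned, tampered:", verify_manifest(tampered, pinned))
    print("tag only        :", verify_manifest(MANIFEST, "registry.example/app:latest"))
```

Digest pinning guarantees only that the image that runs is the one that was reviewed; it says nothing about the quality of that review. Whether the publisher is who they claim to be is a separate question, answered by signature verification (Docker Content Trust or cosign signatures over the same digest), which this example does not cover.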
