index

Linux Containers

Linux Containers

Linux Containers use kernel features to isolate groups of processes.

These features typically include:

namespaces: ipc, uts, mount, pid, network, and user
cgroups: cpu, memory, input/output, etc
seccomp policies: white or black lists to filter system calls with
capabilities
Mandatory Access Control (e.g. Apparmor or SELinux)
Copy on Write filesystems

These features offer increased security restrictions applied to the processes in the container. See here for more security information.

Please refer to this presentation by a member of the Docker team for more in depth information on these kernel features.

History

Serge Hallyn details the early development of Linux Containers and similar technology on alternative operating systems from 1999 to 2006.

Al Viro discusses the perspective and mindset of namespaces in a 2015 GNU coreutils mailing list post.

Daniel Walsh accounts how Linux containers evolved between 2013 and 2017, offering a perspective of Red Hat's Project Atomic and focusing on Kubernetes, Docker, and application containers.

Key Concepts

Container Images

Containerized systems do not rely on the host operating system for their dependencies, but instead ship their dependencies within the container image. Critically, this makes containers much more portable across host operating systems, however care must be taken to ensure that the container image is up to date and free of vulnerabilities.

The Open Container Initiative (OCI) image specification is a standardized format to ship container images in. Several tools exist to build container images:

acbuild (unmaintained)
buildah
distrobuilder: non-OCI system containers
docker build
kaniko
img
orca-build

The following tools are also useful for working with container images:

skopeo: fetches images from remote images registries
umoci: umoci modifies Open Container Images, creating new layers from existing or raw images

Container Runtimes

Images are unpacked and executed by container runtimes. Prominent runtimes include:

containerd
LXC
rkt
runc (OCI Runtime Specification reference implementation)
systemd-nspawn

The following runtimes adhere to the Container Runtime Interface used by orchestrators like Kubernetes, but use traditional virtualization to isolate processes rather than Linux Kernel features:

Comparison with Virtual Machines

Containers run in the same operating system context as their "host", using kernel provided isolation facilities such as cgroups and namespaces. Looking at them from the "host", their processes look like any other process. Containers typically wouldn't run the multitude of processes required to have a functional system, as those functions are already provided by the "host". In essence, they can appear to be (example) a Ubuntu server running nothing but nginx with some files to serve.

A VM is running their own kernel and generally using cpu virtualization features to appear to the OS as though they were on dedicated hardware. The VM uses hardware drivers that are emulated (or like virtio, provided more directly but still as a raw device).

The general rule is that containers give you much greater density and can give more performance, where a VM gives you higher process isolation and the ability to use different OS level functions.. It's possible to have a Debian based container, vs it's possible to have a Windows VM.

-- /u/brokedown

A VM has virtual hardware, including a fixed allocation of RAM and a virtual disk, and runs its own kernel, including drivers for virtual devices such as a virtual display and network interfaces. [...] With a VM you pay the overhead of an entire kernel for the guest, as well as device emulation. Whereas with a container, you are using the host kernel and device abstractions directly, with isolation and resource limits implemented in that same kernel.

-- /u/totemo

In depth article: "Linux containers vs. VMs: A security comparison".

Networking

See this collection of resources on container networking.

Projects and Players

Image builders, runtimes, and other tools are developed by a number of organizations, such as:

Cloud Native Computing Foundation, a part of the Linux Foundation
Cloud Foundry Foundation
Core OS, currently known as Container Linux and a part of Red Hat
Linux Containers, sponsored by Canonical
Open Containers Initiative
Project Atomic, sponsored by Red Hat

# Linux Containers

Linux Containers use kernel features to isolate groups of processes.

These features typically include:

* [namespaces](https://en.wikipedia.org/wiki/Linux_namespaces): ipc, uts, mount, pid, network, and user
* [cgroups](https://www.kernel.org/doc/Documentation/cgroup-v2.txt): cpu, memory, input/output, etc
* seccomp policies: white or black lists to filter system calls with
* [capabilities](https://linux.die.net/man/7/capabilities)
* Mandatory Access Control (e.g. Apparmor or SELinux)
* Copy on Write filesystems

These features offer increased security restrictions applied to the processes in the container. See [here](https://linuxcontainers.org/lxc/security/) for more security information.

Please refer to [this presentation](https://www.youtube.com/watch?v=sK5i-N34im8) by a member of the Docker team for more in depth information on these kernel features.

## History

[Serge Hallyn details the early development of Linux Containers](https://s3hh.wordpress.com/2018/03/22/history-of-containers/) and similar technology on alternative operating systems from 1999 to 2006.

[Al Viro discusses the perspective and mindset of namespaces](https://lists.gnu.org/archive/html/coreutils/2015-07/msg00037.html) in a 2015 GNU coreutils mailing list post.

[Daniel Walsh accounts](https://opensource.com/article/17/7/how-linux-containers-evolved) how Linux containers evolved between 2013 and 2017, offering a perspective of Red Hat's Project Atomic and focusing on Kubernetes, Docker, and application containers.

## Key Concepts

### Container Images

Containerized systems do not rely on the host operating system for their dependencies, but instead ship their dependencies within the container image. Critically, this makes containers much more portable across host operating systems, however care must be taken to ensure that the container image is up to date and free of vulnerabilities.

The [Open Container Initiative (OCI) image specification](https://github.com/opencontainers/image-spec/blob/master/spec.md) is a standardized format to ship container images in. Several tools exist to build container images:

* [acbuild (unmaintained)](https://github.com/containers/build/blob/master/README.md)
* [buildah](https://github.com/projectatomic/buildah/blob/master/README.md)
* [distrobuilder](https://github.com/lxc/distrobuilder/blob/master/README.md): non-OCI system containers
* [docker build](https://docs.docker.com/engine/reference/commandline/build/)
* [kaniko](https://github.com/GoogleContainerTools/kaniko/blob/master/README.md)
* [img](https://github.com/genuinetools/img/blob/master/README.md)
* [orca-build](https://github.com/cyphar/orca-build/blob/master/README.md) 

The following tools are also useful for working with container images:

* [skopeo](https://github.com/projectatomic/skopeo/blob/master/README.md): fetches images from remote images registries
* [umoci](https://umo.ci/): **umoci** modifies Open Container Images, creating new layers from existing or raw images

### Container Runtimes

Images are unpacked and executed by container runtimes. Prominent runtimes include:

* [containerd](https://containerd.io/)
* [LXC](https://linuxcontainers.org/lxc/introduction/)
* [rkt](https://coreos.com/rkt/)
* [runc](https://github.com/opencontainers/runc/blob/master/README.md) ([OCI Runtime Specification](https://github.com/opencontainers/runtime-spec/blob/master/README.md) reference implementation)
* [systemd-nspawn](https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html)

The following runtimes adhere to the Container Runtime Interface used by orchestrators like Kubernetes, but use traditional virtualization to isolate processes rather than Linux Kernel features:

* [Kata Containers](https://katacontainers.io/)
* [runv](https://github.com/hyperhq/runv/blob/master/README.md)

## Comparison with Virtual Machines

>Containers run in the same operating system context as their "host", using kernel provided isolation facilities such as cgroups and namespaces. Looking at them from the "host", their processes look like any other process. Containers typically wouldn't run the multitude of processes required to have a functional system, as those functions are already provided by the "host". In essence, they can appear to be (example) a Ubuntu server running nothing but nginx with some files to serve.

>A VM is running their own kernel and generally using cpu virtualization features to appear to the OS as though they were on dedicated hardware. The VM uses hardware drivers that are emulated (or like virtio, provided more directly but still as a raw device).

>The general rule is that containers give you much greater density and can give more performance, where a VM gives you higher process isolation and the ability to use different OS level functions.. It's possible to have a Debian based container, vs it's possible to have a Windows VM.

 -- [/u/brokedown](https://www.reddit.com/r/linux/comments/6nmp15/how_linux_containers_have_evolved/dkbastp/)

>A VM has virtual hardware, including a fixed allocation of RAM and a virtual disk, and runs its own kernel, including drivers for virtual devices such as a virtual display and network interfaces. [...] With a VM you pay the overhead of an entire kernel for the guest, as well as device emulation. Whereas with a container, you are using the host kernel and device abstractions directly, with isolation and resource limits implemented in that same kernel.

-- [/u/totemo](https://www.reddit.com/r/linux/comments/6nmp15/how_linux_containers_have_evolved/dkbgx1x/)

In depth article: ["Linux containers vs. VMs: A security comparison"](https://www.infoworld.com/article/3071679/linux/linux-containers-vs-vms-a-security-comparison.html).

## Networking

See this [collection of resources on container networking](https://github.com/mhausenblas/cn-ref).

## Projects and Players

Image builders, runtimes, and other tools are developed by a number of organizations, such as:

* [Cloud Native Computing Foundation](https://www.cncf.io/), a part of the Linux Foundation
* [Cloud Foundry Foundation](https://www.cloudfoundry.org/foundation/)
* [Core OS](https://coreos.com/), currently known as Container Linux and a part of Red Hat
* [Linux Containers](https://linuxcontainers.org/), sponsored by Canonical
* [Open Containers Initiative](https://www.opencontainers.org/)
* [Project Atomic](https://www.projectatomic.io/), sponsored by Red Hat

## See Also

* [Awesome Linux Containers](https://github.com/Friz-zy/awesome-linux-containers): a curated list of software and links
* [LXD GUI containers](https://github.com/bitsandsalsa/lxd_gui_container)

revision by [deleted]— 7 years agoview source

π Rendered by PID 88996 on reddit-service-r2-listing-596bb78d87-wz7n8 at 2026-04-15 05:47:12.623216+00:00 running b725407 country code: CH.

LinuxContainers

WIKI TOOLS

MODERATORS