Lesson 18: Application Isolation

Homepage Content Slides Video

Warning

This lesson is under construction. Learn from it at your own risk. If you have any feedback, please fill out our General Feedback Survey.

Overview

Application Isolation

The separation of one application stack from the rest of the computer

Virtual Machines

Anatomical Diagram of a VM

Virtual Machines

[vm] # ps aux
USER PID %CPU %MEM    VSZ   RSS TTY STAT START   TIME COMMAND
root   1  0.0  0.6 110564  3164 ?   Ss    2015  11:17 /lib/systemd/systemd --system --deserialize 15
root   2  0.0  0.0      0     0 ?   S     2015   0:00 [kthreadd]
root   3  0.0  0.0      0     0 ?   S     2015   3:55 [ksoftirqd/0]
root   5  0.0  0.0      0     0 ?   S<    2015   0:00 [kworker/0:0H]
[... 120+ more lines ...]

[host] # ps aux
USER  PID %CPU %MEM    VSZ   RSS TTY STAT START   TIME COMMAND
root    1  0.0  0.1 200328  5208 ?   Ss   Aug25   0:44 /sbin/init
root    2  0.0  0.0      0     0 ?   S    Aug25   0:00 [kthreadd]
root    3  0.0  0.0      0     0 ?   S    Aug25   0:05 [ksoftirqd/0]
root    5  0.0  0.0      0     0 ?   S<   Aug25   0:00 [kworker/0:0H]
[... 240+ more lines ...]

OS Emulation

Containers

[container] $ ps aux
PID   USER     TIME   COMMAND
1     root     0:00   sh
6     root     0:00   ps aux

Container Technologies

Containers vs VMs

Diagram of Containers vs Virtual Machines

Pros

Virtual Machines Containers
Complete process isolation Fast startup
'Battle Tested' Little overhead

Cons

Virtual Machines Containers
Slightly more overhead. Security concerns.
Slow startup. No cross-kernel emulation.
Cross-kernel emulation.  

Tools

Virtual Machines Containers
VirtualBox Docker
VMWare Rkt

Virtual Machines

VirtualBox

An Open Source VM Manager.

Widely used and supported on Linux, Mac, and Windows.

VMWare

A closed source VM Manager.

VMWare is a widely used and tends to have better performance than Virtual Box. While it can emulate Linux it does not work natively on Linux.

KVM

The Kernel-based Virtual Machine.

Linux's native infrastructure for handling Virtual Machines and emulation. Usually used in a larger emulation program, not alone.

Containers

Docker

The de facto CLI tool for creating and using containers.

Very popular and well integrated into other tools.

RKT
A competitor to Docker created by CoreOS. Approaches container management from a different angle which has it's advantages and disadvantages.
chroot
The oldschool way to use containers. Not a container in the modern sense, but achieves similar process isolation.
Jails
The BSD Unix form of containerization. Offers a level of secure isolation not really possible in Linux.

TODO

Further Reading

Docker

RKT