OS-level virtualization: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 08:16, 19 March 2023 edit Bumm13 (talk \| contribs) Administrators 79,725 edits m →Implementations: formatting fix ← Previous edit		Latest revision as of 18:31, 12 August 2025 edit undo 2601:2c7:4180:2ab1::dce (talk) No edit summary
(47 intermediate revisions by 26 users not shown)
Line 1: {{~~short~~Short description\|Operating system virtualization paradigm ~~allowing multiple isolated user space instances~~}} {{More citations needed\|date=November 2020}} '''OS-level virtualization''' is an [[operating system]] (OS) [[virtualization]] paradigm in which the [[Kernel (operating system)\|kernel]] allows the existence of multiple isolated [[user space and kernel space\|user space]] instances, ~~called~~including '''''containers''''' ([[LXC]], [[Solaris Containers~~\|Solaris~~]], ~~containers~~AIX [[Workload_Partitions\|WPARs]], HP-UX SRP Containers, [[Docker (software)\|Docker]], [[Podman]], [[Guix]]), '''''zones''''' ([[Solaris Containers~~\|Solaris containers~~]]), '''''virtual private servers''''' ([[OpenVZ]]), '''''partitions''''', '''''virtual environments''' (''' (VEs'''), '''''virtual kernels''''' ([[vkernel\|DragonFly BSD]]), orand '''''jails''''' ([[FreeBSD jail]] orand [[chroot ~~jail~~]]).<ref>{{~~cite~~Cite web \|url=https://www.networkworld.com/article/749098/cisco-subnet-software-containers-used-more-frequently-than-most-realize.html \|title=Software containers: Used more frequently than most realize \|last1=Hogg \|first1=Scott \|date=2014-05-26 \|website=[[Network World]] \|publisher=Network world, Inc. \|access-date=2015-07-09 \|quote=There are many other OS-level virtualization systems such as: Linux OpenVZ, Linux-VServer, FreeBSD Jails, AIX Workload Partitions (WPARs), HP-UX Containers (SRP), Solaris Containers, among others. }}</ref> Such instances may look like real computers from the point of view of programs running in them. A [[computer program]] running on an ordinary operating system can see all resources (connected devices, files and folders, [[Shared resource\|network shares]], CPU power, quantifiable hardware capabilities) of that computer. Programs running inside a [[Containerization (computing)\|container]] can only see the container's contents and devices assigned to the container. ~~\| url = http://www.networkworld.com/article/2226996/cisco-subnet/software-containers--used-more-frequently-than-most-realize.html~~ ~~\| title = Software Containers: Used More Frequently than Most Realize~~ ~~\| last1 = Hogg~~ ~~\| first1 = Scott~~ ~~\| date = 2014-05-26~~ ~~\| website = Network World~~ ~~\| publisher = Network World, Inc~~ ~~\| access-date = 2015-07-09~~ \| quote = There are many other OS-level virtualization systems such as: Linux OpenVZ, Linux-VServer, FreeBSD Jails, AIX Workload Partitions (WPARs), HP-UX Containers (SRP), Solaris Containers, among others. }}</ref> Such instances may look like real computers from the point of view of programs running in them. A computer program running on an ordinary operating system can see all resources (connected devices, files and folders, [[Shared resource\|network shares]], CPU power, quantifiable hardware capabilities) of that computer. However, programs running inside of a container can only see the container's contents and devices assigned to the container. On [[Unix-like]] operating systems, this feature can be seen as an advanced implementation of the standard [[chroot]] mechanism, which changes the apparent root folder for the current running process and its children. In addition to isolation mechanisms, the kernel often provides [[Resource management (computing)\|resource-management]] features to limit the impact of one container's activities on other containers. Linux containers are all based on the virtualization, isolation, and resource management mechanisms provided by the [[Linux kernel]], notably [[Linux namespaces]] and [[cgroups]].<ref>{{cite web\|url=http://www.netdevconf.org/1.1/proceedings/slides/rosen-namespaces-cgroups-lxc.pdf\|title=Namespaces and Cgroups, the basis of Linux Containers\|first=Rosen\|last=Rami\|access-date=18 August 2016}}</ref> ~~The~~Although ~~term~~the word ''container''~~, while~~ most ~~popularly~~commonly ~~referring~~refers to OS-level virtualization ~~systems~~, it is sometimes ~~ambiguously~~ used to refer to fuller [[virtual machine]] ~~environments~~s operating in varying degrees of concert with the host OS,{{Citation ~~e.g.~~needed\|date=September 2024}} such as [[Microsoft~~\|Microsoft~~]]'s]] ''[[Hyper-V]] containers''.{{Citation needed\|date=September A2024}} ~~more~~For ~~historic~~an overview of [[virtualization]] ~~in general~~ since 1960, ~~can be found in the~~see [[Timeline of virtualization ~~development~~technologies]]. == Operation == On ordinary operating systems for personal computers, a computer program can see (even though it might not be able to access) all the system's resources. They include: #* Hardware capabilities that can be employed, such as the [[Central processing unit\|CPU]] and the network connection #* Data that can be read or written, such as files, folders and [[shared resource\|network shares]] #* Connected [[peripheral]]s it can interact with, such as [[webcam]], [[Printer (computing)\|printer]], scanner, or fax The operating system may be able to allow or deny access to such resources based on which program requests them and the [[User (computing)\|user account]] in the context ofin which it runs. The operating system may also hide those resources, so that when the computer program enumerates them, they do not appear in the enumeration results. Nevertheless, from a programming point of view, the computer program has interacted with those resources and the operating system has managed an act of interaction. With operating-system-virtualization, or containerization, it is possible to run programs within containers, to which only parts of these resources are allocated. A program expecting to see the whole computer, once run inside a container, can only see the allocated resources and believes them to be all that is available. Several containers can be created on each operating system, to each of which a subset of the computer's resources is allocated. Each container may contain any number of computer programs. These programs may run concurrently or separately, and may even interact with one another. Line 30 ⟶ 20: == Uses == Operating-system-level virtualization is commonly used in [[virtual machine\|virtual hosting]] environments, where it is useful for securely allocating finite hardware resources among a large number of mutually-distrusting users. System administrators may also use it for consolidating server hardware by moving services on separate hosts into containers on the one server. Other typical scenarios include separating several programs to separate containers for improved security, hardware independence, and added resource management features.<ref>{{Cite web \|date=2022-10-20 \|title=Secure Bottlerocket deployments on Amazon EKS with KubeArmor {{!}} Containers \|url=https://aws.amazon.com/blogs/containers/secure-bottlerocket-deployments-on-amazon-eks-with-kubearmor/ \|access-date=2023-06-20 \|website=aws.amazon.com \|language=en-US}}</ref> The improved security provided by the use of a chroot mechanism, however, is not perfect.<ref>{{~~cite~~Cite book \| title=Mastering FreeBSD and OpenBSD ~~Security~~security \| series=O'Reilly Series \| first1=Yanek \| last1=Korff \| first2=Paco \| last2=Hope \| first3=Bruce \| last3=Potter \| publisher=O'Reilly Media, Inc. \| year=2005 \| isbn=0596006268 \| page=59 \| url=https://books.google.com/books?id=gqKwaHmXp4YC&pg=PA59 }}</ref> Operating-system-level virtualization implementations capable of [[live migration]] can also be used for dynamic [[Load balancing (computing)\|load balancing]] of containers between nodes in a cluster. === Overhead === Line 38 ⟶ 28: === Flexibility === Operating-system-level virtualization is not as flexible as other virtualization approaches since it cannot host a guest operating system different from the host one, or a different guest kernel. For example, with [[Linux]], different distributions are fine, but other operating systems such as Windows cannot be hosted. Operating systems using variable input systematics are subject to limitations within the virtualized architecture. Adaptation methods including cloud-server relay analytics maintain the OS-level virtual environment within these applications.<ref>{{~~cite~~Cite ~~journal~~book \|last1=Huang \|first1=D. \|title=Proceedings of the 10th Parallel Data Storage Workshop \|chapter=Experiences in using OSos-level virtualization for block I/O \|~~journal=Proceedings of the 10th Parallel Data Storage Workshop \|date~~year=2015\|pages=13–18 \|url=https://www.pdsw.org/pdsw15/papers/p13-huang.pdf \|doi=10.1145/2834976.2834982 \|isbn=9781450340083 \|s2cid=3867190 }}</ref> [[Oracle Solaris ~~(operating system)~~\|Solaris]] partially overcomes the limitation described above with its [[branded zones]] feature, which provides the ability to run an environment within a container that emulates an older [[Solaris 8]] or 9 version in a Solaris 10 host. Linux branded zones (referred to as "lx" branded zones) are also available on [[x86]]-based Solaris systems, providing a complete Linux [[user space and kernel space\|user space]] and support for the execution of Linux applications; additionally, Solaris provides utilities needed to install [[Red Hat Enterprise Linux]] 3.x or [[CentOS]] 3.x [[Linux distribution]]s inside "lx" zones.<ref>{{~~cite~~Cite web \|url=http://docs.oracle.com/cd/E19044-01/sol.containers/817-1592/zones.intro-1/index.html \|title=System administration guide: Oracle Solaris containers-resource management and Oracle Solaris zones, Chapter 16: Introduction to Solaris zones \|year=2010 \|access-date=2014-09-02 \|publisher=[[Oracle Corporation]] }}</ref><ref>{{Cite web \|url=http://docs.oracle.com/cd/E19044-01/sol.containers/817-1592/gchhy/index.html \|title=System administration guide: Oracle Solaris containers-resource management and Oracle Solaris zones, Chapter 31: About branded zones and the Linux branded zone \|year=2010 \|access-date=2014-09-02 \|publisher=[[Oracle Corporation]] }}</ref> However, in 2010 Linux branded zones were removed from Solaris; in 2014 they were reintroduced in [[Illumos]], which is the [[open source]] Solaris fork, supporting 32-bit [[Linux kernel]]s.<ref>{{Cite web \|url=http://www.slideshare.net/bcantrill/illumos-lx \|title=The dream is alive! Running Linux containers on an illumos kernel \|date=2014-09-28 \|access-date=2014-10-10 \|author=Bryan Cantrill \|website=slideshare.net }}</ref> ~~\| url = http://docs.oracle.com/cd/E19044-01/sol.containers/817-1592/zones.intro-1/index.html~~ ~~\| title = System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones, Chapter 16: Introduction to Solaris Zones~~ ~~\| year = 2010 \| access-date = 2014-09-02~~ ~~\| publisher = [[Oracle Corporation]]~~ ~~}}</ref><ref>{{cite web~~ ~~\| url = http://docs.oracle.com/cd/E19044-01/sol.containers/817-1592/gchhy/index.html~~ ~~\| title = System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones, Chapter 31: About Branded Zones and the Linux Branded Zone~~ ~~\| year = 2010 \| access-date = 2014-09-02~~ ~~\| publisher = [[Oracle Corporation]]~~ }}</ref> However, in 2010 Linux branded zones were removed from Solaris; in 2014 they were reintroduced in [[Illumos]], which is the open source Solaris fork, supporting 32-bit [[Linux kernel]]s.<ref>{{cite web ~~\| url = http://www.slideshare.net/bcantrill/illumos-lx~~ ~~\| title = The dream is alive! Running Linux containers on an illumos kernel~~ ~~\| date = 2014-09-28 \| access-date = 2014-10-10~~ ~~\| author = Bryan Cantrill \| website = slideshare.net~~ ~~}}</ref>~~ === Storage === Line 71 ⟶ 46: \|- !File system isolation ![[Copy-on-write\|Copy on ~~Write~~write]] ![[Disk quota]]s !I/O rate limiting Line 85 ⟶ 60: \| Varies by operating system \| 1982 \| {{Partial}}{{Efn\|name="root-escape"\|Root user can easily escape from chroot. Chroot was never supposed to be used as a security mechanism.<ref>{{~~cite~~Cite web \|url=http://www.freebsd.org/doc/en/books/developers-handbook/secure-chroot.html\|title=3.5. Limiting your program's environment \|work=freebsd.org}}</ref>}} \| {{No}} \| {{No}} Line 97 ⟶ 72: \|- \|[[Docker (software)\|Docker]] \|[[Linux]],<ref>{{~~cite~~Cite web \|url=http://www.infoq.com/news/2014/03/docker_0_9\|title=Docker drops LXC as default execution environment \|work=InfoQ~~}}</ref>~~ ~~[[FreeBSD]],<ref>{{Cite web\|url=https://www.freebsdnews.com/2015/07/09/docker-freebsd/\|title=Docker comes to FreeBSD\|date=July 9, 2015\|website=FreeBSDNews.com~~}}</ref> [[Microsoft Windows\|Windows]] x64<ref>{{~~cite~~Cite web \|date=9 February 2023 \|title=Install Docker ~~Desktop~~desktop on Windows {{!}} Docker ~~Documentation~~documentation \|url=https://docs.docker.com/desktop/install/windows-install/ \|work=Docker }}</ref> [[macOS]]<ref>{{Cite web \|url=https://docs.docker.com/docker-for-mac/ \|title=Get started with Docker ~~Desktop~~desktop for Mac \|date=December 6, 2019 \|website=Docker ~~Documentation~~documentation}}</ref> \|{{open source\|[[Apache License\|Apache License 2.0]]}} \| 2013 \| {{Yes}} \| {{Yes}} \| {{Partial}}{{Efn\|name="docker-disk-quotas"\|For btrfs, overlay2, windowsfilter, and zfs storage drivers. ~~\| {{No\|Not directly}}~~ <ref>{{Cite web \|url=https://docs.docker.com/reference/cli/docker/container/run/#storage-opt\|title=docker container run - Set storage driver options per container (--storage-opt)\|website=docs.docker.com\|date=22 February 2024 }}</ref>}} \| {{Yes}} {{~~nowrap~~Nowrap\|(since 1.10)}} \| {{Yes}} \| {{Yes}} \| {{Yes}} \| {{Yes}} \| {{No\|Only in ~~Experimental~~experimental ~~Mode~~mode with [[CRIU]] [https://criu.org/Docker]}} \| {{Yes}} {{~~nowrap~~Nowrap\|(since 1.10)}} \|- \| [[Linux-VServer]]<br />(security context) \| [[Linux]], [[Windows Server 2016]] \|{{~~open~~Open source\|[[GNU General Public License\|GNU GPLv2]]}} \| 2001 \| {{Yes}} Line 122 ⟶ 98: \| {{Yes}} \| {{Partial}}{{Efn\|name="vserver-net"\|Networking is based on isolation, not virtualization.}} \| {{?Dunno}} \| {{No}} \| {{Partial\|Partial{{Efn\|name="linux-vserver-paper"\|A total of 14 user capabilities are considered safe within a container. The rest may cannot be granted to processes within that container without allowing that process to potentially interfere with things outside that container.<ref>{{Cite web \|url=http://linux-vserver.org/Paper#Secure_Capabilities\|title=Paper - Linux-VServer\| website=linux-vserver.org }}</ref>}}}} \|- \| [[lmctfy]] \| [[Linux]] \| {{open source\|[[Apache License\|Apache License 2.0]]}} \| 2013{{~~ndash~~Ndash}}2015 \| {{Yes}} \| {{Yes}} Line 137 ⟶ 113: \| {{Yes}} \| {{Partial}}{{Efn\|name="vserver-net"}} \| {{?Dunno}} \| {{No}} \| {{Partial\|Partial{{Efn\|name="linux-vserver-paper"}}}} Line 145 ⟶ 121: \|{{open source\|[[GNU General Public License\|GNU GPLv2]]}} \| 2008 \| {{Yes}}<ref name="lxc-1-0-security-features">{{~~cite~~Cite web \|last=Graber \|first=Stéphane \|title=LXC 1.0: Security features [6/10] \|url=https://www.stgraber.org/2014/01/01/lxc-1-0-security-features/ \|access-date=12 February 2014 \|date=1 January 2014 \|quote= LXC now has support for user namespaces. [...] LXC is no longer running as root so even if an attacker manages to escape the container, he'd find himself having the privileges of a regular user on the host. }}</ref> \| {{Yes}} \| {{Partial}}{{Efn\|name="lxc-dq"\|Disk quotas per container are possible when using separate partitions for each container with the help of [[Logical Volume Manager (Linux)\|LVM]], or when the underlying host filesystem is btrfs, in which case btrfs subvolumes are automatically used.}} Line 154 ⟶ 130: \| {{Yes}} \| {{Yes}} \| {{Yes}}<ref name="lxc-1-0-security-features" /> \|- \| [[Singularity (software)\|Singularity]] \| [[Linux]] \|{{~~open~~Open source\|[[BSD Licence]]}} \| 2015<ref>{{Cite web \|url=https://www.top500.org/news/sylabs-brings-singularity-containers-into-commercial-hpc/ \|title=Sylabs ~~Brings~~brings Singularity ~~Containers~~containers into ~~Commercial~~commercial HPC \| ~~TOP500~~Top ~~Supercomputer~~500 supercomputer sites ~~Sites~~\|website=www.top500.org }}</ref> \| {{Yes}}<ref>{{Cite web \|url=https://www.sylabs.io/2018/03/sif-containing-your-containers/ \|title=~~Redirecting…~~SIF — Containing your containers \|website=www.sylabs.io \|date=14 March 2018 }}</ref> \| {{Yes}} \| {{Yes}} Line 169 ⟶ 145: \| {{No}} \| {{No}} \| {{Yes}}<ref>{{Cite journal \|title=Singularity: Scientific containers for mobility of compute \|first1=Gregory M. \|last1=Kurtzer \|first2=Vanessa \|last2=Sochat \|first3=Michael W. \|last3=Bauer \|date=May 11, 2017 \|journal=PLOS ONE \|volume=12 \|issue=5 \|pages=e0177459 \|doi=10.1371/journal.pone.0177459 \|pmid=28494014 \|pmc=5426675 \|bibcode=2017PLoSO..1277459K \|doi-access=free}}</ref> \|- \|[[OpenVZ]] Line 176 ⟶ 152: \| 2005 \| {{Yes}} \| {{Yes}}<ref>{{~~cite~~Cite web \|last1=Bronnikov \|first1=Sergey \|title=Comparison on OpenVZ wiki page \|url=https://wiki.openvz.org/Comparison \|website=OpenVZ Wiki \|publisher=OpenVZ \|access-date=28 December 2018}}</ref> \| {{Yes}} \| {{Yes}}{{Efn\|name="ioprio"\|Available since Linux kernel 2.6.18-028stable021. Implementation is based on CFQ disk I/O scheduler, but it is a two-level schema, so I/O priority is not per-process, but rather per-container.<ref>{{~~cite~~Cite web \|url=http://wiki.openvz.org/I/O_priorities_for_VE \|title=I/O priorities for containers \|work=OpenVZ Virtuozzo Containers Wiki }}</ref>}} \| {{Yes}} \| {{Yes}} \| {{Yes}}{{Efn\|name="vn"\|Each container can have its own IP addresses, firewall rules, routing tables and so on. Three different networking schemes are possible: route-based, bridge-based, and assigning a real network device ([[Network interface controller\|NIC]]) to a container.}} \| {{Partial}}{{Efn\|name="docker-inside-openvz"\|Docker containers can run inside OpenVZ containers.<ref>{{~~cite~~Cite web \|url=https://openvz.org/Docker_inside_CT \|title=Docker inside CT }}</ref>}} \| {{Yes}} \| {{Yes\|Yes{{Efn\|name="openvz-wiki-container"\|Each container may have root access without possibly affecting other containers.<ref>{{~~cite~~Cite web \|url=http://wiki.openvz.org/Container\|title=Container \|work=OpenVZ Virtuozzo Containers Wiki }}</ref>}}}} \|- \|[[Virtuozzo]] \|[[Linux]], [[Microsoft Windows\|\|Windows]] \|{{Proprietary\|[[Trialware]]}} \| 2000<ref name="aspcomplete">{{Cite web \|url=http://www.paul.sladen.org/vserver/aspcomplete/2000-08-25/ve-0.4.2-for-2.4.0-test6.diff.gz \|title=Initial public prerelease of Virtuozzo (named ASPcomplete at that time)}}</ref> \| {{Yes}} \| {{Yes}} Line 197 ⟶ 173: \| {{Yes}} \| {{Yes}}{{Efn\|name="vn"}} \| {{Partial}}{{Efn\|name="vz-docker-inside-ct"\|Docker containers can run inside Virtuozzo containers.<ref>{{~~cite~~Cite web \|url=http://www.odin.com/news/pr/release/article/parallels-virtuozzo-now-provides-native-support-for-docker/ \|title=Parallels Virtuozzo ~~Now~~now ~~Provides~~provides ~~Native~~native ~~Support~~support for Docker}}</ref>}} \| {{Yes}} \| {{Yes}} Line 203 ⟶ 179: \|[[Solaris Containers]] (Zones) \|\|[[illumos]] ([[OpenSolaris]]),<br />[[Solaris (operating system)\|Solaris]] \|{{~~free~~Free\|[[CDDL]]}},<br />[[Proprietary software\|Proprietary]] \| 2004 \| {{Yes}} \| {{Yes}} (ZFS) \| {{Yes}} \| {{Partial}}{{Efn\|name="solaris-iolimit"\|Yes with illumos<ref>{{~~cite~~Cite web \|last=Pijewski \|first=Bill \|title=Our ZFS I/O Throttle \|url=~~http~~https://wdp.dtrace.org~~/blogs/wdp~~/2011/03/our-zfs-io-throttle/ \|date=March 1, 2011 \| website=wdp.dtrace.org}}</ref>}} \| {{Yes}} \| {{Yes}} \| {{Yes}}{{Efn\|name="crossbow"\|See [[~~OpenSolaris~~Solaris ~~Network~~network ~~Virtualization~~virtualization and ~~Resource~~resource ~~Control~~control]] for more details.}}<ref>[http://www.opensolaris.org/os/project/crossbow/faq/ Network ~~Virtualization~~virtualization and ~~Resource~~resource ~~Control~~control (Crossbow) FAQ] {{~~webarchive~~Webarchive\|url=https://web.archive.org/web/20080601182802/http://www.opensolaris.org/os/project/crossbow/faq/ \|date=2008-06-01 }}</ref><ref>{{Cite web \|url=https://docs.oracle.com/cd/~~E36784_01~~E37838_01/html/~~E36813~~E60989/index.html \|title=Managing ~~Network~~network ~~Virtualization~~virtualization and ~~Network~~network ~~Resources~~resources in Oracle® Solaris 11.24 \|website=docs.oracle.com }}</ref> \| {{Partial}}{{Efn\|name="solaris-nested"\|Only when top level is a KVM zone (illumos) or a kz zone (Oracle).}} \| {{Partial}}{{Efn\|name="kernelzone"\|Starting in Solaris 11.3 Beta, Solaris Kernel Zones may use live migration.}}{{Efn\|name="coldmig"\|Cold migration (shutdown-move-restart) is implemented.}} \| {{Yes\|Yes}}{{Efn\|name="solaris-E29024"\|Non-global zones are restricted so they may not affect other zones via a capability-limiting approach. The global zone may administer the non-global zones.<ref>Oracle Solaris 11.1 ~~Administration~~administration, Oracle Solaris ~~Zones~~zones, Oracle Solaris 10 ~~Zones~~zones and ~~Resource~~resource ~~Management~~management E29024.pdf, pp. 356–360. Available [http://www.oracle.com/technetwork/documentation/solaris-11-192991.html within an archive].</ref>}} \|- \|[[FreeBSD jail]] \|[[FreeBSD]], [[DragonFly BSD]] \|{{~~open~~Open source\|[[BSD License]]}} \| 2000<ref>{{~~cite~~Cite web \|url=http://www.cybera.ca/news-and-events/tech-radar/contain-your-enthusiasm-part-two-jails-zones-openvz-and-lxc/\|title=Contain your enthusiasm - Part ~~Two~~two: Jails, ~~Zones~~zones, OpenVZ, and LXC \|quote=Jails were first introduced in FreeBSD 4.0 in 2000 }}</ref> \| {{Yes}} \| {{Yes}} (ZFS) \| {{Yes}}{{Efn\|Check the "allow.quotas" option and the "Jails and ~~File~~file ~~Systems~~systems" section on the [http://www.freebsd.org/cgi/man.cgi?query%3Djail&sektion%3D8 FreeBSD jail man page] for details.}} \| {{Yes}} \| {{Yes}}<ref name="rctl">{{~~cite~~Cite web \|url=http://wiki.freebsd.org/Hierarchical_Resource_Limits \|title=~~Hierarchical_Resource_Limits~~Hierarchical resource limits - FreeBSD Wiki \|publisher=Wiki.freebsd.org \|date=2012-10-27 \|access-date=2014-01-15 }}</ref> \| {{Yes}} \| {{Yes}}<ref>{{~~cite~~Cite web\|url=http://static.usenix.org/publications/library/proceedings/usenix03/tech/freenix03/full_papers/zec/zec.pdf \|title=Implementing a ~~Clonable~~clonable ~~Network~~network ~~Stack~~stack in the FreeBSD ~~Kernel~~kernel \|publisher=usenix.org \|date=2003-06-13 \|first=Marko \|last=Zec }}</ref> \| {{Yes}} \| {{Partial}}<ref name="freebsdvps">{{~~cite~~Cite web \|url=http://www.7he.at/freebsd/vps/\|title=VPS for FreeBSD \|access-date=2016-02-20 }}</ref><ref name="freebsdvpsannounce">{{~~cite~~Cite web \|url=https://forums.freebsd.org/threads/34284/ \|title=[Announcement] VPS // OS ~~Virtualization~~virtualization // alpha release \|date=31 August 2012 \|access-date=2016-02-20 }}</ref> \| {{Yes}}<ref>{{~~cite~~Cite web \|url=http://www.freebsd.org/doc/en/books/developers-handbook/secure-chroot.html \|title=3.5. Limiting your program's environment \|publisher=Freebsd.org \|access-date=2014-01-15 }}</ref> \|- \|[[vkernel]] \|[[DragonFly BSD]] \|{{~~open~~Open source\|[[BSD Licence]]}} \| 2006<ref name=vkernel.h>{{~~cite~~Cite web \|author= Matthew Dillon \|author-link= Matthew Dillon \|~~date~~year= 2006 \|url= http://bxr.su/d/sys/sys/vkernel.h \|title= sys/vkernel.h \|website= BSD ~~Cross~~cross ~~Reference~~reference \|publisher= [[DragonFly BSD]] }}</ref> \| {{Yes}}<ref name=vkd.4/> \| {{Yes}}<ref name=vkd.4>{{~~cite~~Cite web \|url= http://mdoc.su/d/vkd.4 \|title= vkd(4) — Virtual ~~Kernel~~kernel ~~Disc~~disc \|publisher= [[DragonFly BSD]] \|quote= "treats the disk image as copy-on-write." }}</ref> \| {{N/A}} \| {{Dunno}} ~~\| ?~~ \| {{Yes}}<ref name=vkernel.7>{{~~cite~~Cite web \|author= Sascha Wildner \|date= 2007-01-08 \|url= http://bxr.su/d/share/man/man7/vkernel.7 \|title= vkernel, vcd, vkd, vke — virtual kernel architecture \|work= DragonFly ~~Miscellaneous~~miscellaneous ~~Information~~information ~~Manual~~manual \|publisher= [[DragonFly BSD]]}} {{~~cite~~Cite book \|section=vkernel, vcd, vkd, vke - virtual kernel architecture \|title=DragonFly ~~Miscellaneous~~miscellaneous ~~Information~~information ~~Manual~~manual \|url=http://mdoc.su/d/vkernel.7 }}</ref> \| {{Yes}}{{r\|vkernel.7}} \| {{Yes}}<ref name=vke.4>{{~~cite~~Cite web \|url= http://mdoc.su/d/vke.4 \|title=vkernel, vcd, vkd, vke~~(4)~~ —- ~~Virtual~~virtual ~~Kernel~~kernel ~~Ethernet~~architecture \|~~publisher~~work=DragonFly On-Line Manual Pages \|publisher=[[DragonFly BSD]] }}</ref> \| {{Dunno}} ~~\| ?~~ \| {{Dunno}} ~~\| ?~~ \| {{Yes}} \|- \|[[sysjail]] \|[[OpenBSD]], [[NetBSD]] \|{{~~open~~Open source\|[[BSD License]]}} \| 2006–2009 \| {{Yes}} Line 272 ⟶ 248: \| {{Yes}} \| {{Yes}} \| {{Yes}}{{Efn\|Available since TL 02.<ref>{{~~cite~~Cite web \|url=http://www-01.ibm.com/support/docview.wss?uid=isg1fixinfo109461\|title=IBM ~~Fix~~fix pack information for: WPAR ~~Network~~network ~~Isolation~~isolation - United States \|~~work~~website=ibm.com \|date=21 July 2011 }}</ref>}} \| {{No}} \| {{Yes}}<ref>{{Cite web \|url=http://www.ibm.com/developerworks/aix/library/au-aix61mobility/index.html \|title=Live ~~Application~~application ~~Mobility~~mobility in AIX 6.1 \|date=June 3, 2008 \|website=www.ibm.com}}</ref> \| {{~~dunno~~Dunno}} \|- \|[[iCore Virtual Accounts]] \|[[Windows XP]] \|{{Proprietary\|[[Freeware]]}} Line 288 ⟶ 264: \| {{No}} \| {{No}} \| {{?Dunno}} \| {{No}} \| {{~~dunno~~Dunno}} \|- \| [[Sandboxie]] \| [[Microsoft Windows\|\|Windows]] \| {{open source\|[[GNU General Public License\|GNU GPLv3]]}} \| 2004 Line 309 ⟶ 285: \| [[systemd-nspawn]] \| [[Linux]] \| {{~~open~~Open source\|[[GNU General Public License\|GNU LGPLv2.1+]]}} \| 2010 \| {{Yes}} \| {{Yes}} \| {{Yes}}<ref name="systemd-nspawn manual">{{Cite web \|url=https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#--property= \|title=systemd-nspawn \|website=www.freedesktop.org }}</ref><ref name="Systemd service unit files parameters">{{Cite web \|url=https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/resource_management_guide/sec-modifying_control_groups \|title=2.3. Modifying ~~Control~~control ~~Groups~~groups Red Hat Enterprise Linux 7 \|website=Red Hat Customer ~~Portal~~portal}}</ref> \| {{Yes}}<ref name="systemd-nspawn manual"/><ref name="Systemd service unit files parameters"/> \| {{Yes}}<ref name="systemd-nspawn manual"/><ref name="Systemd service unit files parameters"/> \| {{Yes}}<ref name="systemd-nspawn manual"/><ref name="Systemd service unit files parameters"/> \| {{Yes}} \| {{?Dunno}} \| {{?Dunno}} \| {{Yes}} \|- \| [[Turbo (software)\|Turbo]] \| [[Microsoft Windows\|\|Windows]] \|{{Proprietary\|[[Freemium]]}} \| 2012 Line 337 ⟶ 313: \| {{Yes}} \|- \| [[Rocket (software)\|rkt]] (''rocket'') \| [[Linux]] \| {{~~open~~Open source\|[[Apache License\|Apache License 2.0]]}} \| 2014<ref>{{~~cite~~Cite web \|last1=Polvi \|first1=Alex \|title=CoreOS is building a container runtime, rkt \|url=https://coreos.com/blog/rocket.html \|archive-url=https://web.archive.org/web/20190401013449/https://coreos.com/blog/rocket.html \|archive-date=2019-04-01 \|website=CoreOS Blog \|access-date=12 March 2019}}</ref>–2018 \| {{Yes}} \| {{Yes}} Line 348 ⟶ 324: \| {{Yes}} \| {{Yes}} \| {{?Dunno}} \| {{?Dunno}} \| {{Yes}} \|} Linux containers not listed above include: [[LXC#LXD\|LXD]], an alternative wrapper around [[LXC]] developed by [[Canonical (company)\|Canonical]]<ref>{{~~cite~~Cite web \|access-date=2021-02-11 \|title=LXD \|url=https://linuxcontainers.org/lxd/ \|website=linuxcontainers.org }}</ref> [[Podman]],<ref>[https://indico.cern.ch/event/757415/contributions/3421994/attachments/1855302/3047064/Podman_Rootless_Containers.pdf Rootless containers with Podman and fuse-overlayfs], CERN ~~Workshop~~workshop, 2019-06-04</ref> aan advanced Kubernetes ready root-less secure drop-in replacement for Docker with support for multiple container image formats, including OCI and Docker images [[Charliecloud]], a set of container tools used on HPC systems<ref>{{~~cite~~Cite web \|url=https://~~hpc.github~~charliecloud.io/~~charliecloud~~latest/ \|access-date=422 ~~October~~June 2025 ~~2020~~\|title=Overview — Charliecloud ~~0.25 documentation~~}}</ref> * [[Kata Containers]] MicroVM Platform<ref>{{~~cite~~Cite web \|url=https://katacontainers.io/ \|title=Home \|website=katacontainers.io}}</ref> * Bottlerocket is a Linux-based open-source operating system that is purpose-built by [[Amazon Web Services]] for running containers on virtual machines or bare metal hosts<ref>{{~~cite~~Cite web \|url=https://aws.amazon.com/bottlerocket/ \|title=Bottlerocket ~~is a~~- Linux-based operating system purpose-built to run containers }}</ref> * [[~~CBL-Mariner~~Azure Linux]] is an open-source Linux distribution that is purpose-built by [[Microsoft Azure]] and similar to [[Fedora Linux#CoreOS\|Fedora CoreOS]] == See also == * [[Container Linux]]▼ * [[Orchestration (computing)\|Container orchestration]] * [[Flatpak]] package manager * [[cgroups\|Linux cgroups]]▼ * [[Linux namespaces]] ▲* [[cgroups\|Linux cgroups]] * [[Sandbox (software development)]]▼ ▲* [[Container Linux]] * [[Hypervisor]] * [[Portable application creators]] * [[Open Container Initiative]] ▲* [[Sandbox (software development)]] * [[Separation kernel]] * [[Serverless computing]] Line 384 ⟶ 361: == External links == * [https://www.kernelthread.com/publications/virtualization/ An introduction to ~~Virtualization~~virtualization] {{Webarchive\|url=https://web.archive.org/web/20191128152118/http://www.kernelthread.com/publications/virtualization \|date=2019-11-28 }} * [https://wiki.openvz.org/Introduction_to_virtualization A short intro to three different virtualization techniques] * [https://thijs.ai/papers/scheepers-virtualization-containerization.pdf Virtualization and ~~Containerization~~containerization of ~~Application~~application ~~Infrastructure~~infrastructure: A ~~Comparison~~comparison] {{Webarchive\|url=https://web.archive.org/web/20230315103310/https://thijs.ai/papers/scheepers-virtualization-containerization.pdf \|date=2023-03-15 }}, June 22, 2015, by Mathijs Jeroen Scheepers * [https://lwn.net/Articles/646054/ Containers and persistent data], [[LWN.net]], May 28, 2015, by Josh Berkus Line 392 ⟶ 369: {{DEFAULTSORT:Operating-system-level virtualization}} ~~[[Category:Virtualization]]~~ ~~[[Category:Operating system technology]]~~ [[Category:Operating system security]] [[Category:~~Linux containerization~~Virtualization]] [[Category:Linux]] [[Category:Linux containerization]] [[Category:Linux kernel features]]