Content deleted Content added
→Implementations: ad pronounciation of rkt Tags: Mobile edit Mobile web edit |
GKNishimoto (talk | contribs) No edit summary |
||
Line 2:
{{More citations needed|date=November 2020}}
'''OS-level virtualization''' is an [[operating system]] (OS) [[virtualization]] paradigm in which the [[Kernel (operating system)|kernel]] allows the existence of multiple isolated [[user space and kernel space|user space]] instances, called '''''containers''''' ([[LXC]], [[Solaris Containers|Solaris containers]], [[Docker (software)|Docker]], [[Podman]]), '''''zones''''' ([[Solaris Containers|Solaris containers]]), '''''virtual private servers''''' ([[OpenVZ]]), '''''partitions''''', '''''virtual environments''''' (VEs), '''''virtual kernels''''' ([[vkernel|DragonFly BSD]]), or '''''jails''''' ([[FreeBSD jail]] or [[chroot jail]]).<ref>{{Cite web |url=http://www.networkworld.com/article/2226996/cisco-subnet/software-containers--used-more-frequently-than-most-realize.html |title=Software containers: Used more frequently than most realize |last1=Hogg |first1=Scott |date=2014-05-26 |website=networkworld.com |publisher=Network world, Inc. |access-date=2015-07-09 |quote=There are many other OS-level virtualization systems such as: Linux OpenVZ, Linux-VServer, FreeBSD Jails, AIX Workload Partitions (WPARs), HP-UX Containers (SRP), Solaris Containers, among others. }}</ref> Such instances may look like real computers from the point of view of programs running in them. A [[computer program]] running on an ordinary operating system can see all resources (connected devices, files and folders, [[Shared resource|network shares]], CPU power, quantifiable hardware capabilities) of that computer. However, programs running inside of a [[Containerization (computing)|container]] can only see the container's contents and devices assigned to the container.
On [[Unix-like]] operating systems, this feature can be seen as an advanced implementation of the standard [[chroot]] mechanism, which changes the apparent root folder for the current running process and its children. In addition to isolation mechanisms, the kernel often provides [[Resource management (computing)|resource-management]] features to limit the impact of one container's activities on other containers. Linux containers are all based on the virtualization, isolation, and resource management mechanisms provided by the [[Linux kernel]], notably [[Linux namespaces]] and [[cgroups]].<ref>{{cite web|url=http://www.netdevconf.org/1.1/proceedings/slides/rosen-namespaces-cgroups-lxc.pdf|title=Namespaces and Cgroups, the basis of Linux Containers|first=Rosen|last=Rami|access-date=18 August 2016}}</ref>
Line 22:
Operating-system-level virtualization is commonly used in [[virtual machine|virtual hosting]] environments, where it is useful for securely allocating finite hardware resources among a large number of mutually-distrusting users. System administrators may also use it for consolidating server hardware by moving services on separate hosts into containers on the one server.
Other typical scenarios include separating several programs to separate containers for improved security, hardware independence, and added resource management features.<ref>{{Cite web |date=2022-10-20 |title=Secure Bottlerocket deployments on Amazon EKS with KubeArmor {{!}} Containers |url=https://aws.amazon.com/blogs/containers/secure-bottlerocket-deployments-on-amazon-eks-with-kubearmor/ |access-date=2023-06-20 |website=aws.amazon.com |language=en-US}}</ref> The improved security provided by the use of a chroot mechanism, however, is not perfect.<ref>{{Cite book |title=Mastering FreeBSD and OpenBSD security |series=O'Reilly Series |first1=Yanek |last1=Korff |first2=Paco |last2=Hope |first3=Bruce |last3=Potter |publisher=O'Reilly Media, Inc. |year=2005 |isbn=0596006268 |page=59 |url=https://books.google.com/books?id=gqKwaHmXp4YC&pg=PA59 }}</ref> Operating-system-level virtualization implementations capable of [[live migration]] can also be used for dynamic [[Load balancing (computing)|load balancing]] of containers between nodes in a cluster.
=== Overhead ===
|