<h1>Containers: A brief take</h1>

<p>Published 2024-05-17 at <a href="https://blog.samarthya.me/wps/2024/05/17/containers-a-brief-take/">https://blog.samarthya.me/wps/2024/05/17/containers-a-brief-take/</a>. Category: technical. Tags: container, docker, history.</p>

<p>The story of Linux containers is a tale of innovation and collaboration, with roots surprisingly deep in the history of the Linux operating system itself.</p>

<p>Let's explore this fascinating journey, starting with a simple tool called <code>chroot</code>.</p>

<h2>Chroot: A Stepping Stone</h2>

<p>Developed in the 1970s, <code>chroot</code> (ch-root) allows you to confine a process to a specific directory tree. This creates a limited environment, useful for security or for running specific programs. While it offers some isolation, <code>chroot</code> has drawbacks.</p>

<p>It neither manages resources nor provides true process isolation, which makes it a rudimentary solution.</p>

<h2>Namespaces: A Vision of Isolation</h2>

<p>The concept of <code>namespaces</code> emerged in the late 1990s. Namespaces prevent processes from seeing system resources that are used by processes in other namespaces.</p>

<p>Imagine separate "universes" within the same kernel – processes in one namespace are not aware of processes in another. This isolation paved the way for more <strong>advanced containerization</strong>.</p>

<h2><code>cgroups</code>: Resource Management Takes Center Stage</h2>

<p>Around 2006, Google introduced <code>cgroups</code> (control groups). <strong>Cgroups</strong> allow resource allocation and control at the process level. You can define CPU, memory, and other resource limits for groups of processes, ensuring fairness and preventing runaway applications.</p>

<h2>LXC: The First Container Champion</h2>

<p>In 2008, Linux Containers (LXC) arrived, combining the power of namespaces and cgroups. <code>LXC</code> provided a complete container management solution, allowing users to create isolated Linux environments on a single kernel. LXC was a significant step forward, but it still relied on a full Linux environment within each container, making containers relatively heavyweight.</p>

<h2>Docker: Democratizing Containers</h2>

<p>Docker, launched in 2013, revolutionized the container landscape. Docker containers are lightweight and share the underlying Linux kernel, making them faster and more efficient. Docker also introduced a user-friendly interface and a registry for sharing container images, making containerization accessible to a wider audience. Docker's open-source approach and focus on developer experience fueled a meteoric rise in container adoption.</p>

<h2>Podman: A Container Runtime for the Future</h2>

<p>While Docker dominates the container world, other players are emerging. Podman is a container runtime focused on security and compliance. It utilizes the same container engine (libcontainer) as Docker but offers a simpler and more lightweight solution. <code>Podman</code> is gaining traction, particularly in security-conscious environments.</p>

<p>The evolution from Docker to OCI (Open Container Initiative) and Podman is a story of standardization, flexibility, and fostering a healthy container ecosystem.</p>

<p>Let's delve into the timeline:</p>

<h2>Docker: The Rise of a Container Kingpin</h2>

<p>Docker, launched in 2013, exploded in popularity with its user-friendly approach to containerization. It offered a complete solution – building, running, and managing containers – all wrapped in a convenient interface. Docker also popularized container registries, making it easier to share containerized applications.</p>

<p>However, Docker's dominance came with a caveat: vendor lock-in. With a tightly integrated ecosystem, users became reliant on Docker for every aspect of containerization. This lack of flexibility raised concerns about long-term sustainability and innovation.</p>

<p>While Docker offered a user-friendly experience, it relied on a central daemon process that always ran in the background. This daemon required elevated privileges, which increased the system's attack surface. Additionally, managing the daemon could be cumbersome for some users.</p>

<h2>Enter OCI: Standardization for the Masses</h2>

<p>In 2015, industry leaders recognized the need for open standards in container technology. This led to the formation of the <code>Open Container Initiative (OCI)</code>. <code>OCI</code> aimed to define open specifications for container <code>formats</code>, <code>runtimes</code>, and <code>images</code>.</p>

<p>The arrival of OCI marked a turning point. By establishing standards, OCI ensured that container images could run on any OCI-compliant runtime, not just Docker. This fostered competition and innovation in the container runtime space.</p>

<h2>Podman Emerges: A Lightweight Challenger</h2>

<p><code>Podman</code>, launched in 2017, is a prime example of OCI's impact. Built on top of the same container engine (libcontainer) as Docker, Podman offers a more lightweight and security-focused alternative. It leverages OCI standards, allowing it to run Docker images seamlessly.</p>

<p>Here's why Podman gained traction:</p>

<ul>
<li><strong>Security:</strong> <code>Podman</code> focuses on security by running as an unprivileged user, reducing the attack surface.</li>
<li><strong>Simplicity:</strong> <code>Podman</code> offers a command-line interface similar to Docker's but with a smaller footprint.</li>
<li><strong>Flexibility:</strong> OCI compliance allows <code>Podman</code> to integrate with various container orchestration tools.</li>
<li><strong>No Daemon Needed:</strong> Podman operates without a background daemon. This simplifies container management and reduces the attack surface, as Podman itself runs with minimal privileges.</li>
</ul>