by davidstrauss 4743 days ago
Hi, I'm the author of the article.

FreeBSD Jails lack the same fine-grained isolation choices versus the base system that the Linux kernel exposes through namespaces and cgroups.

That's not to say that Jails don't capture most of the value I argue containers have, but they're a different generation of design.

Also, I wrote the article for the Linux Journal, which obviously affects the solutions explored.


What can cgroups and namespaces do that rctl and capsicum can't? I assume with namespaces you can have multiple processes running with the same PID?

RCTL can enforce specific limits, which is good if you want to divide resources such that there can't be (or is unlikely to be) contention.

cgroups offers hard limits for some things, like memory, but it mostly opts for a model using "shares" that determine the fractional access to resources versus other cgroups holding shares against the same resource.

For example, assume there's CPU contention. cgroup A has 10 CPU shares and cgroup B has 90. Processes in cgroup A will get 90% of the CPU time, but it will not starve cgroup A because cgroup A will still get 10%.

This shares-based model also has a major effect when there isn't contention. Shares-based resources are burstable. Even cgroup A (with 10 CPU shares) can use 100% of CPU if nothing else needs it.

This "burstable" nature can be good or bad. It's good in the sense that most users will probably get more CPU than their shares guarantee most of the time. It's bad because users can start expecting more than their shares guarantee and get a nasty surprise when resources get under contention.

It's time to drop some analogies.

cgroups are very much like a highway with an HOV lane (or more): anyone can go very fast when there's no contention. But, during rush hour, lanes get distributed as "shares" of the road to the HOV and non-HOV groups. Neither the HOV nor the non-HOV drivers get starved for road access (though responsiveness may not be equivalent, by design).

Traditional "nice" is like emergency vehicle traffic. An ambulance every now and then works fine as "-20 nice" traffic. But, if you filled the road with ambulances, it would starve normal traffic of roadway access.

RCTL is sort of like a person riding reserved right-of-way public transit. From the time the person hops on the train at point A to when they get off at point B, it will be the same duration any time of day. They don't get to go faster during low-traffic times, but they also don't have to worry about a significantly worse experience during rush hour.

Capsicum seems focused on intra-application isolation; I'm not sure how to compare it to other OS-level containers.
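
The shares model discussed in the reply above, as an added example that is not part of the original thread: a simplified Python model (not kernel scheduler code) of work-conserving proportional sharing, next to a fixed per-group cap standing in for an RCTL-style limit. The function names and the 0-100 percent scale are assumptions made for illustration.

```python
# Added illustration: shares-based (burstable) CPU allocation vs. fixed caps.
# Simplified model of the behaviour described in the thread, not kernel code.

def share_allocation(shares, demand, capacity=100.0):
    """Split `capacity` (percent of CPU) among groups by their shares.

    shares: {group: weight}; demand: {group: percent of CPU the group wants}.
    A group never gets more than it demands; CPU it leaves unused is handed
    to the groups that still want more, in proportion to their shares.
    """
    alloc = {g: 0.0 for g in shares}
    active = {g for g in shares if demand.get(g, 0.0) > 0}
    remaining = capacity
    while active and remaining > 1e-9:
        total = sum(shares[g] for g in active)
        # Groups whose demand fits inside their proportional slice.
        satisfied = {g for g in active
                     if demand[g] <= remaining * shares[g] / total + 1e-9}
        if not satisfied:
            # Every group wants more than its slice: contention, split by shares.
            for g in active:
                alloc[g] = remaining * shares[g] / total
            break
        for g in satisfied:
            alloc[g] = demand[g]
            remaining -= demand[g]
        active -= satisfied
    return {g: round(v, 2) for g, v in alloc.items()}


def hard_cap_allocation(limits, demand):
    """Fixed per-group ceilings: no bursting, idle capacity stays idle."""
    return {g: round(min(demand.get(g, 0.0), limits[g]), 2) for g in limits}


if __name__ == "__main__":
    shares = {"A": 10, "B": 90}  # share values from the thread's example
    # Constructed demand scenarios (percent of CPU each group tries to use).
    scenarios = {
        "both saturated": {"A": 100, "B": 100},
        "B idle": {"A": 100, "B": 0},
        "B half busy": {"A": 100, "B": 50},
    }
    for name, demand in scenarios.items():
        print(name, "| shares:", share_allocation(shares, demand),
              "| hard caps:", hard_cap_allocation(shares, demand))
```
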