by gcb0 4731 days ago
So, if I understood that correctly, it's just a VirtualBox image of Ubuntu or Debian that you run headlessly in a Linux container (via Docker), and then you run an X server on your actual machine OS and connect to it via SSH with X forwarding?

How is this any better than simply running VirtualBox on your OS to begin with?


Exactly. It's better because you can build that image anywhere Docker is installed, and it can be easily moved/upgraded and is ready to run. But if you think only locally, then there is not much difference, other than Docker being lighter and faster.
Further, the VirtualBox instructions are only for Windows users, to get Linux installed (which is a requirement of Docker). You don't need VirtualBox at all. But if you don't have Linux, you can try this with VBox (it's a virtualization tech that nests safely inside of VBox... unlike, say, VirtualBox inside of VirtualBox).
If I already have Linux installed I can carry fat binaries and a kernel for chroot'ing an environment, all in a tar file... I think this is just a new way for kids to do the common things of yesterday. Or maybe Linux containers kick chroot in performance?
To me it's not about performance... it's about rigorous isolation. LXC is like FreeBSD jails, though there are things you can do with the cgroup/namespace stuff now that are impossible using jails, e.g. disk I/O accounting.

In a jail, one user who attempts to monopolize disk I/O will succeed. In a cgroup, he can be restricted to exactly 10% of available I/O bandwidth, so you can guarantee that he doesn't starve the other containers.

There are also easy and documented ways to break out of a chroot if you are able to obtain root in the chroot. Those holes are plugged by LXC and Docker. Most notably, access to devices can be restricted.

I don't know what you mean by "carry fat binaries and a kernel for chrooting an environment" -- you don't need a separate kernel for chroot, any more than you need a separate kernel for Docker. There's no advantage to statically linked binaries (fat binaries?) when you can put the storage of your containers in a zpool or btrfs with deduplication. Same as your chroots.

Try out Docker. Read about cgroups. I first gave LXC a try a few years ago and I was really sad about the extent of support for creating guests and keeping them properly isolated. It was really not friendly at all. You basically had to commit to using kernel patches that made your system pretty unusable as a desktop. (Was that Xen dom0 or LXC?)

Everyone was saying, "Ohh, LXC is no better than a chroot. It's insecure, easy to break yourself out." Not so much anymore; with the current state of Docker you don't even have to know all the advances in cgroups and namespaces.

It's worth a look. Really, go check it out.

And for Mac users.
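The comment above makes two concrete claims about what cgroups add over a plain chroot: a container's disk I/O can be capped, and its access to device nodes can be restricted. The following is an added example, not code from the thread or from Docker, that shows how a defender can audit both from the cgroup v1 files a container's cgroup exposes: `devices.list` (the device allowlist, one `TYPE MAJOR:MINOR ACCESS` rule per line) and `blkio.throttle.write_bps_device` (a hard per-device write cap). The matching rules implemented here follow the documented cgroup v1 devices-controller semantics (type `a`/`b`/`c`, `*` wildcards, requested access must be a subset of the rule's `rwm`); the sample file contents are constructed for the example, and the Docker-style allowlist is modelled on a typical default rather than captured from a host. Note that the "10% of bandwidth" in the comment is a proportional share (`blkio.weight`); the throttle file checked here is the absolute-cap variant.

```python
"""Audit a cgroup v1 device allowlist and block-I/O throttle (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DeviceRule:
    dev_type: str            # 'a' (all), 'b' (block) or 'c' (char)
    major: Optional[int]     # None stands for the '*' wildcard
    minor: Optional[int]
    access: frozenset        # subset of {'r', 'w', 'm'}


def _num(field: str) -> Optional[int]:
    return None if field == "*" else int(field)


def parse_devices_list(text: str) -> List[DeviceRule]:
    """Parse lines such as 'c 1:3 rwm' from a cgroup's devices.list."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        dev_type, numbers, access = line.split()
        major, minor = numbers.split(":")
        rules.append(DeviceRule(dev_type, _num(major), _num(minor), frozenset(access)))
    return rules


def device_access_allowed(rules: List[DeviceRule], dev_type: str,
                          major: int, minor: int, access: str) -> bool:
    """True if some allowlist entry covers the requested access.

    An entry matches when its type is 'a' or equals the requested type,
    each of major/minor is a wildcard or equal, and every requested
    access letter (r, w, m) appears in the entry's access set.
    """
    wanted = set(access)
    for r in rules:
        if r.dev_type not in ("a", dev_type):
            continue
        if r.major is not None and r.major != major:
            continue
        if r.minor is not None and r.minor != minor:
            continue
        if wanted <= r.access:
            return True
    return False


def wildcard_rwm_types(rules: List[DeviceRule]) -> List[str]:
    """Device types for which the list grants full rwm on every major:minor."""
    return [r.dev_type for r in rules
            if r.major is None and r.minor is None and {"r", "w", "m"} <= r.access]


def parse_throttle(text: str) -> Dict[Tuple[int, int], int]:
    """Parse 'MAJOR:MINOR BYTES_PER_SEC' lines from blkio.throttle.*_bps_device."""
    limits = {}
    for line in text.splitlines():
        if line.strip():
            dev, bps = line.split()
            major, minor = (int(x) for x in dev.split(":"))
            limits[(major, minor)] = int(bps)
    return limits


# Constructed sample: modelled on a typical Docker default allowlist for a
# container (console, null/zero/random, ptys, plus mknod-only wildcards).
DOCKER_STYLE_DEVICES = """\
c 1:5 rwm
c 1:3 rwm
c 1:9 rwm
c 1:8 rwm
c 5:0 rwm
c 5:1 rwm
c *:* m
b *:* m
c 136:* rwm
c 10:200 rwm
"""

# Constructed sample: what devices.list shows when nothing is restricted.
UNRESTRICTED_DEVICES = "a *:* rwm\n"

# Constructed sample: a 10 MiB/s write cap on /dev/sda (major 8, minor 0).
THROTTLE_WRITE_SDA = "8:0 10485760\n"


def audit(devices_text: str, throttle_text: str) -> dict:
    """Summarise whether this cgroup could touch the host disk and is I/O-capped."""
    rules = parse_devices_list(devices_text)
    limits = parse_throttle(throttle_text)
    return {
        "can_write_sda": device_access_allowed(rules, "b", 8, 0, "w"),
        "can_mknod_sda": device_access_allowed(rules, "b", 8, 0, "m"),
        "can_read_urandom": device_access_allowed(rules, "c", 1, 9, "r"),
        "wildcard_rwm": wildcard_rwm_types(rules),
        "sda_write_bps": limits.get((8, 0)),  # None means no hard cap
    }


if __name__ == "__main__":
    for label, devs in (("docker-style", DOCKER_STYLE_DEVICES), ("unrestricted", UNRESTRICTED_DEVICES)):
        print(label, audit(devs, THROTTLE_WRITE_SDA))
```

On a live host the same functions can be fed the real files (for cgroup v1, `/sys/fs/cgroup/devices/<path>/devices.list` and `/sys/fs/cgroup/blkio/<path>/blkio.throttle.write_bps_device`, where `<path>` comes from `/proc/<pid>/cgroup`). The Docker-style list permits `mknod` on any block device but not reading or writing it, which is the property the comment is pointing at; a list containing `a *:* rwm` means the devices controller is not restricting the container at all.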