Hacker News new | ask | show | jobs
by binarycrusader 4360 days ago
How is it unreasonable to compare the functionality of zones in 2014 to linux-vservers which are also under active development in 2014?

You're going to have to provide some actual data to support your assertion that linux-vserver was ever the "principal containerization solution".

LXC and OpenVZ do not have every advantage zones have; zones have other advantages because they're integrated with OS features that only Solaris (and derivative) operating systems have out-of-the-box -- such as ZFS. Which provides the ability to rapidly snapshot, clone and deploy containers. Zones also have other advantages that LXC and OpenVZ do not because of the networking stack features offered in Solaris.

The so-called "weight" of init and basic services is meaningless. But don't take my word for it, just download the Solaris 11.2 Beta and try it for yourself. Theorising about the potential "weight" of init and basic services (which are fairly minimal) is premature optimisation.

As I said before, Docker doesn't provide the full security isolation that Solaris Zones does; I'm sure it's the right style of solution for specific cases, but it is not an appropriate general solution for isolation or containerisation.
1 comments
evol262 4360 days ago
You're missing the point --

It's not unreasonable to compare the functionality of zones in 2014 with the functionality of vserver in 2014. But you compared the functionality of zones in 2014 with the functionality of vserver in 2005 (which hasn't changed much).

LXC is the preferred container solution and has been for years. I only referenced vserver because of your "Linux finally catching up to zones" comment, when Linux has been doing containerization as long as Solaris.

I'm also not going to "provide any data" about vserver. You can look at the release dates for vserver, openvz, and lxc yourself, as well as when lxc made mainline and how many VPS providers use openvz, versus how many distros even package vserver in 2014.

LXC made mainline for a reason. OpenVZ is pretty comparable in features. You're making a sideways argument now based on Linux not having ZFS, but that isn't the discussion. It's also true that Linux doesn't have Crossbow. It's not true that LXC and OpenVZ can't take advantage of openvswitch, which is pretty comparable. But none of that has anything to do with Docker. This is not "LXC vs Zones vs Jails".

Containers can also be backed by btrfs or lvm cnapshots, which aren't as feature-filled as ZFS, but you're reaching. Similarly, zones aren't as featureful as full-fledged VMs. But that's also not what we're talking about.

You're repeatedly missing what Docker actually does. Ok?

Zones -> LXC. LXC also has "weight" in that it starts init and basic services, and has to be managed.

Docker -> containerized chroot. Docker is not an analogue or competitor to zones.

However, Docker (through libcontainer) are already built on top of cgroups and can be managed through selinux. Security is not a valid complaint.

link
binarycrusader 4360 days ago
I am not repeatedly missing what Docker does; all I'm pointing out is that Docker is currently insufficient as a true isolation solution from a security and/or other perspectives.

Again, I'm sure Docker is appropriate for some specific situations, but it is not currently an appropriate general container solution if you care about security.

link
evol262 4360 days ago
>I am not repeatedly missing what Docker does

>I'm sure Docker is appropriate for some specific situations, but it is not currently an appropriate general container solution if you care about security.

Yes, you are. Docker is not currently and is not trying to be a "general container solution". Again, that's LXC.

But "X is currently insufficient as 'true isolation'" is inane. libcontainer is built on top of kernel cgroups. Docker can be wholly isolated with selinux:

http://www.mankier.com/8/docker_selinux

You don't know what Docker does, you don't know what it's built on, you don't know how cgroups work, and you're entirely ignoring selinux.

Please stop.

link
binarycrusader 4360 days ago
I'm done here. I agree to disagree. I still believe you are wrong and I did not claim Docker was a general container solution. You don't know how Solaris Zones work, because if you did, you'd understand that cgroups are insufficient to provide the same level of security.
link
evol262 4359 days ago
> I still believe you are wrong and I did not claim Docker was a general container solution

>I'm sure Docker is appropriate for some specific situations, but it is not currently an appropriate general container solution if you care about security.

>Docker doesn't provide the full security isolation that Solaris Zones does; I'm sure it's the right style of solution for specific cases, but it is not an appropriate general solution for isolation or containerisation.

Tell yourself whatever you need to.

>You don't know how Solaris Zones work, because if you did, you'd understand that cgroups are insufficient to provide the same level of security.

Which is why I also mentioned (and even linked you to the documentation for) docker_selinux, which is actually security instead of mere process isolation through namespaces and resource control (which are what cgroups do). Incidentally, this is the same way non-labeled zones work, but I guess I don't know anything about those.

Think whatever you want.

link