Comments
I use systemd-nspawn (with machinectl) and it works fine. Also, if you need just isolation, you shouldn't really use containers. You can use other existing things like namespaces and seccomp configured in systemd units.
Why so? Because it would be lighter, or because it is more secure / isolated?
Thanks for your contribution!
@2bb3, because if you have everything up and running on your host machine, a container will only add (very small) overhead and headaches with base image updates. Containers which use an overlay on top of a base system (=docker) are updated infrequently, and the base system could contain unpatched vulnerabilities. Anyway, if you're fine with the version and configuration options of the software on the host machine and just want to isolate it, you'd better use native isolation techniques and not containers.
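The two posts above talk about isolating a natively installed service with the namespace and seccomp features that systemd exposes in unit files, without a container. As an added illustration that is not part of the thread (and not anyone's posted code), here is a hardened unit of that kind next to a plain one, plus a small audit that lists which sandboxing directives a unit file is missing. The service name `myapp`, its binary path and its state directory are placeholders; every directive used is a real systemd.exec(5) option.

```shell
#!/bin/sh
# Added example, not from the thread. Shows a systemd unit that isolates a
# natively installed service with namespaces and seccomp, and a check that
# reports which sandboxing directives a given unit file lacks.
# "myapp", /usr/local/bin/myapp and /var/lib/myapp are placeholders.

# Directives a service that is meant to be isolated should carry. All are
# documented in systemd.exec(5).
REQUIRED_DIRECTIVES="NoNewPrivileges ProtectSystem ProtectHome PrivateTmp PrivateDevices ProtectKernelTunables ProtectControlGroups RestrictNamespaces SystemCallFilter CapabilityBoundingSet"

# Print a hardened unit. Adjust ExecStart, User and ReadWritePaths for a real service.
hardened_unit() {
cat <<'EOF'
[Unit]
Description=myapp (placeholder) running under systemd sandboxing
After=network.target

[Service]
ExecStart=/usr/local/bin/myapp
User=myapp
DynamicUser=yes
# Mount namespace: read-only OS tree, no /home, private /tmp and /dev
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ReadWritePaths=/var/lib/myapp
ProtectKernelTunables=yes
ProtectControlGroups=yes
# No new user/mount/net namespaces from inside, no setuid privilege gain
RestrictNamespaces=yes
NoNewPrivileges=yes
# seccomp: allow the usual service syscalls, deny privileged/resource ones with EPERM
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
# Drop every capability
CapabilityBoundingSet=
AmbientCapabilities=

[Install]
WantedBy=multi-user.target
EOF
}

# Constructed "weak" unit: runs the same binary with no sandboxing at all.
weak_unit() {
cat <<'EOF'
[Unit]
Description=myapp (placeholder) with no sandboxing

[Service]
ExecStart=/usr/local/bin/myapp

[Install]
WantedBy=multi-user.target
EOF
}

# audit_unit FILE: print each required directive missing from FILE, one per line.
# Exit status 0 when nothing is missing, 1 otherwise.
audit_unit() {
    file=$1
    missing=0
    for d in $REQUIRED_DIRECTIVES; do
        if ! grep -q "^${d}=" "$file"; then
            echo "$d"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# count_missing FILE: number of missing directives as a plain integer.
count_missing() {
    audit_unit "$1" | wc -l | tr -d ' '
}

# Stand-alone run: write both units to a temp dir and audit them.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    hardened_unit > "$tmp/hardened.service"
    weak_unit > "$tmp/weak.service"
    echo "hardened unit missing: $(count_missing "$tmp/hardened.service")"
    echo "weak unit missing: $(count_missing "$tmp/weak.service")"
    audit_unit "$tmp/weak.service" || true
    rm -r "$tmp"
fi
```

Install the hardened unit as `/etc/systemd/system/myapp.service`, run `systemctl daemon-reload`, and use `systemd-analyze security myapp.service` to see systemd's own exposure score for it; the audit function here is only a quick offline check that the directives are present, it does not evaluate their values. `ProtectSystem=strict` makes the whole filesystem read-only except the paths listed in `ReadWritePaths`, so a service that writes anywhere else will fail until that list is adjusted.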
Actually, I made a post about isolation with systemd, but it's in Russian. Should I translate it as a tutorial here?
Yes, please. It's good that people learn they can do amazing things with existing technologies without any shiny toolkits like Docker.
+1 for tutorial.
Came across these slides from one of the original dotCloud developers. Gives a quick background of namespaces and cgroups, and runs through some of the containerization options.
Thanks for your answer, and yeah I'd like to read it! Any resources on that topic you'd recommend? Is this kind of isolation really strong?
Neither, rkt