https://en.wikipedia.org/wiki/OS-level_virtualization

https://en.wikipedia.org/wiki/OS-level_virtualizationhttps://en.wikipedia.org/wiki/OS-level_virtualization

OS-level virtualization is an operating system paradigm in which the kernel allows the existence of multiple isolated user space instances. Such instances, called containers (LXC, Solaris containers, Docker), zones (Solaris containers), virtual private servers (OpenVZ), partitions, virtual environments (VEs), virtual kernels (DragonFly BSD), or jails (FreeBSD jail or chroot jail),[1] may look like real computers from the point of view of programs running in them. A computer program running on an ordinary operating system can see all resources (connected devices, files and folders, network shares, CPU power, quantifiable hardware capabilities) of that computer. However, programs running inside of a container can only see the container's contents and devices assigned to the container.

On Unix-like operating systems, this feature can be seen as an advanced implementation of the standard chroot mechanism, which changes the apparent root folder for the current running process and its children. In addition to isolation mechanisms, the kernel often provides resource-management features to limit the impact of one container's activities on other containers.

The term container, while most popularly referring to OS-level virtualization systems, is sometimes ambiguously used to refer to fuller virtual machine environments operating in varying degrees of concert with the host OS, e.g. Microsoft's Hyper-V containers.

目录

Operation[edit]

Uses[edit]

Overhead[edit]

Flexibility[edit]

Storage[edit]

Implementations[edit]

See also[edit]

Notes[edit]

References[edit]

External links[edit]

---

Operation[edit]

On ordinary operating systems for personal computers, a computer program can see (even though it might not be able to access) all the system's resources. They include:

1. Hardware capabilities that can be employed, such as the CPU and the network connection
2. Data that can be read or written, such as files, folders and network shares
3. Connected peripherals it can interact with, such as webcam, printer, scanner, or fax

The operating system may be able to allow or deny access to such resources based on which program requests them and the user account in the context of which it runs. The operating system may also hide those resources, so that when the computer program enumerates them, they do not appear in the enumeration results. Nevertheless, from a programming point of view, the computer program has interacted with those resources and the operating system has managed an act of interaction.

With operating-system-virtualization, or containerization, it is possible to run programs within containers, to which only parts of these resources are allocated. A program expecting to see the whole computer, once run inside a container, can only see the allocated resources and believes them to be all that is available. Several containers can be created on each operating system, to each of which a subset of the computer's resources is allocated. Each container may contain any number of computer programs. These programs may run concurrently or separately, and may even interact with one another.

Containerization has similarities to application virtualization: In the latter, only one computer program is placed in an isolated container and the isolation applies to file system only.

Uses[edit]

Operating-system-level virtualization is commonly used in virtual hosting environments, where it is useful for securely allocating finite hardware resources among a large number of mutually-distrusting users. System administrators may also use it for consolidating server hardware by moving services on separate hosts into containers on the one server.

Other typical scenarios include separating several programs to separate containers for improved security, hardware independence, and added resource management features. The improved security provided by the use of a chroot mechanism, however, is nowhere near ironclad.[2] Operating-system-level virtualization implementations capable of live migration can also be used for dynamic load balancing of containers between nodes in a cluster.

Overhead[edit]

Operating-system-level virtualization usually imposes less overhead than full virtualization because programs in OS-level virtual partitions use the operating system's normal system call interface and do not need to be subjected to emulation or be run in an intermediate virtual machine, as is the case with full virtualization (such as VMware ESXi, QEMU, or Hyper-V) and paravirtualization (such as Xen or User-mode Linux). This form of virtualization also does not require hardware support for efficient performance.

Flexibility[edit]

Operating-system-level virtualization is not as flexible as other virtualization approaches since it cannot host a guest operating system different from the host one, or a different guest kernel. For example, with Linux, different distributions are fine, but other operating systems such as Windows cannot be hosted. Operating systems using variable input systematics are subject to limitations within the virtualized architecture. Adaptation methods including cloud-server relay analytics maintain the OS-level virtual environment within these applications.[3]

Solaris partially overcomes the limitation described above with its branded zones feature, which provides the ability to run an environment within a container that emulates an older Solaris 8 or 9 version in a Solaris 10 host. Linux branded zones (referred to as "lx" branded zones) are also available on x86-based Solaris systems, providing a complete Linux userspace and support for the execution of Linux applications; additionally, Solaris provides utilities needed to install Red Hat Enterprise Linux 3.x or CentOS 3.x Linux distributions inside "lx" zones.[4][5] However, in 2010 Linux branded zones were removed from Solaris; in 2014 they were reintroduced in Illumos, which is the open source Solaris fork, supporting 32-bit Linux kernels.[6]

Storage[edit]

Some implementations provide file-level copy-on-write (CoW) mechanisms. (Most commonly, a standard file system is shared between partitions, and those partitions that change the files automatically create their own copies.) This is easier to back up, more space-efficient and simpler to cache than the block-level copy-on-write schemes common on whole-system virtualizers. Whole-system virtualizers, however, can work with non-native file systems and create and roll back snapshots of the entire system state.

Implementations[edit]

Mechanism	Operating system	License	Actively developed since or between	Features
				File system isolation	Copy on Write	Disk quotas	I/O rate limiting	Memory limits	CPU quotas	Network isolation	Nested virtualization	Partition checkpointing and live migration	Root privilege isolation
chroot	Most UNIX-like operating systems	Varies by operating system	1982	Partial[a]	No	No	No	No	No	No	Yes	No	No
Docker	Linux,[8] FreeBSD,[9] Windows x64 (Pro, Enterprise and Education)[10] macOS[11]	Apache License 2.0	2013	Yes	Yes	Not directly	Yes (since 1.10)	Yes	Yes	Yes	Yes	Only in Experimental Mode with CRIU [1]	Yes (since 1.10)
Linux-VServer (security context)	Linux, Windows Server 2016	GNU GPLv2	2001	Yes	Yes	Yes	Yes[b]	Yes	Yes	Partial[c]	?	No	Partial[d]
lmctfy	Linux	Apache License 2.0	2013–2015	Yes	Yes	Yes	Yes[b]	Yes	Yes	Partial[c]	?	No	Partial[d]
LXC	Linux	GNU GPLv2	2008	Yes[13]	Yes	Partial[e]	Partial[f]	Yes	Yes	Yes	Yes	Yes	Yes[13]
Singularity	Linux	BSD Licence	2015[14]	Yes[15]	Yes	Yes	No	No	No	No	No	No	Yes[16]
OpenVZ	Linux	GNU GPLv2	2005	Yes	Yes [17]	Yes	Yes[g]	Yes	Yes	Yes[h]	Partial[i]	Yes	Yes[j]
Virtuozzo	Linux, Windows	Trialware	2000[21]	Yes	Yes	Yes	Yes[k]	Yes	Yes	Yes[h]	Partial[l]	Yes	Yes
Solaris Containers (Zones)	illumos (OpenSolaris), Solaris	CDDL, Proprietary	2004	Yes	Yes (ZFS)	Yes	Partial[m]	Yes	Yes	Yes[n][24][25]	Partial[o]	Partial[p][q]	Yes[r]
FreeBSD jail	FreeBSD, DragonFly BSD	BSD License	2000[27]	Yes	Yes (ZFS)	Yes[s]	Yes	Yes[28]	Yes	Yes[29]	Yes	Partial[30][31]	Yes[32]
vkernel	DragonFly BSD	BSD Licence	2006[33]	Yes[34]	Yes[34]	N/A	?	Yes[35]	Yes[35]	Yes[36]	?	?	Yes
sysjail	OpenBSD, NetBSD	BSD License	2006–2009	Yes	No	No	No	No	No	Yes	No	No	?
WPARs	AIX	Commercial proprietary software	2007	Yes	No	Yes	Yes	Yes	Yes	Yes[t]	No	Yes[38]	?
iCore Virtual Accounts	Windows XP	Freeware	2008	Yes	No	Yes	No	No	No	No	?	No	?
Sandboxie	Windows	GNU GPLv3	2004	Yes	Yes	Partial	No	No	No	Partial	No	No	Yes
systemd-nspawn	Linux	GNU LGPLv2.1+	2010	Yes	Yes	Yes[39][40]	Yes[39][40]	Yes[39][40]	Yes[39][40]	Yes	?	?	Yes
Turbo	Windows	Freemium	2012	Yes	No	No	No	No	No	Yes	No	No	Yes
rkt	Linux	Apache License 2.0	2014[41]–2018	Yes	Yes	Yes	Yes	Yes	Yes	Yes	?	?	Yes

See also[edit]

• Container orchestration
• Linux namespaces
• cgroups
• Sandbox (software development)
• Container Linux
• Hypervisor
• Portable application creators
• Open Container Initiative
• Separation kernel
• Serverless computing
• Storage hypervisor
• Virtual private server (VPS)
• Virtual resource partitioning

Notes[edit]

1. ^ Root user can easily escape from chroot. Chroot was never supposed to be used as a security mechanism.[7]
2. ^ Jump up to:a b Utilizing the CFQ scheduler, there is a separate queue per guest.
3. ^ Jump up to:a b Networking is based on isolation, not virtualization.
4. ^ Jump up to:a b A total of 14 user capabilities are considered safe within a container. The rest may cannot be granted to processes within that container without allowing that process to potentially interfere with things outside that container.[12]
5. ^ Disk quotas per container are possible when using separate partitions for each container with the help of LVM, or when the underlying host filesystem is btrfs, in which case btrfs subvolumes are automatically used.
6. ^ I/O rate limiting is supported when using Btrfs.
7. ^ Available since Linux kernel 2.6.18-028stable021. Implementation is based on CFQ disk I/O scheduler, but it is a two-level schema, so I/O priority is not per-process, but rather per-container.[18]
8. ^ Jump up to:a b Each container can have its own IP addresses, firewall rules, routing tables and so on. Three different networking schemes are possible: route-based, bridge-based, and assigning a real network device (NIC) to a container.
9. ^ Docker containers can run inside OpenVZ containers.[19]
10. ^ Each container may have root access without possibly affecting other containers.[20]
11. ^ Available since version 4.0, January 2008.
12. ^ Docker containers can run inside Virtuozzo containers.[22]
13. ^ Yes with illumos[23]
14. ^ See OpenSolaris Network Virtualization and Resource Control for more details.
15. ^ Only when top level is a KVM zone (illumos) or a kz zone (Oracle).
16. ^ Starting in Solaris 11.3 Beta, Solaris Kernel Zones may use live migration.
17. ^ Cold migration (shutdown-move-restart) is implemented.
18. ^ Non-global zones are restricted so they may not affect other zones via a capability-limiting approach. The global zone may administer the non-global zones.[26]
19. ^ Check the "allow.quotas" option and the "Jails and File Systems" section on the FreeBSD jail man page for details.
20. ^ Available since TL 02.[37]

References[edit]

1. ^ Hogg, Scott (2014-05-26). "Software Containers: Used More Frequently than Most Realize". Network World. Network World, Inc. Retrieved 2015-07-09. There are many other OS-level virtualization systems such as: Linux OpenVZ, Linux-VServer, FreeBSD Jails, AIX Workload Partitions (WPARs), HP-UX Containers (SRP), Solaris Containers, among others.
2. ^ Korff, Yanek; Hope, Paco; Potter, Bruce (2005). Mastering FreeBSD and OpenBSD Security. O'Reilly Series. O'Reilly Media, Inc. p. 59. ISBN 0596006268.
3. ^ Huang, D (2015). "Experiences in using OS-level virtualization for block I/O". Proceedings of the 10th Parallel Data Storage Workshop: 13–18. doi:10.1145/2834976.2834982. ISBN 9781450340083. S2CID 3867190.
4. ^ "System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones, Chapter 16: Introduction to Solaris Zones". Oracle Corporation. 2010. Retrieved 2014-09-02.
5. ^ "System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones, Chapter 31: About Branded Zones and the Linux Branded Zone". Oracle Corporation. 2010. Retrieved 2014-09-02.
6. ^ Bryan Cantrill (2014-09-28). "The dream is alive! Running Linux containers on an illumos kernel". slideshare.net. Retrieved 2014-10-10.
7. ^ "3.5. Limiting your program's environment". freebsd.org.
8. ^ "Docker drops LXC as default execution environment". InfoQ.
9. ^ "Docker comes to FreeBSD". FreeBSDNews.com. July 9, 2015.
10. ^ "Get started with Docker for Windows". Docker. 10 September 2021.
11. ^ "Get started with Docker Desktop for Mac". Docker Documentation. December 6, 2019.
12. ^ "Paper - Linux-VServer". linux-vserver.org.
13. ^ Jump up to:a b Graber, Stéphane (1 January 2014). "LXC 1.0: Security features [6/10]". Retrieved 12 February 2014. LXC now has support for user namespaces. [...] LXC is no longer running as root so even if an attacker manages to escape the container, he’d find himself having the privileges of a regular user on the host
14. ^ "Sylabs Brings Singularity Containers into Commercial HPC | TOP500 Supercomputer Sites". www.top500.org.
15. ^ "Redirecting…". www.sylabs.io.
16. ^ Kurtzer, Gregory M.; Sochat, Vanessa; Bauer, Michael W. (May 11, 2017). "Singularity: Scientific containers for mobility of compute". PLOS ONE. 12 (5): e0177459. Bibcode:2017PLoSO..1277459K. doi:10.1371/journal.pone.0177459. PMC 5426675. PMID 28494014.
17. ^ Bronnikov, Sergey. "Comparison on OpenVZ wiki page". OpenVZ Wiki. OpenVZ. Retrieved 28 December 2018.
18. ^ "I/O priorities for containers". OpenVZ Virtuozzo Containers Wiki.
19. ^ "Docker inside CT".
20. ^ "Container". OpenVZ Virtuozzo Containers Wiki.
21. ^ "Initial public prerelease of Virtuozzo (named ASPcomplete at that time)".
22. ^ "Parallels Virtuozzo Now Provides Native Support for Docker".
23. ^ Pijewski, Bill. "Our ZFS I/O Throttle".
24. ^ Network Virtualization and Resource Control (Crossbow) FAQ Archived 2008-06-01 at the Wayback Machine
25. ^ "Managing Network Virtualization and Network Resources in Oracle® Solaris 11.2". docs.oracle.com.
26. ^ Oracle Solaris 11.1 Administration, Oracle Solaris Zones, Oracle Solaris 10 Zones and Resource Management E29024.pdf, pp. 356–360. Available within an archive.
27. ^ "Contain your enthusiasm - Part Two: Jails, Zones, OpenVZ, and LXC". Jails were first introduced in FreeBSD 4.0 in 2000
28. ^ "Hierarchical_Resource_Limits - FreeBSD Wiki". Wiki.freebsd.org. 2012-10-27. Retrieved 2014-01-15.
29. ^ "Implementing a Clonable Network Stack in the FreeBSD Kernel" (PDF). usenix.org. 2003-06-13.
30. ^ "VPS for FreeBSD". Retrieved 2016-02-20.
31. ^ "[Announcement] VPS // OS Virtualization // alpha release". Retrieved 2016-02-20.
32. ^ "3.5. Limiting your program's environment". Freebsd.org. Retrieved 2014-01-15.
33. ^ Matthew Dillon (2006). "sys/vkernel.h". BSD Cross Reference. DragonFly BSD.
34. ^ Jump up to:a b "vkd(4) — Virtual Kernel Disc". DragonFly BSD. treats the disk image as copy-on-write.
35. ^ Jump up to:a b Sascha Wildner (2007-01-08). "vkernel, vcd, vkd, vke — virtual kernel architecture". DragonFly Miscellaneous Information Manual. DragonFly BSD. Lay summary.
36. ^ "vke(4) — Virtual Kernel Ethernet". DragonFly BSD.
37. ^ "IBM Fix pack information for: WPAR Network Isolation - United States". ibm.com.
38. ^ "Live Application Mobility in AIX 6.1". www.ibm.com. June 3, 2008.
39. ^ Jump up to:a b c d "systemd-nspawn". www.freedesktop.org.
40. ^ Jump up to:a b c d "2.3. Modifying Control Groups Red Hat Enterprise Linux 7". Red Hat Customer Portal.
41. ^ Polvi, Alex. "CoreOS is building a container runtime, rkt". CoreOS Blog. Retrieved 12 March 2019.

External links[edit]

• An introduction to Virtualization
• A short intro to three different virtualization techniques
• Virtualization and Containerization of Application Infrastructure: A Comparison, June 22, 2015, by Mathijs Jeroen Scheepers
• Containers and persistent data, LWN.net, May 28, 2015, by Josh Berkus

hide v t e Virtualization software
Comparison of platform virtualization software
Hardware (hypervisors)	Native Adeos CP/CMS Hyper-V KVM oVirt Red Hat Enterprise Virtualization LDoms / Oracle VM Server for SPARC Logical Partition (LPAR) LynxSecure PikeOS Proxmox VE QNX SIMMON VMware ESXi VMware vSphere vCloud VMware Infrastructure Xen Oracle VM Server for x86 XenServer XtratuM z/VM Hosted Specialized Basilisk II Bochs Cooperative Linux DOSBox DOSEMU PCem PikeOS SheepShaver SIMH Windows on Windows Virtual DOS machine Win4Lin Independent bhyve Microsoft Virtual Server Parallels Workstation (Extreme) Parallels Desktop for Mac Parallels Server for Mac PearPC QEMU VirtualBox Virtual Iron VMware Fusion VMware Server VMware Workstation (Player) Windows Virtual PC Tools Ganeti System Center Virtual Machine Manager Virtual Machine Manager
Operating system	OS containers FreeBSD jail iCore Virtual Accounts Linux-VServer LXC OpenVZ Solaris Containers Virtuozzo Workload Partitions Application containers Docker lmctfy rkt Virtual kernel architectures Rump kernel User-mode Linux vkernel Related kernel features BrandZ cgroups chroot namespaces seccomp Orchestration Amazon ECS Kubernetes OpenShift
Desktop	Citrix XenApp Citrix XenDesktop Remote Desktop Services VMware Horizon View
Application	Ceedo Citrix XenApp Dalvik InstallFree Microsoft App-V Remote Desktop Services Symantec Workspace Virtualization Turbo VMware ThinApp ZeroVM
Network	Distributed Overlay Virtual Ethernet (DOVE) Ethernet VPN (EVPN) NVGRE Open vSwitch Virtual security switch Virtual Extensible LAN (VXLAN)