The Isolation Dilemma
In early 2013, virtual machines (VMs) are the standard for cloud hosting. However, running a complete guest operating system for each application is resource-heavy: every guest carries its own kernel and system image, so hypervisor hosts consume large amounts of RAM and disk, and booting a VM takes minutes.
Linux Containers (LXC) offer an alternative: operating system level virtualization.
Key Takeaway: LXC shares the host OS kernel instead of virtualizing hardware, allowing containers to boot in seconds while consuming a fraction of the memory.
The Foundations of Container Isolation
LXC relies on core features of the Linux kernel to isolate processes:
- Namespaces: Restrict what a process can *see* (PID, Network, Mounts, UTS, IPC, User).
- Control Groups (cgroups): Restrict what a process can *use* (CPU, Memory, Disk I/O, Network bandwidth).
- chroot: Isolates the root directory for a process.
| Isolation Primitive | Kernel System | Operational Function |
|---|---|---|
| PID Namespace | pid_namespaces | Restricts visibility of system processes. |
| NET Namespace | net_namespaces | Assigns private IP addresses and routing tables. |
| cgroups (Memory) | cgroups_memory | Enforces hard memory limits on containers. |
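The table above describes namespaces and cgroups in the abstract. The following script is an added example (not part of the original page and not LXC or Docker code) that shows how a defender can verify, from inside a process, which namespaces actually separate it from the host's PID 1, and how a cgroup memory limit is read. It assumes a Linux `/proc` layout; the `CONTAINER_NS` and `HOST_NS` dictionaries are constructed sample values, not real inode numbers from any system.

```python
import os
import re

# Namespace types exposed under /proc/<pid>/ns/ on LXC-era and later kernels
NAMESPACE_TYPES = ("pid", "net", "mnt", "uts", "ipc", "user")


def read_namespace_ids(pid="self"):
    """Return {ns_type: inode_id} for a process by resolving its /proc/<pid>/ns links.

    Each link reads like 'pid:[4026531836]'; the number in brackets identifies the
    namespace. Types the kernel does not expose, or links we lack permission to
    read (reading another process's links needs ptrace access), are skipped.
    """
    ids = {}
    for ns in NAMESPACE_TYPES:
        try:
            target = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            continue
        match = re.fullmatch(r"(\w+):\[(\d+)\]", target)
        if match:
            ids[ns] = int(match.group(2))
    return ids


def isolation_report(process_ids, reference_ids):
    """Compare a process's namespace ids against a reference process (e.g. host PID 1).

    Returns {ns_type: True} where the process lives in a different namespace
    (isolated) and {ns_type: False} where it shares the reference's namespace.
    Only types present in both maps are compared.
    """
    return {ns: process_ids[ns] != reference_ids[ns]
            for ns in process_ids if ns in reference_ids}


def parse_cgroup_memory_limit(text):
    """Parse the contents of memory.limit_in_bytes (cgroup v1) or memory.max (v2).

    Returns the hard limit in bytes, or None when no limit is enforced: v2 writes
    the literal 'max', while v1 writes a sentinel just below 2**63.
    """
    value = text.strip()
    if value == "max":
        return None
    limit = int(value)
    if limit >= 2 ** 62:  # v1 'unlimited' sentinel (page-aligned LLONG_MAX)
        return None
    return limit


# Constructed sample data (hypothetical inode ids): a container init that has its
# own PID, NET, MNT, UTS and IPC namespaces but still shares the host's user namespace.
CONTAINER_NS = {"pid": 4026532201, "net": 4026532204, "mnt": 4026532199,
                "uts": 4026532200, "ipc": 4026532202, "user": 4026531837}
HOST_NS = {"pid": 4026531836, "net": 4026531992, "mnt": 4026531840,
           "uts": 4026531838, "ipc": 4026531839, "user": 4026531837}


if __name__ == "__main__":
    print("constructed sample:", isolation_report(CONTAINER_NS, HOST_NS))
    # Live check: this process against PID 1; empty when /proc/1/ns is not readable
    print("this process vs PID 1:", isolation_report(read_namespace_ids(),
                                                     read_namespace_ids(1)))
    # Constructed file contents: a 512 MiB v1 limit and an unlimited v2 cgroup
    print(parse_cgroup_memory_limit("536870912\n"), parse_cgroup_memory_limit("max\n"))
```

The constructed sample reports every namespace except `user` as isolated, which is the pattern to look for when a container is supposed to be fully confined: a namespace that reports `False` is one the container shares with the host, and a memory limit of `None` means the cgroup imposes no ceiling at all.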
The dotCloud Prototype
The PaaS provider dotCloud is developing an open-source project named Docker (built on top of LXC) to standardize container orchestration:
```shell
# Conceptual container run command in early 2013
lxc-create -n my_web_app -f /etc/lxc/default.conf
lxc-start -n my_web_app
```
By wrapping LXC inside a programmatic engine, developers can bundle application runtimes and dependencies into a single image, laying the foundation for immutable deployments.