Linux Containers

Until recently I was a relatively satisfied Linux VServer user. But when I upgraded to Debian 6 about half a year ago, OpenAFS aklog stopped working inside the guests. There were always problems with running OpenAFS clients inside VServer guests, but this time I couldn’t find any workaround. I had to solve the problem and I had to act quickly.

As VServer didn’t look usable anymore, I decided to move to Linux Containers. It’s a similar virtualization approach, implemented in a different way. I can’t provide any expert comparison of the two solutions as I’m just a home user. Here are my simple observations.

Linux VServer is generally a more mature product (no wonder, it has been around for some years). It provides better management tools, including things like vserver-stat (summary information about running guests and the resources consumed by them), vserver stop (safe stopping of a guest), vserver enter (a way to enter a guest directly from the host) or vapt-get (batch invocation of apt-get over all running guests). It defines a finer set of capabilities, e.g. you don’t have to grant the broad CAP_SYS_ADMIN capability just to be able to use FUSE. And it contains hashify with the copy-on-write feature to save main memory, memory cache and disk space.

Linux Containers allow me to run some things in the containers that I’ve never managed to get running inside VServer guests (new OpenAFS aklog, OpenVPN). They provide more sophisticated device isolation (mknod /dev/null is possible without permitting too much) and network isolation (each container can have its own routing and filtering rules). Configuration is easier. And they are included in the official kernel source. On the other hand they lack some important features provided by Linux VServer, and I experienced several more or less annoying problems (but none of them prevented me from using Linux Containers altogether). The implementation may be improving rapidly, so things may be better by now.
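To make the device and network isolation points concrete, here is an added example of a minimal LXC container configuration (not from the original post or the LXC project): it denies all device nodes by default and then whitelists only /dev/null, so mknod /dev/null works inside the container without granting access to any other device, gives the container its own veth interface (so routing and filtering rules inside it are separate from the host), and drops CAP_SYS_ADMIN. The container name "guest", the rootfs path and the bridge name br0 are assumptions; the key names use the pre-LXC 3 syntax current at the time of the post (newer releases spell the network keys lxc.net.0.*).

```ini
# Added example of an LXC container config (assumed name: guest)
lxc.utsname = guest
lxc.rootfs = /var/lib/lxc/guest/rootfs

# Device isolation: deny every device node first (cgroup devices
# controller), then allow only what the guest really needs.
# "c 1:3" is the character device /dev/null; "rwm" permits
# read, write and mknod of exactly that node and nothing else.
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm

# Network isolation: the container gets its own veth pair attached
# to the host bridge (assumed: br0), and therefore its own routing
# table and netfilter rules that do not touch the host's.
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up

# Capability reduction: the broad CAP_SYS_ADMIN is not needed for
# an ordinary service container, so drop it in the container's
# bounding set (lxc.cap.drop takes lowercase names without CAP_).
lxc.cap.drop = sys_admin
```

Every additional device the guest needs is one more explicit lxc.cgroup.devices.allow line (major:minor taken from ls -l on the host), which keeps the whitelist reviewable; the deny-all line must come first, because the entries are applied in order.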

Both projects lack good documentation.

There is a lesson in the story of Linux VServer and Linux Containers. AFAIK, Linux developers originally rejected the Linux VServer idea as unnecessary for several years. Apparently they changed their minds in the meantime, and Linux Containers are here. The result of the lost years is that we haven’t got a complete and well working solution yet. Well, we know that progress is sometimes constrained by our mental barriers.
