Although Containers are primarily intended for use in Solaris virtual environments (VEs), a framework exists to provide a translation layer from another operating system to the Oracle Solaris kernel. This framework has been used to enable the migration of Solaris 8 and Solaris 9 environments into Solaris 8 Containers and Solaris 9 Containers. These VEs operate like Solaris 8 and Solaris 9 systems, respectively. Each of these non-native models is called a "brand." A brand for Red Hat Enterprise Linux 3 was also created.

Recently, the brand framework has been used to provide other functionality, such as Oracle Solaris Cluster, in Containers. In that case, and in some others, the brand marks the Container so that the kernel or other software handles it differently than a native Container. For those special Containers, a translation layer is not necessary.

6.1.2 Isolation
The primary purpose of Containers is to isolate workloads that are running on one Oracle Solaris instance. Although this functionality is typically used when consolidating workloads onto one system, placing a single workload in a single Container on a system has a number of benefits. By design, the isolation provided by Containers includes the following factors:

- Each Container has its own objects: processes, file system mounts, network interfaces, and System V IPC objects.
- Processes in one Container are prevented from accessing objects in another Container.
- Processes in different Containers are prevented from directly communicating with each other, except for typical intersystem network communication.
- A process in one Container cannot obtain any information about a process running in a different Container—even confirmation of the existence of such a process.
- Each Container has its own namespace and can choose its own naming services, mostly configured in /etc. For example, each Container has its own set of users (via LDAP, /etc/passwd, and other means) and root user.
- Architecturally, the model of one application per OS instance maps directly to the model of one application per Container while reducing the number of OS instances to manage.

In addition to the functional or security isolation constraints listed above, Containers provide for resource isolation, as discussed in the next section.
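As an added example (not from the book), the following sh script audits the fourth property above, that a Container sees no process belonging to another Container, using the zone column of the Solaris ps command. It assumes it is run inside a non-global zone (the constructed samples use a zone named web1); the global zone is the one exception, since it is allowed to see every zone's processes.

```shell
#!/bin/sh
# Added example, not from the book: check process isolation of a Solaris
# Container from inside a non-global zone, using `ps -eo zone,pid,comm`.

# visible_zones: given ps output (header included), print the number of
# distinct zone names it contains. Pure text processing, so it can be
# exercised with constructed input on any system.
visible_zones() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF && !($1 in z) { z[$1] = 1; n++ }
                              END { print n + 0 }'
}

# foreign_zone_visible: succeed (exit 0) if any process in the ps output $1
# belongs to a zone other than $2.
foreign_zone_visible() {
    printf '%s\n' "$1" | awk -v me="$2" \
        'NR > 1 && NF && $1 != me { found = 1 } END { exit !found }'
}

# audit_isolation: run on a Solaris host inside a non-global zone.
# Returns 0 on PASS, 1 on FAIL, 2 when the check does not apply here.
audit_isolation() {
    me=$(zonename 2>/dev/null) || { echo "not a Solaris zone host"; return 2; }
    [ "$me" != global ] || { echo "run inside a non-global zone"; return 2; }
    out=$(ps -eo zone,pid,comm)
    if foreign_zone_visible "$out" "$me"; then
        echo "FAIL: processes of another zone are visible from $me"; return 1
    fi
    echo "PASS: $me sees only its own zone ($(visible_zones "$out") zone visible)"
}

# Constructed sample of `ps -eo zone,pid,comm` as seen inside zone web1.
SAMPLE_WEB1='    ZONE   PID COMMAND
    web1  4121 init
    web1  4200 httpd
    web1  4201 httpd'

# Constructed sample of the global zone's view, where every zone is visible.
SAMPLE_GLOBAL='    ZONE   PID COMMAND
  global     1 init
    web1  4121 init
     db1  5300 oracle'

# Usage on a Solaris host: sh zone_audit.sh run
if [ "${1-}" = run ]; then audit_isolation; fi
```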