Who else cares about "system containers"?


#1

I’ve been using containers since 2005 when I started using OpenVZ on CentOS 4.x. I still use OpenVZ Legacy on CentOS 6 and will continue to use it until EL6 goes EOL. Originally they weren’t called containers. The first name was Virtual Environment (VE) and later Virtual Private Server (VPS)… and finally OpenVZ settled on “container”.

What is a “system container”? It’s a pet in the pet vs. cattle discussion. A system container takes a while to create (sometimes up to a minute) and they have their own persistent filesystem. The filesystem might be a directory on the container host or even a disk image file similar to what most KVM users use. They run a full system, except for the kernel of course, which comes from the container host and is shared with all other containers on the system.

A system container has an init system (systemd), its own logging (journald)… it has user accounts… a minimal install with one or more services. It’s basically what you have to “orchestrate” with multiple application containers strung together with private interconnections and some hack to get external interactions. A system container has its own network stack and the ability to have a public IP address just like a VM.

Resource management is key with system containers so you don’t see all of the container host’s memory, CPUs, nor disk space. System containers should contain, and it is ok for a user to have root inside of one without fearing for the host system. OpenVZ (and its commercial sibling Virtuozzo) has been used for almost a decade and a half by hosting providers in production on the public internet… with root users. Docker and podman, while they have their niche in microservices, seem like messy constructions of duct tape in comparison.

Canonical has been developing LXC and LXD for several years now but it is fairly Ubuntu-specific… although there has been some effort on a COPR repo for Fedora.

I’d really like to see podman be able to handle system containers too. I’ve heard some rumbles about that being possible at some point… but my question is, does anyone besides me care about that?

TYL, Scott Dowdle


#2

systemd-machined + .nspawn files support this pretty well, though you have to disable SELinux to use it due to some sepolicy issues. You can set CPU usage and RAM constraints, for instance, all powered by cgroups. Only con is that docs are sparse, though there are some online guides that help out.

You could also run podman as sudo and create a container with --init, then start it inside a cgroup to inherit its resource constraints. Not quite the same, but a bit closer.

That being said, I wouldn’t call podman/docker a “messy construction of duct tape in comparison”. The idea of being able to create and throw away containers is pretty interesting from a reproducibility perspective; it’s easy to start over if you screw something up or are restoring from backups.
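As an added illustration of the systemd-machined setup described in reply #2 (not configuration from either poster), here is what a booted system container with cgroup-enforced CPU and memory limits looks like on disk. It assumes a hypothetical machine named `web` whose root tree lives under `/var/lib/machines/web`; the `.nspawn` file defines the container itself, and the resource limits go in a drop-in for the `systemd-nspawn@.service` instance that `machinectl start web` launches.

```ini
# /etc/systemd/nspawn/web.nspawn  (hypothetical machine name "web")
[Exec]
# Boot=yes runs the container's own init (systemd) as PID 1, so it
# gets journald, user accounts and services like a VM would.
Boot=yes
# Map the container's uid/gid range onto an unprivileged host range,
# so "root" inside is not uid 0 on the host.
PrivateUsers=pick

[Network]
# Own network namespace with a veth pair to the host; the container
# gets its own stack instead of sharing the host's.
VirtualEthernet=yes

[Files]
# Persistent data kept outside the root tree (assumed host path).
Bind=/srv/web-data:/var/www

# /etc/systemd/system/systemd-nspawn@web.service.d/limits.conf
# Drop-in for the unit instance that machinectl starts; these are
# ordinary systemd resource-control directives applied via cgroups.
[Service]
MemoryMax=1G
CPUQuota=50%
TasksMax=512
```

After placing both files, `systemctl daemon-reload` and `machinectl start web`; `systemctl show systemd-nspawn@web.service -p MemoryMax -p CPUQuotaPerSecUSec` confirms the limits took effect.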