On Linux, containers are a product of combining namespaces (to isolate FS mounts, PIDs, etc), control groups (to affect scheduling / resource allocation), hardening/sandboxing techniques (to prevent / minimise damage from sandbox escapes), and possibly other pieces (like overlay networks, filesystems, etc).
At the kernel level, there is no notion of a container, so various projects pick up various pieces and stitch them together.
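The point above is easy to verify from inside any process: the kernel exposes only the pieces (namespace membership, cgroup membership, capability sets, seccomp state), never a "container". The following script, added here as an example and not part of these notes or of any of the projects discussed, reads those pieces from `/proc` and flags the hardening gaps a defender cares about. The file layouts it parses (`/proc/<pid>/ns/*` link targets, `/proc/<pid>/cgroup` v1 and v2 lines, the `CapEff`/`CapBnd`/`Seccomp`/`NoNewPrivs` fields of `/proc/<pid>/status`) and the capability bit numbers are standard Linux; the sample values in the comments and the `Confinement` type are constructed for the example.

```python
"""Show what the kernel actually knows about a "contained" process.

Linux has no container object. A process is just a member of some set of
namespaces, charged to some cgroup, and restricted by some hardening
(capability sets, seccomp, no_new_privs). This script reads those facts
from /proc. The parsers take file contents as strings so they can be run
on constructed samples without touching a live system.
"""
import os
import re
from dataclasses import dataclass, field

NAMESPACES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# Capability bit numbers from linux/capability.h; these three are worth
# flagging in a sandbox because each gives a route around the other boundaries.
RISKY_CAPS = {"CAP_NET_ADMIN": 12, "CAP_SYS_PTRACE": 19, "CAP_SYS_ADMIN": 21}


@dataclass
class Confinement:
    """Constructed container for the facts gathered about one process."""
    namespaces: dict = field(default_factory=dict)  # ns name -> inode number
    cgroups: dict = field(default_factory=dict)     # controllers -> cgroup path
    cap_eff: int = 0        # effective capability mask
    cap_bnd: int = 0        # bounding-set mask
    seccomp_mode: int = 0   # 0 = none, 1 = strict, 2 = filter
    no_new_privs: bool = False


def parse_ns_link(target: str) -> int:
    """Turn a /proc/<pid>/ns/* link target such as 'mnt:[4026531840]' into 4026531840."""
    m = re.fullmatch(r"\w+:\[(\d+)\]", target)
    if not m:
        raise ValueError(f"unexpected namespace link target: {target!r}")
    return int(m.group(1))


def parse_cgroup(text: str) -> dict:
    """Parse /proc/<pid>/cgroup: v1 lines are 'N:ctrl[,ctrl]:/path', v2 is '0::/path'."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hierarchy_id, controllers, path = line.split(":", 2)
        out[controllers or "unified"] = path
    return out


def parse_status(text: str, conf: Confinement) -> Confinement:
    """Pull the hardening-related fields out of /proc/<pid>/status."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "CapEff":
            conf.cap_eff = int(value, 16)
        elif key == "CapBnd":
            conf.cap_bnd = int(value, 16)
        elif key == "Seccomp":
            conf.seccomp_mode = int(value)
        elif key == "NoNewPrivs":
            conf.no_new_privs = value == "1"
    return conf


def differing_namespaces(a: Confinement, b: Confinement) -> list:
    """Namespace types in which the two processes are NOT in the same namespace."""
    return sorted(ns for ns in NAMESPACES
                  if ns in a.namespaces and ns in b.namespaces
                  and a.namespaces[ns] != b.namespaces[ns])


def hardening_findings(conf: Confinement) -> list:
    """Gaps a defender wants to know about: namespaces alone are not a sandbox."""
    findings = []
    if conf.seccomp_mode == 0:
        findings.append("no seccomp filter")
    if not conf.no_new_privs:
        findings.append("no_new_privs not set")
    for name, bit in RISKY_CAPS.items():
        if (conf.cap_bnd >> bit) & 1:
            findings.append(f"{name} in bounding set")
    return findings


def inspect_pid(pid="self") -> Confinement:
    """Read the live facts for a process (needs a Linux /proc)."""
    base = f"/proc/{pid}"
    conf = Confinement()
    for ns in NAMESPACES:
        try:
            conf.namespaces[ns] = parse_ns_link(os.readlink(f"{base}/ns/{ns}"))
        except OSError:
            pass  # namespace type unsupported by this kernel, or not permitted
    with open(f"{base}/cgroup") as f:
        conf.cgroups = parse_cgroup(f.read())
    with open(f"{base}/status") as f:
        parse_status(f.read(), conf)
    return conf


if __name__ == "__main__":
    me = inspect_pid()
    for ns, inode in me.namespaces.items():
        print(f"{ns:7} {inode}")
    for ctrl, path in me.cgroups.items():
        print(f"cgroup {ctrl}: {path}")
    print("findings:", hardening_findings(me) or "none")
```

Run it once on the host and once inside a container and compare: the namespace inodes that differ are the isolation, the cgroup path is the resource accounting, and `hardening_findings` is the sandboxing layer. A process with fresh namespaces but an empty findings list is the combination the first paragraph describes; fresh namespaces with `CAP_SYS_ADMIN` still in the bounding set and no seccomp filter is isolation without hardening.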
The hive mind thinks containers == Docker. Well, it does have a LOT of momentum behind it, but it also gets a lot of (partly justified) criticism.
In no particular order:
- Features are plenty
- Bugs are plenty
- Tooling is quite good
- Containers are to be treated as ephemeral
- Everything is based on images
- Container images are a pretty decent packaging system
- The official images usually run very well
- Vast majority of the public images are of pretty low quality
- Short half-life, keeps you on an upgrade treadmill
- Apparently, for some people, too unstable for production
- Be always ready for sudden changes in direction
- Storage driver story is a mess
  - AUFS dropped by mainline kernel
  - OverlayFS 2
  - ZFS doesn't look stable (from my own experiments)
- Doesn't solve all the problems
- Too many options to fill the gaps; all incompatible; e.g. clustering:
LXC, aka Linux Containers.
A slightly lower-level tool. From what I've gathered:
- Some manual assembly required to get started
- Containers are supposed to be longer-lived, stateful; they resemble a regular Linux distro inside (with init & such)
- A library and a set of command line tools; there are bindings for C, Go, Python, Ruby...
- Actual promises of stability
Builds on top of LXC. If you're not on Ubuntu, you're out of luck. I've tried to figure out how to install it from source on Debian Jessie, with no luck so far.
TODO! Yet to try it.
FreeBSD jails are a first-class citizen on the OS; the tech has existed and was stable long before the container boom. There's also work underway to run Docker containers natively, through various Linux compatibility layers.
- Low-level tool provided by the OS
- Native to the platform
- Stable for years, strong isolation and security guarantees
- You can run whatever you'd normally run on a "real" FreeBSD system; thanks to Debian GNU/kFreeBSD efforts, it's possible to run a big part of a Debian system inside such a jail.
- You probably want a higher-level tool to manage the jails
On FreeBSD, Docker adds a bag of its own issues on top of all the problems it has on Linux: mainly, it relies on the Linux compatibility subsystem (which has its own share of bugs).
OpenBSD doesn't have any native "container" technology, but the OS has a very strong focus on security (and making security easy), which makes a lot of its native functionality usable for ad-hoc "containerization" of specific applications. Specifically: