Juniper Employee
Demystifying Containers and Minimalist Operating Systems
Jul 1, 2015




Minimalist operating systems and containers are in vogue these days, with "thin" as the underlying theme. There is a lot happening in the industry and it can be quite confusing. This blog attempts to explain the various technologies and how the dots connect.


OS-level virtualization has been around for a while (in the form of jails, virtual private servers and containers). The concept is to allow multiple isolated user-space instances on a single host by providing each with a virtual environment that has its own CPU, memory and network. To create isolation, the Linux kernel offers constructs like cgroups, namespaces, SELinux profiles, etc. Containers are isolated Linux systems that run on a host. Containers should not be confused with virtual machines. Containers offer lower overhead (footprint, boot times) than VMs. From an isolation perspective, VMs offer greater isolation than containers.
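To make the namespace and cgroup constructs concrete, the following added example (not from the original post) compares the namespace inodes of a host process and a containerized process to report which namespaces are still shared, and lists the cgroup controllers that confine the process. The sample `/proc` data, the inode numbers and the `/lxc/demo` cgroup path are constructed for illustration.

```python
import os
import re

NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")

# Constructed sample data: readlink() targets of /proc/<pid>/ns/* for a host
# process and for a process in a container started with host networking.
HOST_NS = ["ipc:[4026531839]", "mnt:[4026531840]", "net:[4026531956]",
           "pid:[4026531836]", "user:[4026531837]", "uts:[4026531838]"]
CONTAINER_NS = ["ipc:[4026532291]", "mnt:[4026532289]", "net:[4026531956]",
                "pid:[4026532292]", "user:[4026531837]", "uts:[4026532290]"]
# Constructed /proc/<pid>/cgroup content (cgroup v1 layout, hypothetical path).
CONTAINER_CGROUP = "4:memory:/lxc/demo\n3:cpu,cpuacct:/lxc/demo\n2:devices:/\n"


def parse_ns_links(links):
    """Map namespace type -> inode number from targets like 'pid:[4026531836]'."""
    parsed = {}
    for target in links:
        match = NS_LINK.match(target.strip())
        if match:
            parsed[match.group(1)] = int(match.group(2))
    return parsed


def read_ns_links(pid):
    """Read the live symlink targets under /proc/<pid>/ns (Linux only)."""
    base = f"/proc/{pid}/ns"
    return [os.readlink(os.path.join(base, name)) for name in sorted(os.listdir(base))]


def shared_namespaces(host_links, proc_links):
    """Namespace types where both processes hold the same inode (no isolation)."""
    host, proc = parse_ns_links(host_links), parse_ns_links(proc_links)
    return sorted(ns for ns, inode in proc.items() if host.get(ns) == inode)


def confined_controllers(cgroup_text):
    """Controllers whose cgroup path is not the root '/', i.e. limits can apply."""
    confined = []
    for line in cgroup_text.splitlines():
        fields = line.split(":", 2)  # hierarchy-id:controllers:path
        if len(fields) == 3 and fields[2] != "/":
            confined.extend(c for c in fields[1].split(",") if c)
    return sorted(confined)


if __name__ == "__main__":
    print("shared with host:", shared_namespaces(HOST_NS, CONTAINER_NS))
    print("confined by cgroups:", confined_controllers(CONTAINER_CGROUP))
```

On a live Linux host, `read_ns_links(1)` and `read_ns_links(<pid>)` supply the same inputs; any namespace reported as shared is one where the container sees the host's resources directly.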


Multiple execution environments exist in Linux to containerize applications. A few well-known ones are:


  • LXC

LXC provides user-space tools, APIs and templates to manage containers. The interface might vary across distributions. Docker used LXC as the execution environment (prior to release 0.9).


  • libvirt

libvirt is a toolkit that provides virtualization capabilities to Linux. It also provides an interface to manage containers. The advantage of libvirt is a consistent interface for managing both VMs and containers.


  • systemd-nspawn

systemd-nspawn provides a container management tool that is simpler than libvirt. It is packaged along with systemd.


  • libcontainer

libcontainer provides a standard interface to manage a container and is OS agnostic. Multiple vendors have contributed to defining the libcontainer functionality (e.g. Parallels, Canonical). It is on its way to becoming an industry standard and is written natively in Go.




With the widespread adoption of containers, the industry focus shifted towards automating the deployment of applications inside containers. The sheer number of players in this space gives the illusion that container wars have begun! Well-known players include Docker, Rocket, LXD, Spoonium, Flockport and Pivotal Garden, amongst others.


LXD is a container hypervisor. It is built on top of LXC to provide a new user experience, with a clean API and command line interface. It provides more security and live migration capabilities, among other things. The project is driven by Canonical/Ubuntu.


Docker defines itself as "an open platform for building, shipping and running distributed applications". With release 0.9, Docker started using libcontainer as the execution environment. Microsoft recently announced Docker support for Azure. Docker containers have their own format.


Rocket is an alternative to Docker from CoreOS. Its genesis was to address the shortcomings of Docker, namely ease of use and security. It uses systemd-nspawn as the execution environment. It has a new container format and focuses on the simplicity and security aspects that were lacking in Docker. Google, Red Hat and VMware back it.


Pivotal Garden is a container management tool from Pivotal. It is written in Go and uses LXC as the execution environment. It has its own container format.


Users had to choose between Docker and Rocket. This gave rise to the creation of open industry standards around containers and runtimes. The Open Container Project is the result. It is a non-profit open governance structure under the aegis of the Linux Foundation. It is backed by most of the industry (e.g. HP, Red Hat, IBM, Google, VMware, EMC) and of course Docker and Rocket. We can anticipate future versions of Docker and Rocket adhering to the Open Container Project.


With cloud going mainstream, the need for a lean OS is gaining ground. The primary drivers are a lower footprint, better performance, fewer bugs and simplicity of maintenance and deployment.


Project Atomic is an initiative to create minimal versions of RHEL, designed mainly to run containerized applications.


Snappy Ubuntu Core is an initiative from Canonical to create a lean Ubuntu server. The focus is to have a single platform from cloud to device. Snappy has transactional upgrade and rollback semantics. It uses a new mechanism for application delivery and updates (i.e. it doesn't use apt-get or debs). Canonical is targeting Snappy for software-defined CPE appliances, the Open Source Robotics Foundation, white box switches, IoT, etc. It is available on a wide range of x86 and ARM platforms.


CoreOS is an open source derivative of Google's Chrome OS. It is designed to simplify container deployment in clustered environments. Apart from the operating system (CoreOS), it also has tools for distributed init (fleet), consensus and discovery (etcd), container runtime (rkt) and networking (flannel). It started Rocket containers to address Docker shortcomings. Kubernetes is a tool from Google to manage a cluster of Linux containers as a single system. CoreOS offers Tectonic, which combines Kubernetes and CoreOS in an integrated package.


Photon is a lightweight (~300MB) Linux OS for cloud native applications from VMware. The plan is to open source it under the GPL v2 license. It supports Docker, Rocket and Pivotal Container. It is intended to be run as a guest OS on the ESX hypervisor and not on bare metal.


Nano Server is a purpose-built Windows OS designed for cloud applications and containers. It is a refactored version of Windows Server. Microsoft terms it the nucleus for modern apps and cloud. Microsoft and Docker announced a partnership to manage Windows Server containers and Hyper-V containers from the Docker engine.