Chroot vs Docker
I'm trying to learn the basics about containers (Docker in this case). As far as I have learned from the Docker docs and several readings, Docker basically provides isolation by running the container using runc (previously using LXC). Either way, it uses the same kernel as the host machine. Thus, the container image needs to be compatible with the host kernel. I find this very similar to what a chroot does. Could somebody explain to me any differences and/or advantages of using Docker rather than chroot? (besides the extras provided by Docker such as packaging, Docker Hub, and all the nice features provided by Docker)

Archangel answered 27/9, 2017 at 14:20 Comments (4)
The salient points (re: kernel namespace isolation) are already answered in no end of "how does Docker differ from X?" questions, even if we don't already have one for chroot specifically. – Denson
I think having this specific question is good because chroot was the "first" isolation solution in Linux AFAIK. And it's the first question that comes to mind because chroot shares the host kernel also. – Archangel
Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See What topics can I ask about here in the Help Center. Perhaps Super User or Unix & Linux Stack Exchange would be a better place to ask. – Vertebrate
I actually found this question when considering how paths and packaging were different, as well as the implications for security, in respect to "Chroot vs. Docker". These are absolutely fundamental questions. So it seems a fair question that a developer might pose to themselves before requesting their infrastructure colleagues to provision hosts for them. Indeed, I felt the question was well written and worthy of an upvote. – Zuber

Docker allows isolating a process at multiple levels through namespaces:

  • mnt namespace provides a root filesystem (this one can be compared to chroot I guess)
  • pid namespace so the process only sees itself and its children
  • network namespace which allows the container to have its dedicated network stack
  • user namespace (quite new) which allows a non-root user on a host to be mapped to the root user within the container
  • uts provides dedicated hostname
  • ipc provides dedicated shared memory

All of this adds more isolation than chroot provides.

Sutler answered 27/9, 2017 at 14:28 Comments (2)
There are also cgroups (for cpu and memory limits), reduced capabilities, seccomp, selinux/apparmor, and ulimits. The filesystem is also layered, potentially read only, and allowed to be overlaid with volume mounts. – Turbofan
Great answer Luc, but could be improved incorporating @Turbofan's feedback into the answer itself where it won't be potentially missed. – Zuber
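The practical way to see the difference the answer describes is to compare a process's namespaces, as exposed under `/proc/<pid>/ns/`, with those of a reference process: a chroot'ed process still shares every namespace with the host and only its root directory has moved, while a runc-started container process holds its own mnt, pid, net, uts and ipc namespaces. The inspector below is an added example, not code from the answer or from Docker; the namespace inode values in the `HOST`, `CHROOTED` and `CONTAINER` samples are constructed, and `classify` is a hypothetical heuristic of mine (live inspection of another user's process needs root).

```python
"""Compare a process's Linux namespaces and root directory with a reference
process. A chroot only moves the root directory; Docker (runc) additionally
gives the process private mnt/pid/net/uts/ipc namespaces (user is optional)."""
import os

# The namespaces the answer lists, by their names under /proc/<pid>/ns/
NAMESPACES = ("mnt", "pid", "net", "uts", "ipc", "user")


def read_ns(pid):
    """Return {name: 'mnt:[4026531840]', ...} for a live PID.
    Needs /proc and permission to inspect that PID (same user or root)."""
    base = f"/proc/{pid}/ns"
    return {ns: os.readlink(f"{base}/{ns}") for ns in NAMESPACES
            if os.path.exists(f"{base}/{ns}")}


def isolation_report(proc_ns, ref_ns):
    """Split the process's namespaces into shared-with-reference and private."""
    shared = sorted(ns for ns in proc_ns if proc_ns[ns] == ref_ns.get(ns))
    private = sorted(ns for ns in proc_ns if proc_ns[ns] != ref_ns.get(ns))
    return {"shared": shared, "private": private}


def classify(report, root_differs):
    """Hypothetical heuristic: 'namespaced' if at least mnt and pid are private,
    'chroot-only' if only the root directory moved, otherwise 'host'."""
    if {"mnt", "pid"} <= set(report["private"]):
        return "namespaced"
    return "chroot-only" if root_differs else "host"


def inspect(pid, ref_pid=1):
    """Live check of PID against a reference (PID 1 by default, which needs root;
    use the parent PID when running unprivileged)."""
    report = isolation_report(read_ns(pid), read_ns(ref_pid))
    root_differs = os.readlink(f"/proc/{pid}/root") != os.readlink(f"/proc/{ref_pid}/root")
    return classify(report, root_differs), report


# Constructed sample values (not from a real system) for the two cases.
HOST = {"mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]", "net": "net:[4026531992]",
        "uts": "uts:[4026531838]", "ipc": "ipc:[4026531839]", "user": "user:[4026531837]"}
CHROOTED = dict(HOST)  # chroot leaves every namespace identical to the host's
CONTAINER = {"mnt": "mnt:[4026532455]", "pid": "pid:[4026532456]", "net": "net:[4026532458]",
             "uts": "uts:[4026532453]", "ipc": "ipc:[4026532454]", "user": "user:[4026531837]"}

if __name__ == "__main__":
    print("chroot:", classify(isolation_report(CHROOTED, HOST), True))
    print("docker:", classify(isolation_report(CONTAINER, HOST), True))
    print("self vs parent:", inspect(os.getpid(), os.getppid()))  # expect 'host'
```

Comparing a real container PID against the host's PID 1 also surfaces the case the Turbofan comment hints at: without user-namespace remapping, `user` shows up as shared, so root inside the container is still host uid 0.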
