Re: [Publicity] Docker Open Source Container Virtualization on the Rise
On Wed, 2014-02-12 at 12:29 +0400, Glauber Costa wrote:
> - The performance thing with containers is *not* true. They use
> cgroups, which are expensive.

I think I knew this in my subconscious (having read about it on LWN etc way back when) but hadn't really dragged it up to my forebrain ;-), this is a very interesting point.

> As much as I have succeeded to make that cost go down,
> it is still expensive. We are doing benchmarks against Linux as a
> guest, maybe we should start looking at doing benchmarks against a
> container environment?

It would certainly be interesting to know the answer IMHO.

> - I am following the follow up of my work closely (kmemcg shrinking),
> and this is not yet complete in Linux. What it means is that it is
> still impossible
> to properly control kernel memory used by each container. It is still
> trivial for a malicious container to destroy everything. There are
> many other holes to gap,
> and while they are there containers are particularly insecure.

Worth knowing!

> The advantage of containers that we do need to be aware of, is that it
> allows for greater flexibility of resource sharing. For instance, you
> can leave
> all processes to use the disk cpu freely, while they are restricted
> for memory only. This can be handy in some cases, but it is probably
> not that broadly
> relevant.

They also share e.g. a page cache, although with multiple containers I don't know how beneficial that is in practice -- do they have any sort of "cross-container" memory sharing?

Ian.