A container is a virtual space containing a set of limited resources. They are used to isolate sets of applications and establish virtual environments.
- Concept of container
- Containers hierarchy
- Process isolation
- Virtual hardware
- Virtual filesystem
- Performances
- Limitations
A container is represented by a single 64-bit identifier, randomly generated by the kernel. It is attached as a process' attributes.
It is created, managed and destroyed by the sys::proc
service.
A given container may create child containers, in which case the creator is called the parent container.
When a container is destroyed, all children containers in the hierarchy are destroyed as well.
Processes in containers can only communicate with processes of the same container. No outside access is permitted.
In practice, communication with system services is possible thanks to them being aware of the container's informations when receiving a process request.
Communication with the kernel is fully permitted, with limitations applying to the container itself.
No hardware device is available by default to a container. Real hardware devices can be connected using a passthrough method from the parent container, and virtual hardware devices can be plugged as well.
The main filesystem of a container is by default a virtual filesystem stored inside a virtual storage file (VSF).
The parent container cannot directly connect a part of its own filesystem into a child's one ; it needs to setup a virtual storage device, which can then be mounted using the related system services.
Note that the system has builtin support for a set of virtual devices which are meant to be used on containers, with native support, which permits to prevent any driver overhead.
Performances of a container are exactly the same as a normal running program, given there is no emulation of any sort.
However, some I/O operations may result in a small overhead given that system services, as well as the kernel, need to check the permissions associated to the container in addition to transmitting methods and notifications from virtual hardware devices.
A container can be created instantly.
A container can only run NightOS applications. As it is not a virtul machine, the kernel version and behaviour will also remain exactly identical across all containers, and upgrading the kernel itself will upgrade it for all containers as well.
If an application is not directly installed inside a container but instead shared as a mount point from the parent container, upgrading or removing the application will have the same effect in the child container.