Containerization-Models
To make the container models and their variations easy to compare, this wiki page groups them by what they package and isolate: whole applications, or individual processes.
Application Containers
Application containers package an application together with all of its dependencies, executables and libraries included, so that it runs independently of the execution environment. Examples of application containers are listed in the following table. Some of them come with a sandbox feature: running an application container in a sandbox limits its access to the host operating system, which contains the damage a compromised or malicious application can do.
Name | Supported Operating Systems | Sandbox | Root Access | Hydra Release |
---|---|---|---|---|
Ubuntu Snappy (snap) | Linux | Strict confinement only (classic snaps are unconfined) | Required for installation | Amber Stable |
XDG Flatpak (xdg-app) | Linux | Yes by default (bubblewrap; permissions are declared per app) | Rootless | Not planned |
AppImage | Linux | None built in; optional via firejail | Rootless | Not planned |
Zero Install | Linux, Unix, macOS, Windows | Optional (EBox) | Rootless | Not planned |
Process Containers
A Process Container deals with processes rather than applications and virtualizes them using Linux namespaces and control groups (cgroups). Namespaces alter the process' view of the host operating system in terms of accessible resources (which PIDs, mounts, network interfaces, hostname and user IDs it can see), and cgroups bound the CPU, memory and I/O it may consume. Sandboxing is also common practice for process containers, typically a seccomp syscall filter, a reduced capability set and an AppArmor or SELinux profile, because the kernel is shared with the host and namespaces alone do not stop a process from calling into it. A process container does not ship its own kernel: its image supplies a full high-level operating system (a distribution's user space of tools and libraries) that runs on top of the host's low-level operating system, which provides the kernel and a minimal stack of tools and libraries.
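The change of view described above, as an added example that is not part of this wiki or of any container engine: a helper process moves into new user, UTS and PID namespaces with unshare(2), renames its private hostname, and forks a grandchild that becomes PID 1 of the new PID namespace, while the parent stays outside and reports its own view. It assumes a Linux host where unprivileged user namespaces are allowed; the hostname "ns-demo-host" is a made-up value.

```python
"""Linux namespaces changing a process's view of the host.

Added example, not code from this wiki or from any container engine. A helper
process moves into new user, UTS and PID namespaces with unshare(2), renames its
private hostname, and forks a grandchild that becomes PID 1 of the new PID
namespace. The parent stays in the original namespaces and reports its own view.
Assumptions: Linux, and either Python 3.12+ (os.unshare) or a libc exposing
unshare(); "ns-demo-host" is a made-up hostname for the demonstration."""
import ctypes
import json
import os
import socket

# Flag values from <linux/sched.h>.
CLONE_NEWUTS = 0x04000000
CLONE_NEWUSER = 0x10000000
CLONE_NEWPID = 0x20000000


def unshare(flags):
    """unshare(2) through the stdlib where available, otherwise through libc."""
    if hasattr(os, "unshare"):
        os.unshare(flags)
        return
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.unshare(flags) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


def read_all(fd):
    """Read a pipe to EOF and close it."""
    chunks = []
    while True:
        chunk = os.read(fd, 4096)
        if not chunk:
            os.close(fd)
            return b"".join(chunks)
        chunks.append(chunk)


def probe_namespaces():
    """Compare a process's view from inside fresh namespaces with the parent's.

    Returns a dict. supported is False (with errno) when the kernel or an outer
    sandbox refuses unprivileged namespaces: EPERM from a seccomp profile or a
    sysctl, EINVAL from a multithreaded caller or a kernel built without user
    namespaces, ENOSPC when the nesting limit is hit. That is the failure mode
    to expect on hardened hosts and under Docker's default seccomp profile.
    """
    outside = {"pid_outside": os.getpid(), "uid_outside": os.getuid(),
               "hostname_outside": socket.gethostname()}
    rd, wr = os.pipe()
    helper = os.fork()
    if helper == 0:
        os.close(rd)
        try:
            # CLONE_NEWUSER comes first: it grants this unprivileged process a
            # full capability set inside the new user namespace, which then
            # owns the UTS and PID namespaces created by the same call.
            unshare(CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWPID)
        except OSError as exc:
            os.write(wr, json.dumps({"supported": False, "errno": exc.errno}).encode())
            os._exit(0)
        report = {"supported": True}
        try:
            # CAP_SYS_ADMIN in the new user namespace allows sethostname(2);
            # the new name exists only inside the new UTS namespace.
            socket.sethostname("ns-demo-host")
        except OSError as exc:
            report["hostname_errno"] = exc.errno
        # CLONE_NEWPID applies to children only, so the grandchild is PID 1 there.
        grd, gwr = os.pipe()
        child = os.fork()
        if child == 0:
            os.close(grd)
            inside = {"pid_inside": os.getpid(), "uid_inside": os.getuid(),
                      "hostname_inside": socket.gethostname()}
            os.write(gwr, json.dumps(inside).encode())
            os._exit(0)
        os.close(gwr)
        report.update(json.loads(read_all(grd)))
        os.waitpid(child, 0)
        os.write(wr, json.dumps(report).encode())
        os._exit(0)
    os.close(wr)
    data = read_all(rd)
    os.waitpid(helper, 0)
    report = json.loads(data)
    report.update(outside)
    return report


if __name__ == "__main__":
    print(json.dumps(probe_namespaces(), indent=2))
```

Run it as an ordinary user: pid_inside is 1 and uid_inside is typically 65534 (the unmapped overflow uid, since no uid_map was written), while the parent's PID, uid and hostname are unchanged. A result of supported false with errno 1 means an outer seccomp profile or sysctl refuses unprivileged user namespaces, which is exactly the restriction hardened hosts and container runtimes impose on the processes they run.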
A Container Engine is a stack of software capable of building, publishing, pulling, running and controlling process containers. Running a process container is done by a Container Runtime, which has a high-level part responsible for extracting the Container Image into an Executable Bundle (a root filesystem plus a config.json describing the process, its mounts and its isolation) and for setting up the environment including networking and storage, and a low-level part responsible for executing the bundle and applying that configuration to the process. The following software solutions are offered as container engines, listed with their default stack of software. The design of both is pluggable, so tools other than the defaults can be used.
Name | Supported Standards | Default Runtimes | Image Builder | Image Manager | Modes | Hydra Release |
---|---|---|---|---|---|---|
Docker Engine | Docker image manifest v2 + OCI | containerd over runc | BuildKit | Distribution | dockerd, Compose, Swarm, K8s | Amber Stable |
Podman | OCI | conmon over crun | Buildah | Skopeo | Compose, Kube Play, K8s | Amber Edge |
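The bundle that the high-level runtime hands to the low-level one is where an engine's isolation decisions become concrete, so it is the right place to check them. The following is an added example, not code from this wiki, Docker, Podman, runc or crun: it audits an OCI runtime bundle config.json for weak settings (missing namespaces, real root without a user namespace, dangerous capabilities, no seccomp, writable rootfs, host paths bind-mounted in). The two sample configs are constructed for the example; their paths, uid mapping and syscall list are made up, and WEAK_CONFIG is the kind of bundle that engine flags such as --net=host, --cap-add and -v /:/host produce.

```python
"""Audit an OCI runtime bundle config.json for weak isolation settings.

Added example, not code from this wiki, Docker, Podman, runc or crun. The
high-level runtime writes config.json when it unpacks an image into a bundle and
the low-level runtime applies it as written, so the bundle is where host
namespaces, added capabilities or host mounts become visible. The two sample
configs are constructed; their paths, uid mapping and syscall list are made up."""
import json
import os

# runc/crun create only the namespace types listed; an omitted type keeps the host's.
REQUIRED_NAMESPACES = {"pid", "mount", "network", "ipc", "uts"}
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
                  "CAP_SYS_RAWIO", "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH"}
# Host paths that hand over the host when bind-mounted into a container.
SENSITIVE_HOST_PATHS = {"/", "/proc", "/sys", "/dev", "/var/run/docker.sock",
                        "/run/docker.sock", "/run/podman/podman.sock"}


def audit_bundle_config(config):
    """Return a list of findings; an empty list means nothing weak was seen."""
    findings = []
    linux = config.get("linux", {})
    process = config.get("process", {})
    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    for ns in sorted(REQUIRED_NAMESPACES - present):
        findings.append(f"namespace: shares host {ns} namespace")
    # uid 0 with no user namespace is uid 0 on the host kernel.
    if process.get("user", {}).get("uid", 0) == 0 and "user" not in present:
        findings.append("user: runs as uid 0 without a user namespace")
    # The bounding set is the ceiling for every other capability set.
    bounding = set(process.get("capabilities", {}).get("bounding", []))
    for cap in sorted(bounding & DANGEROUS_CAPS):
        findings.append(f"capability: {cap} in bounding set")
    if not process.get("noNewPrivileges", False):
        findings.append("process: noNewPrivileges not set (setuid binaries can escalate)")
    if not config.get("root", {}).get("readonly", False):
        findings.append("root: rootfs is writable")
    if not linux.get("seccomp"):
        findings.append("seccomp: no profile, every syscall of the shared kernel is reachable")
    if not linux.get("maskedPaths"):
        findings.append("proc: no maskedPaths (e.g. /proc/kcore stays readable)")
    for m in config.get("mounts", []):
        if m.get("type") != "bind":
            continue
        src = m.get("source", "")
        src = src if src == "/" else src.rstrip("/")
        if src in SENSITIVE_HOST_PATHS:
            findings.append(f"mount: host {src} bind-mounted at {m.get('destination')}")
        elif "ro" not in m.get("options", []):
            findings.append(f"mount: writable bind mount of {src} at {m.get('destination')}")
    return findings


def audit_bundle(bundle_dir):
    """Audit the config.json of an unpacked bundle directory on disk."""
    with open(os.path.join(bundle_dir, "config.json")) as fh:
        return audit_bundle_config(json.load(fh))


# Constructed: root, host networking, extra capabilities, host root and engine socket mounted in.
WEAK_CONFIG = {
    "ociVersion": "1.0.2",
    "process": {"user": {"uid": 0, "gid": 0}, "args": ["/bin/sh"],
                "capabilities": {"bounding": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE",
                                              "CAP_SYS_ADMIN", "CAP_SYS_PTRACE"]}},
    "root": {"path": "rootfs", "readonly": False},
    "mounts": [
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {"destination": "/var/run/docker.sock", "type": "bind",
         "source": "/var/run/docker.sock", "options": ["rbind", "rw"]},
        {"destination": "/host", "type": "bind", "source": "/", "options": ["rbind", "rw"]},
    ],
    "linux": {"namespaces": [{"type": t} for t in ("pid", "mount", "ipc", "uts")]},
}

# Constructed: the same workload with the runtime's isolation settings turned on.
HARDENED_CONFIG = {
    "ociVersion": "1.0.2",
    "process": {"user": {"uid": 1000, "gid": 1000}, "args": ["/app/server"],
                "noNewPrivileges": True,
                "capabilities": {k: ["CAP_NET_BIND_SERVICE"]
                                 for k in ("bounding", "effective", "permitted")}},
    "root": {"path": "rootfs", "readonly": True},
    "mounts": [
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {"destination": "/etc/resolv.conf", "type": "bind",
         "source": "/run/example/resolv.conf", "options": ["bind", "ro"]},
    ],
    "linux": {
        "namespaces": [{"type": t} for t in
                       ("pid", "mount", "network", "ipc", "uts", "user", "cgroup")],
        "uidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
        "maskedPaths": ["/proc/kcore", "/proc/keys", "/proc/sysrq-trigger", "/sys/firmware"],
        "seccomp": {"defaultAction": "SCMP_ACT_ERRNO", "architectures": ["SCMP_ARCH_X86_64"],
                    "syscalls": [{"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}]},
    },
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, json.dumps(audit_bundle_config(cfg), indent=2))
```

Point audit_bundle() at a directory the high-level runtime has already prepared (for Docker, a container's bundle under containerd's state directory; for Podman, the container's bundle under its run root) to see what the engine actually asked the low-level runtime to apply, independent of what the Dockerfile or image manifest claims. The check is deliberately conservative: an omitted namespace type is reported as shared with the host because that is how runc and crun treat it, and a missing seccomp profile is reported even when an LSM profile exists, since the two restrict different things.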