Discover more from Bitesized Engineering
Containers are like The Truman Show
Chronicles of Containers - Part 4
I’ve been gearing it a bit up this week and that’s why I’m publishing a bit more than usual. And this really happens a lot - the moment I get interested in a topic and the more I gain knowledge of it, the more I’m curious and the faster do I produce content. Does that happen to you as well?
Anyway, this is kind of the analogy I like because it’s simple to understand. Well, assuming you did watch The Truman Show. Check of the image first and, as usual, more details can be found below it.
(click on the image to expand it)
Interestingly enough, from the point of view of Container (or better said - process runing inside of container) - it has no clue that it's "containerized". It sees a fully functional file system, has it's own registry (in Windows at least), sees a full processlist with only processes relevant to it ... Objectively, without diving deeper, process sees everything as if it were running "normally". It's actually quite a funny exercise to figure out whether you're in container or not :)
This is why I like to say that it's like The Truman Show. Everything looks normal and you think it's 'business as usual'. But it's not. You are actually locked inside somebody else's environment and that someone has a fully overview of what you are doing. And that someone is Host's Operating System.
One potential issue, just like in The Truman Show is that, once you figure out that you are inside a "cage" (or, container), you might want to try and break out. Even worse if you are a malicious app running inside container. You might intentionally want to break out, gain access to Host OS and then elevate yourself to admin.
What I described above is referred to as "Process Isolation". Your container is "isolated" within a process but it could try to GET OUT of that process. But there's a better way and it's called "Hyper-V Isolation". In Hyper-V isolation mode, your container is running inside a very lightweight VM but given that VM communicates directly to Hardware, you get quite some security and isolation, at the cost of some performance.
I will do some deeper dive into Process vs Hyper-V isolation, but what's important to remember for now is that Container is really nothing more than a Process inside your machine. And this has pros (e.g. lighweightedness) and cons (e.g. security).
Next time I'll take a step deeper into the whole matter and discuss some low-level stuff (containerd, hcshim, hcs, etc.). And best way not to miss next article is to subscribe to the newsletter, if you haven’t already :)
Other articles in the Container series:
Container is not a VM - and what that really means? (Part 3 of the series) - a glimpse into some of the main differences between the two.
How do COWs (Containers on Windows) work? (Part 5 of the series) - specific focus on running containers natively on Windows.
Intro to Container Networking (Part 6 of the series) - provides introduction to how networking works inside containers.