The more complex a program or application, the more likely it is to contain exploitable or otherwise dangerous faults. Containers limit the damage such a fault can do by limiting an application's access to the bare minimum it needs. Ideally we would have a separate and instantly replaceable computer for every little daemon and service we run. Sadly, even with virtual machines that is hardly an efficient use of resources, so containers settle for a middle ground: applications are separated almost as if they ran on different machines, while actually sharing the same hardware and operating system kernel. That shared kernel is also the catch: a kernel bug reachable from inside a container is a potential escape, which is why the hardening mechanisms below matter and not just the isolation ones.
Several features come together to make this possible:
- chroot
- namespaces
- cgroups
And it is a good idea to augment them with others:
- seccomp-bpf syscall filter
- packet filtering (ebtables for bridged Ethernet traffic, iptables/nftables at the IP layer)
- virtual network devices
- apparmor
Armed with these keywords, your week should now be filled with interesting and productive reading. :-)
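Before reading further, it is worth being able to tell which of these mechanisms are actually in force for a given process, since "it runs in a container" says nothing about whether seccomp, a reduced capability set, a cgroup or a fresh set of namespaces are present. The script below is an added example, not code from the original page: it reads the kernel's own bookkeeping under /proc and reports what it finds. The /proc excerpts used as sample input are constructed; the initial-namespace inode numbers are the fixed constants from the kernel's include/linux/proc_ns.h (mnt and net namespaces get dynamically allocated inodes, so they cannot be checked that way); the file name isolation_check.py is hypothetical.

```python
"""Report which isolation mechanisms (seccomp, capabilities, cgroups,
namespaces, LSM confinement) are in force for a process, using /proc only.

Added example, not code from the original page. Sample /proc excerpts are
constructed; the initial-namespace inode numbers are the fixed constants
from the kernel's include/linux/proc_ns.h.
"""
import os
from typing import Dict, Optional

# Constructed excerpt of /proc/<pid>/status for a process inside a
# seccomp-filtered container running with a reduced capability set.
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "Pid:\t1\n"
    "CapEff:\t00000000a80425fb\n"
    "NoNewPrivs:\t1\n"
    "Seccomp:\t2\n"
)
# Constructed /proc/<pid>/cgroup line as written by a cgroup v2 kernel.
SAMPLE_CGROUP = "0::/system.slice/docker-0123abcd.scope\n"

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Inode numbers of the initial (host) namespaces, from include/linux/proc_ns.h.
# mnt and net namespaces are allocated dynamically and are not listed.
INITIAL_NS_INODES = {
    "ipc": 0xEFFFFFFF, "uts": 0xEFFFFFFE, "user": 0xEFFFFFFD,
    "pid": 0xEFFFFFFC, "cgroup": 0xEFFFFFFB, "time": 0xEFFFFFFA,
}

def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def seccomp_mode(status: Dict[str, str]) -> Optional[str]:
    """Seccomp field: 0 = off, 1 = strict, 2 = a BPF filter is attached."""
    raw = status.get("Seccomp", "")
    return SECCOMP_MODES.get(int(raw)) if raw.isdigit() else None

def effective_caps(status: Dict[str, str]) -> Optional[int]:
    """CapEff is a hex bitmask of the effective capability set."""
    raw = status.get("CapEff")
    return int(raw, 16) if raw else None

def has_cap(caps: int, bit: int) -> bool:
    """True if capability number `bit` (e.g. CAP_SYS_ADMIN = 21) is set."""
    return bool((caps >> bit) & 1)

def cgroup_path(text: str) -> Optional[str]:
    """Cgroup of the process: the v2 '0::' line if present, else the first
    v1 controller line (format 'id:controllers:path')."""
    lines = [line.split(":", 2) for line in text.splitlines()]
    for parts in lines:
        if len(parts) == 3 and parts[0] == "0" and parts[1] == "":
            return parts[2]
    for parts in lines:
        if len(parts) == 3:
            return parts[2]
    return None

def namespace_is_initial(link_target: str) -> Optional[bool]:
    """Given readlink(/proc/<pid>/ns/<kind>), e.g. 'pid:[4026531836]',
    say whether that is the host's initial namespace. None = cannot tell."""
    kind, _, rest = link_target.partition(":[")
    inode = int(rest.rstrip("]"))
    expected = INITIAL_NS_INODES.get(kind)
    return None if expected is None else inode == expected

def live_report(pid: str = "self") -> Dict[str, object]:
    """Gather the same facts for a running process (Linux only)."""
    base = f"/proc/{pid}"
    report: Dict[str, object] = {}
    try:
        with open(f"{base}/status") as f:
            status = parse_status(f.read())
        report["seccomp"] = seccomp_mode(status)
        report["no_new_privs"] = status.get("NoNewPrivs") == "1"
        caps = effective_caps(status)
        report["cap_sys_admin"] = has_cap(caps, 21) if caps is not None else None
        with open(f"{base}/cgroup") as f:
            report["cgroup"] = cgroup_path(f.read())
        for kind in sorted(os.listdir(f"{base}/ns")):
            report[f"ns_{kind}_is_host"] = namespace_is_initial(
                os.readlink(f"{base}/ns/{kind}"))
        # LSM label: 'unconfined' or 'profile (mode)' under AppArmor;
        # reading fails on kernels without an LSM that uses this file.
        with open(f"{base}/attr/current") as f:
            report["lsm_label"] = f.read().strip("\n\0")
    except OSError as e:
        report["error"] = str(e)
    return report

if __name__ == "__main__":
    for key, value in sorted(live_report().items()):
        print(f"{key:20} {value}")
```

Run it once on the host and once inside a container and compare: on a plain host you should see the pid/uts/ipc/user namespaces flagged as the initial ones, seccomp disabled and CAP_SYS_ADMIN present; inside a reasonably configured container all four of those should be the other way round. A container that still reports the host's user namespace and CAP_SYS_ADMIN is relying on a single layer (the mount namespace) for its isolation, which is exactly the situation the augmenting mechanisms in the list are meant to avoid.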
If all you want are some opinionated basics however, read on: