Docker provides a way to package applications into containers that can be run on any infrastructure. It uses namespaces and cgroups to isolate processes and share resources efficiently. The key components are images which are read-only templates for building containers, registries for storing images, and containers which combine an image with writable layers and metadata to run applications anywhere. Docker uses a client-server architecture with containers built from images and managed through commands to the Docker daemon which handles building, running, and distributing containers.
Docker is an operating system virtualization tool making waves across cloud technology operations. Ahsan Ullah (Director of Server Engineering) put together a presentation and held a talk / Q & A session to introduce Docker to our engineering division.
Linux Containers(LXC) allow running multiple isolated Linux instances (containers) on the same host.
Containers share the same kernel with anything else that is running on it, but can be constrained to only use a defined amount of resources such as CPU, memory or I/O.
A container is a way to isolate a group of processes from the others on a running Linux system.
Presentation on the Linux namespaces and system calls used to provide container isolation with Docker. Presented in March 2015 at http://www.meetup.com/Docker-Phoenix/ in Tempe, Arizona.
Dojo given at ESEI, Uvigo.
The slides include a set of great slides from a presentation made by Elvin Sindrilaru at CERN.
Docker is an open platform for building, shipping and running distributed applications. It gives programmers, development teams and operations engineers the common toolbox they need to take advantage of the distributed and networked nature of modern applications.
Docker is an operating system virtualization tool making waves across cloud technology operations. Ahsan Ullah (Director of Server Engineering) put together a presentation and held a talk / Q & A session to introduce Docker to our engineering division.
Linux Containers(LXC) allow running multiple isolated Linux instances (containers) on the same host.
Containers share the same kernel with anything else that is running on it, but can be constrained to only use a defined amount of resources such as CPU, memory or I/O.
A container is a way to isolate a group of processes from the others on a running Linux system.
Presentation on the Linux namespaces and system calls used to provide container isolation with Docker. Presented in March 2015 at http://www.meetup.com/Docker-Phoenix/ in Tempe, Arizona.
Dojo given at ESEI, Uvigo.
The slides include a set of great slides from a presentation made by Elvin Sindrilaru at CERN.
Docker is an open platform for building, shipping and running distributed applications. It gives programmers, development teams and operations engineers the common toolbox they need to take advantage of the distributed and networked nature of modern applications.
An introduction to Linux Container, Namespace & Cgroup.
Virtual Machine, Linux operating principles. Application constraint execution environment. Isolate application working environment.
Introduction to automated environment management with Docker Containers - for...Lucas Jellema
(presented at the AMIS Platform SIG session on October 1st 2015, Nieuwegein, The Netherlands)
Creating and managing environments for development and r&d activities can be cumbersome. Quickly spinning up databases and web servers, using physical resources in a smart way, installing application components and having everything talk to each other can take a lot of time. This presentation introduces Docker - the key aspects of build, ship and run. It discusses the main concepts and typical actions.
Next, it takes you by the hand and introduces you to Vagrant and Virtual Box for quickly provisioning VMs in which Docker containers run platform components, applications and microservices - all environments fine tuned using Puppet and interacting with Git(Hub). We start from zero on your laptop and end with local environments in which to develop, test and run various types of applications.
The presentation spends some time on Oracle 's position regarding Docker and containers.
presentation held at SUSE Linux Expert Forum December 2014
Linux container history and Linux namespaces
examples include:
* Move a VPN connection to its own namespace(p 25)
* User namespaces demo(p 28)
see collection of useful articles and advanced container usecases pp 29
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConJérôme Petazzoni
Containers are everywhere. But what exactly is a container? What are they made from? What's the difference between LXC, butts-nspawn, Docker, and the other container systems out there? And why should we bother about specific filesystems?
In this talk, Jérôme will show the individual roles and behaviors of the components making up a container: namespaces, control groups, and copy-on-write systems. Then, he will use them to assemble a container from scratch, and highlight the differences (and likelinesses) with existing container systems.
Docker storage drivers by Jérôme PetazzoniDocker, Inc.
The first release of Docker only supported AUFS, and AUFS was available (out of the box) only on Debian and Ubuntu kernel. Then Red Hat wanted Docker to run on its distros, and contributed the Device Mapper driver, and later the BTRFS driver, and recently the overlayfs driver.
Jérôme presents how those drivers compare from a high-level perspective, explaining their pros and cons.
Then he showed each driver in action, and look at low-level implementation details. We won't dive into the golang implementation code itself, but we will explain the concepts of each driver. This will help to better understand how they work, and give some hints when it comes to troubleshoot their behaviour.
Union FileSystem - A Building Blocks Of a ContainerKnoldus Inc.
Namespace, CGroup, and Union file-system are the basic building blocks of a container. Let’s have our focus on file-system. Why yet another file-system for the container? Is Conventional Linux file-systems like ext2, ext3, ext4, XFS, etc. not good enough to meet the purpose? In this blog post, I will try to answer these questions. Here we will be delving deeply into the Union File System and a few of its essential properties.
À l’occasion de l’industrialisation de l’usine logicielle au sein du projet Libon d’Orange, l’introduction des conteneurs a révolutionné le développement, la construction et le déploiement des applications grâce à la mise en place d’une nouvelle plateforme d’intégration continue entièrement conteneurisée. Dans le cadre d’une démarche DevOps, les conteneurs ont simplifié la mise en place des principes du Continuous Delivery en offrant de nouveaux outils partagés par l’ensemble des acteurs de la chaîne de valeur simplifiant les processus de livraison et ouvrant les portes de la scalabilité et de la résilience. Nous montrerons en quoi les conteneurs ont fluidifié nos processus de développement et comment cette intégration en douceur dans notre quotidien nous donne aujourd’hui la confiance nécessaire pour une utilisation future en Production.
An introduction to Linux Container, Namespace & Cgroup.
Virtual Machine, Linux operating principles. Application constraint execution environment. Isolate application working environment.
Introduction to automated environment management with Docker Containers - for...Lucas Jellema
(presented at the AMIS Platform SIG session on October 1st 2015, Nieuwegein, The Netherlands)
Creating and managing environments for development and r&d activities can be cumbersome. Quickly spinning up databases and web servers, using physical resources in a smart way, installing application components and having everything talk to each other can take a lot of time. This presentation introduces Docker - the key aspects of build, ship and run. It discusses the main concepts and typical actions.
Next, it takes you by the hand and introduces you to Vagrant and Virtual Box for quickly provisioning VMs in which Docker containers run platform components, applications and microservices - all environments fine tuned using Puppet and interacting with Git(Hub). We start from zero on your laptop and end with local environments in which to develop, test and run various types of applications.
The presentation spends some time on Oracle 's position regarding Docker and containers.
presentation held at SUSE Linux Expert Forum December 2014
Linux container history and Linux namespaces
examples include:
* Move a VPN connection to its own namespace(p 25)
* User namespaces demo(p 28)
see collection of useful articles and advanced container usecases pp 29
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConJérôme Petazzoni
Containers are everywhere. But what exactly is a container? What are they made from? What's the difference between LXC, butts-nspawn, Docker, and the other container systems out there? And why should we bother about specific filesystems?
In this talk, Jérôme will show the individual roles and behaviors of the components making up a container: namespaces, control groups, and copy-on-write systems. Then, he will use them to assemble a container from scratch, and highlight the differences (and likelinesses) with existing container systems.
Docker storage drivers by Jérôme PetazzoniDocker, Inc.
The first release of Docker only supported AUFS, and AUFS was available (out of the box) only on Debian and Ubuntu kernel. Then Red Hat wanted Docker to run on its distros, and contributed the Device Mapper driver, and later the BTRFS driver, and recently the overlayfs driver.
Jérôme presents how those drivers compare from a high-level perspective, explaining their pros and cons.
Then he showed each driver in action, and look at low-level implementation details. We won't dive into the golang implementation code itself, but we will explain the concepts of each driver. This will help to better understand how they work, and give some hints when it comes to troubleshoot their behaviour.
Union FileSystem - A Building Blocks Of a ContainerKnoldus Inc.
Namespace, CGroup, and Union file-system are the basic building blocks of a container. Let’s have our focus on file-system. Why yet another file-system for the container? Is Conventional Linux file-systems like ext2, ext3, ext4, XFS, etc. not good enough to meet the purpose? In this blog post, I will try to answer these questions. Here we will be delving deeply into the Union File System and a few of its essential properties.
À l’occasion de l’industrialisation de l’usine logicielle au sein du projet Libon d’Orange, l’introduction des conteneurs a révolutionné le développement, la construction et le déploiement des applications grâce à la mise en place d’une nouvelle plateforme d’intégration continue entièrement conteneurisée. Dans le cadre d’une démarche DevOps, les conteneurs ont simplifié la mise en place des principes du Continuous Delivery en offrant de nouveaux outils partagés par l’ensemble des acteurs de la chaîne de valeur simplifiant les processus de livraison et ouvrant les portes de la scalabilité et de la résilience. Nous montrerons en quoi les conteneurs ont fluidifié nos processus de développement et comment cette intégration en douceur dans notre quotidien nous donne aujourd’hui la confiance nécessaire pour une utilisation future en Production.
A Gentle Introduction To Docker And All Things ContainersJérôme Petazzoni
Docker is a runtime for Linux Containers. It enables "separation of concern" between devs and ops, and solves the "matrix from hell" of software deployment. This presentation explains it all! It also explains the role of the storage backend and compares the various backends available. It gives multiple recipes to build Docker images, including integration with configuration management software like Chef, Puppet, Salt, Ansible. If you already watched other Docker presentations, this is an actualized version (as of mid-November 2013) of the thing!
Introduction to OS LEVEL Virtualization & ContainersVaibhav Sharma
This Presentation contains information about os level virtualization and Containers internals. It has used other material on slide share which is referenced in Notes of PPT
Linux Container Brief for IEEE WG P2302Boden Russell
A brief into to Linux Containers presented to IEEE working group P2302 (InterCloud standards and portability). This deck covers:
- Definitions and motivations for containers
- Container technology stack
- Containers vs Hypervisor VMs
- Cgroups
- Namespaces
- Pivot root vs chroot
- Linux Container image basics
- Linux Container security topics
- Overview of Linux Container tooling functionality
- Thoughts on container portability and runtime configuration
- Container tooling in the industry
- Container gaps
- Sample use cases for traditional VMs
Overall, a bulk of this deck is covered in other material I have posted here. However there are a few new slides in this deck, most notability some thoughts on container portability and runtime config.
UNIX Internals - UNIT-I, General Overview of the system, General Overview of the UNIX system, General Overview of the system in UNIX,General Overview of the system of UNIX
History and Basics of containers, LXC, Docker and Kubernetes. This presentation is given to Engineering colleage students at VIT DevFest 2018. Beginner to Intermediate level.
Securing Applications and Pipelines on a Container PlatformAll Things Open
Presented at: Open Source 101 at Home
Presented by: Veer Muchandi, Red Hat Inc
Abstract: While everyone wants to do Containers and Kubernetes, they don’t know what they are getting into from Security perspective. This session intends to take you from “I don’t know what I don’t know” to “I know what I don’t know”. This helps you to make informed choices on Application Security.
Kubernetes as a Container Platform is becoming a de facto for every enterprise. In my interactions with enterprises adopting container platform, I come across common questions:
- How does application security work on this platform? What all do I need to secure?
- How do I implement security in pipelines?
- What about vulnerabilities discovered at a later point in time?
- What are newer technologies like Istio Service Mesh bring to table?
In this session, I will be addressing these commonly asked questions that every enterprise trying to adopt an Enterprise Kubernetes Platform needs to know so that they can make informed decisions.
In this session we'll discuss some of Kubernetes' basic concepts and talk about the architecture of the system, the problems it solves, and the model that it uses to handle containerized deployments and scaling.
Visualpath is the best Kubernetes Training Institute in Hyderabad. We are providing Online & Classroom Training classes by real-time faculty with real time Projects. You will get the best course at an affordable cost. Call on - +91-9989971070.
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)MdTanvirMahtab2
This presentation is about the working procedure of Shahjalal Fertilizer Company Limited (SFCL). A Govt. owned Company of Bangladesh Chemical Industries Corporation under Ministry of Industries.
Vaccine management system project report documentation..pdfKamal Acharya
The Division of Vaccine and Immunization is facing increasing difficulty monitoring vaccines and other commodities distribution once they have been distributed from the national stores. With the introduction of new vaccines, more challenges have been anticipated with this additions posing serious threat to the already over strained vaccine supply chain system in Kenya.
Welcome to WIPAC Monthly the magazine brought to you by the LinkedIn Group Water Industry Process Automation & Control.
In this month's edition, along with this month's industry news to celebrate the 13 years since the group was created we have articles including
A case study of the used of Advanced Process Control at the Wastewater Treatment works at Lleida in Spain
A look back on an article on smart wastewater networks in order to see how the industry has measured up in the interim around the adoption of Digital Transformation in the Water Industry.
Water scarcity is the lack of fresh water resources to meet the standard water demand. There are two type of water scarcity. One is physical. The other is economic water scarcity.
Democratizing Fuzzing at Scale by Abhishek Aryaabh.arya
Presented at NUS: Fuzzing and Software Security Summer School 2024
This keynote talks about the democratization of fuzzing at scale, highlighting the collaboration between open source communities, academia, and industry to advance the field of fuzzing. It delves into the history of fuzzing, the development of scalable fuzzing platforms, and the empowerment of community-driven research. The talk will further discuss recent advancements leveraging AI/ML and offer insights into the future evolution of the fuzzing landscape.
Forklift Classes Overview by Intella PartsIntella Parts
Discover the different forklift classes and their specific applications. Learn how to choose the right forklift for your needs to ensure safety, efficiency, and compliance in your operations.
For more technical information, visit our website https://intellaparts.com
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Dr.Costas Sachpazis
Terzaghi's soil bearing capacity theory, developed by Karl Terzaghi, is a fundamental principle in geotechnical engineering used to determine the bearing capacity of shallow foundations. This theory provides a method to calculate the ultimate bearing capacity of soil, which is the maximum load per unit area that the soil can support without undergoing shear failure. The Calculation HTML Code included.
Courier management system project report.pdfKamal Acharya
It is now-a-days very important for the people to send or receive articles like imported furniture, electronic items, gifts, business goods and the like. People depend vastly on different transport systems which mostly use the manual way of receiving and delivering the articles. There is no way to track the articles till they are received and there is no way to let the customer know what happened in transit, once he booked some articles. In such a situation, we need a system which completely computerizes the cargo activities including time to time tracking of the articles sent. This need is fulfilled by Courier Management System software which is online software for the cargo management people that enables them to receive the goods from a source and send them to a required destination and track their status from time to time.
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSEDuvanRamosGarzon1
AIRCRAFT GENERAL
The Single Aisle is the most advanced family aircraft in service today, with fly-by-wire flight controls.
The A318, A319, A320 and A321 are twin-engine subsonic medium range aircraft.
The family offers a choice of engines
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxR&R Consult
CFD analysis is incredibly effective at solving mysteries and improving the performance of complex systems!
Here's a great example: At a large natural gas-fired power plant, where they use waste heat to generate steam and energy, they were puzzled that their boiler wasn't producing as much steam as expected.
R&R and Tetra Engineering Group Inc. were asked to solve the issue with reduced steam production.
An inspection had shown that a significant amount of hot flue gas was bypassing the boiler tubes, where the heat was supposed to be transferred.
R&R Consult conducted a CFD analysis, which revealed that 6.3% of the flue gas was bypassing the boiler tubes without transferring heat. The analysis also showed that the flue gas was instead being directed along the sides of the boiler and between the modules that were supposed to capture the heat. This was the cause of the reduced performance.
Based on our results, Tetra Engineering installed covering plates to reduce the bypass flow. This improved the boiler's performance and increased electricity production.
It is always satisfying when we can help solve complex challenges like this. Do your systems also need a check-up or optimization? Give us a call!
Work done in cooperation with James Malloy and David Moelling from Tetra Engineering.
More examples of our work https://www.r-r-consult.dk/en/cases-en/
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
The building blocks of docker.
1. Ready to get shipped?
By Chafik Belhaoues
@XebiaFr
2. Introduction [History & newness of the idea]1
Anatomy of the building blocks2
Namespaces3
cgroups5
Storage backends6
Execution environments7
3. A little bit of history:
The marine containers have been created in 1956 par Malcom Mclean in NewYork, just because
time is money (-90% of transport costs).
BEFORE AFTER
6. The need of containerization:
Develop, ship, and run applications {everywhere}.
Concept? Product? Life-cycle engine? …you said {DevOps} tool?
A single, runnable, distributable executable.
What is the difference with the other form of virtualization then?
Open source [CS version].
Not OS-related [theoretically].
No hypervisor needed.
A different [new] vision of IT.
Closer to the most IT needs.
7. Hardware-centric:
A VM packages a full stack (virtual hardware, kernel, a user space).
Designed with machine operators in mind, not software developers.
VMs offer no facilities for application versioning, monitoring, configuration, logging or service
discovery…
Application-centric:
Packages only the user space; there is no kernel or virtual hardware.
Sandboxing method known as containerization = Application virtualization.
8. Overview:
Docker is based on a client-server architecture. The client {user commands} talks to the Docker
Daemon.
Daemon: runs on a host machine.
Client: accepts commands from the user and communicates back and forth with a Docker
Daemon using API.
3 components involved: build..ship..run
Images: a read-only template, images are the build component of Docker.
Registries: hold images, the distribution component of Docker.
Containers: holds everything that is needed for an application to run, the run component of
Docker
10. Anatomy of the building blocks:
Apartment complex analogy:
1. Each apartment will require water and electricity and these resources should be distributed
fairly {resources}.
2. The apartments are isolated with walls to keep people separate from their respective neighbors
{isolation}.
3. Each apartment also has a door, lock, and keys {security}.
4. Finally, most apartment complexes benefit from a manager who works to ensure a consistent
and clean steady state of operations {management}.
By analogy to system resources required for a container, the kernel should implement 4
elements:
- Resource Management.
- Process Isolation.
- Security.
- Tooling (CLI).
11. Resource management is provided by control groups (cgroups).
Process isolation is provided by kernel namespaces.
Security is provided by policy manager like: SELinux
Overall management by Docker CLI.
12. Namespace:
Wraps a global system resources in an abstraction.
Changes are visible only inside the namespace.
Kernel namespaces allow the new process to have its own hostname, IP address and a whole
network stack, filesystem, PID, IPC stack, and even user mapping.
The container to look a VM.
Kernal space:
Strictly reserved for running a privileged operating system kernel, kernel extensions, and most
device drivers, the gate to this land is managed by CAP_SYS_ADMIN capability starting with
kernel 2.2 [before it was the superuser, or root, ID 0].
User space [userland]:
The memory area where application software and some drivers execute.
14. Playing with Syscalls:
clone:
Creates a new process, in a manner similar to fork then creates new namespaces for every flag
CLONE_NEW*.
Unlike fork, the child process is allowed to share parts of its execution context with the calling
process (the memory space, the table of file descriptors, the table of signal handlers…).
setns:
Allows the calling process to join an existing namespace.
unshare:
Moves the calling process to a new namespace in other words: disassociates parts of its execution
context that are currently being shared with other processes (or threads).
15. Namespace Date Kernel version
mount 2002 2.4.19
uts 2006 2.6.19
ipc 2006 2.6.19
pid 2008 2.6.24
net 2009 2.6.29
user 2013 3.8
16. MNT namespace:
Isolate the set of filesystem mount points.
Means that processes in different mount namespaces can have different views of the filesystem
hierarchy.
The container “thinks” that a directory which is actually mounted from the host OS is exclusive to
the container.
Interacting with this namespace is simply done by mount/umount syscalls.
All about Isolation…
17. PID namespace:
Isolate the process ID number space = processes in different "PID namespaces" can have the same
PID.
The container thinks it has a separate standalone instance of the OS.
Technically, the new process created in a new namespace will be the famous PID 1 "init“.
Inside the namespace fork/clone syscalls will produce processes with PIDs that are unique.
This mechanism allows containers to provide functionality such as:
suspending/resuming the set of processes.
PID consistency on migration.
18. NETNS namespace:
Logically another copy of the network stack, with its own routes, firewall rules, and network
devices.
It means each network namespace has its own network devices, IP addresses, IP routing tables,
/proc/net directory, port numbers...
It allows a container to have its own IP address, independent of that of the host.
19. UTS namespace [UNIX Time Sharing]:
Historically the term "UTS" derives from the name of the structure passed to the uname() system
call: struct utsname.
{Initially the time sharing was invited to allow a large number of users to interact concurrently
with a single computer by the sharing of a computing resource among many users by means of
multiprogramming and multi-tasking at the same time}.
This mechanism isolates two system identifiers nodename and domainname.
It allows the containers to have its own separate identity {hostname and NIS domain name}.
20. IPC namespace:
IPC (POSIX/SysV IPC) namespace provides isolation/separation of IPC resources:
Named shared memory segments.
Semaphores.
Message queues.
Why this need ?
Shared memory segments are used to accelerate inter-process communication at memory speed,
rather than through pipes or through the network stack. It is commonly used by databases and
custom-built high performance applications for scientific computing and financial services
industries. If these types of applications are broken into multiple containers, you might need to
share the IPC mechanisms of the containers.
21. User namespace:
The last namespace to be implemented, integrated in the kernel mainstream starting from 3.8
BUT in technical preview in almost all Linux distros.
A process's user and group IDs can be different inside and outside a user namespace, that means
a process can have a normal unprivileged user ID outside a user namespace while at the same
time having a user ID of 0 inside the namespace. Which in term of isolation, makes the user and
group ID number spaces totally separated.
22. cgroups:
Traditionally, all processes received similar amount of system resources and all the tuning goes
through the process niceness value.
A mechanism to organize processes hierarchically and distribute system resources — such as CPU
time, system memory, network bandwidth, or combinations of these resources — along
the hierarchy in a controlled and configurable manner.
Every process belongs to one and only one cgroup.
Initially, only the root cgroup exists to which all processes belong.
All processes are put in the cgroup that the parent process belongs to at the time.
Two parts of cgroups:
1. core: primarily responsible for hierarchically organizing processes.
2. controller: responsible for distributing or applying limits to a specific type of system resource.
23. blkio: sets limits on input/output access to and from block devices.
cpu: uses the CPU scheduler to provide cgroup tasks an access to the CPU.
cpuacct: creates automatic reports on CPU resources used by tasks in a cgroup.
cpuset: assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup.
devices: allows or denies access to devices for tasks in a cgroup.
freezer: suspends or resumes tasks in a cgroup.
memory: sets limits on memory used by tasks in a cgroup.
net_cls: tags network packets with a class identifier (classid) that allows the traffic controller to
identify packets originating from a particular cgroup task.
perf_event: enables monitoring cgroups with the perf tool.
hugetlb: allows to use virtual memory pages of large sizes, and to enforce resource limits on these
pages.
24. Union filesystem:
A stackable unification file system, which merges the contents of several directories (branches),
while keeping their physical content separate.
Builds file systems that operate by creating layers, allow files and directories of separate file
systems {branches}, to be transparently overlaid, forming a single coherent file system.
It allows any combination of read-only and read-write branches, as well as insertion and deletion
of branches anywhere in the tree.
25. AUFS [Another Union File System]:
Since V2 it stands for "advanced multi layered unification filesystem“.
It was the first storage driver in use with Docker, developed in 2006 as a complete rewrite of the
earlier UnionFS.
According to Docker:
AUFS is not included in the mainline (upstream) Linux kernel. It was rejected because of the
dense, unreadable, and uncommented code.
26. OverlayFS:
Merged in the Linux kernel in 2014, kernel version 3.18.
The natural successor to aufs.
Combines two filesystems - an 'upper' filesystem and a 'lower' filesystem.
When a name exists in both filesystems, the object in the 'upper' filesystem is visible while the
object in the 'lower' filesystem is either hidden or, in the case of directories, merged with the
'upper' object.
27. DeviceMapper [storage backend ]:
Initially developed by Redhat as an alternative to AUFS.
Based on snapshots.
Uses allocate-on-demand.
28. Container format:
Docker wraps all the previous components into an execution environment or driver called
{container format}.
Traditional container drivers: OpenVZ, systemd-nspawn, libvirt-lxc, libvirt-sandbox, qemu/kvm,
BSD Jails, Solaris Zones, and even good old chroot.
The new execution drivers: moving from libcontainer to runc & containerd.