How and why to use system containers in production

System container platforms, such as OpenVZ and LXD, make it possible to run complete operating systems inside of containers. Expert Christopher Tozzi outlines the options.

You know all about Docker. But what about OpenVZ and LXD? Or, ahem, Solaris Zones?

If the latter names don't ring a bell, you have a fair bit left to learn about the container landscape writ large. Those are all system container platforms. System containers are poised to become increasingly important in building next-generation infrastructure.

Want to learn more about system containers? Wondering when and how to use them in production? This article's for you.

System containers vs. Docker

Perhaps the easiest way to define what system containers are is to explain how they are different from Docker.

If you're reading this, you probably already know all about Docker. Docker is a platform that allows you to run individual applications inside software-defined container environments. In other words, Docker is an application container platform.

In contrast, system containers let you run an entire operating system inside a container. This makes them fundamentally different from Docker.

System containers and Docker are not competitors. In fact, you could use system containers to host an OS on which you then run Docker, if you wanted -- although that is certainly not the only possible use case for system containers.

System containers vs. virtual machines

If running an OS inside a software-defined environment sounds similar to what you've been doing for years now with virtualization platforms like VMware or KVM, it's because it is. Virtual machines and system containers provide the same basic functionality.

However, system containers are different from virtual machines because system containers don't emulate hardware. Instead, like application containers, they run as isolated groups of processes on the host's own kernel.

This design creates some limitations. One is that system containers cannot serve as hosts for guest operating systems that are very different from the host. Since most system container platforms run only on Linux, that means you can't use system containers to run Windows workloads.

Yet, the unique approach of system containers also provides some key advantages over virtual machines. The biggest is that system containers have a smaller footprint. This leads to better performance. For instance, Canonical, which supports development of the LXD container platform, claims that an LXD host can run about 14.5 times as many guests on the same server as KVM. It also says LXD guests start 94% faster.

System containers also make it much easier for software running inside a virtual environment to gain direct access to resources on the host. In other words, they do not abstract the guest environment from the underlying hardware in the same way that virtual machines do.

System container platforms

Now that you know what system containers are and how they are different from Docker and virtual machines, you're probably wondering which platforms support system containers. Currently, the two major system container platforms that are eyeing enterprise workloads are LXD and OpenVZ.

As noted above, LXD was developed with support from Canonical, the company behind Ubuntu Linux. LXD provides a system daemon for controlling LXC, or Linux Containers, a container solution built on the isolation features of the Linux kernel, as well as some tools for working with LXC.

LXD is quite new. Its first stable release debuted in April 2016. (The first stable release was LXD 2.0, but there never was an LXD 1.0; the versioning reflects an effort to keep LXD release numbers consistent with LXC releases.)

OpenVZ has been around longer. It was first released in 2005. The main company backing OpenVZ development today is Virtuozzo, which offers a commercial implementation of OpenVZ that features user-friendly installation and management tools. In this sense, OpenVZ is currently more enterprise-ready than LXD, which does not yet have a well-developed suite of deployment and administration tools.

The list of system container platforms would not be complete without mention of Solaris Zones, a solution for running instances of the Solaris operating system inside of containers on top of Solaris hosts. Solaris Zones are not useful outside of the Solaris world, but they were the first system container solution to emerge, and they are very handy if you work with Solaris.

When to use a system container

Now, the big question: Should you use a system container or should you stick with traditional virtual machines?

The answer will vary from organization to organization, of course. But here's a list of situations in which you might want to consider shifting workloads to system containers:

  • Your guest instances are small. If the operating systems you need to run inside the virtual environment are minimalist -- for instance, if you're hosting a small Linux OS with only a few services running on top of it -- you'll get more mileage from system containers. If, on the other hand, your guest will be a full-blown OS, you're likely to benefit from the additional control that a virtual machine provides.
  • You want an open platform. Some virtualization hypervisors, like KVM, are open source. Others, like VMware, are closed. In contrast, LXD and OpenVZ are both open source. This makes them a better choice if you like pure-play solutions or are worried about vendor lock-in.
  • Your guests are Linux-based. As noted above, system container platforms currently support only Linux (or Solaris, in the case of Solaris Zones). If the guest instances that you want to run are based on Linux, system containers will work well for you. But don't try them if you need to run Windows virtual servers.
  • You need to run machine-level apps. One advantage of system containers is that they provide guests with direct access to system resources. You can generally achieve similar functionality through "pass-through" features on virtual machine platforms like VMware, but it is much clunkier and more limited there. If you want all of your guest instances to have bare-metal access and performance by default, system containers can help you achieve that.
  • You don't need advanced tooling. One disadvantage of system containers, at least for now, is that the tools for managing them are comparatively basic. VMware has spent more than a decade creating robust, user-friendly management and orchestration tools, like vSphere. Those don't yet exist at the same level of maturity for system containers.
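The "direct access to system resources" point above cuts both ways: because a guest shares the host kernel, what you hand it through a device should be scoped deliberately. The following LXD profile is an added example, not from the article or the LXD project; it assumes LXD's `lxc` CLI, and the profile name and host path are placeholders.

```yaml
# Added example: an LXD profile that gives a guest direct, but narrowly scoped,
# access to host resources. Assumptions: the `lxc` CLI, and placeholder names
# (app-data, /srv/app-data) that you would replace with your own.
#
# Create and apply:
#   lxc profile create app-data
#   lxc profile edit app-data < app-data.yaml
#   lxc profile add <container> app-data
name: app-data
description: Unprivileged container with read-only access to one host directory
config:
  security.privileged: "false"   # guest root stays mapped to an unprivileged host UID
  security.nesting: "false"      # no nested container daemons unless the workload needs them
  limits.cpu: "2"                # cap CPU and memory so one guest cannot starve the host
  limits.memory: 1GB
devices:
  data:
    type: disk
    source: /srv/app-data        # the one host path this guest is allowed to see
    path: /mnt/app-data          # where it appears inside the guest
    readonly: "true"             # the guest can read the data but not modify it
```

The configuration to avoid is the mirror image: `security.privileged: "true"` together with a disk device whose `source` is `/`, which exposes the host's entire filesystem to a guest whose root user is the host's root user.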

To be sure, system containers are not a universal replacement for virtual machines. The infrastructure of the future will be built on a combination of traditional virtual machines, application container platforms, like Docker, and system container platforms, such as OpenVZ and LXD. The most important thing to understand about all of these solutions is that, while their functionality overlaps in some ways, they're complements to each other, not competitors.
