Next: , Previous: , Up: Top   [Contents][Index]

4 Containers

The kernel Linux provides a number of shared facilities that are available to processes in the system. These facilities include a shared view on the file system, other processes, network devices, user and group identities, and a few others. Since Linux 3.19 a user can choose to unshare some of these shared facilities for selected processes, providing them (and their child processes) with a different view on the system.

A process with an unshared mount namespace, for example, has its own view on the file system — it will only be able to see directories that have been explicitly bound in its mount namespace. A process with its own proc namespace will consider itself to be the only process running on the system, running as PID 1.

Guix uses these kernel features to provide fully isolated environments and even complete Guix System containers, lightweight virtual machines that share the host system’s kernel. This feature comes in especially handy when using Guix on a foreign distribution to prevent interference from foreign libraries or configuration files that are available system-wide.