Closed muhamadazmy closed 3 years ago
> since we're moving

is a big word.... I don't think that is a decision that has already been taken.
We need to look into the granularity of such a thing. Starting a container as opposed to starting a container/application in a vm is not a panacea. The main problem with vms (not counting that it's more expensive in terms of cpu/performance), is that we need to be very avaricious about how we allocate memory for an application.
So MicroVMs is definitely where we want to go. The term for these beasts is definitely in serverless, where they get spun up for a single application, mostly a function, and die after that.
For running containers in VMs, it's about security mostly, where we separate real users (ssh access, for instance) from the real host. But running a VM per container will eat away at very scarce memory, as suddenly you need a WHOLE OS to just run some python code.
I don't think we can use a VM for each workload separately.... Baidu does it, but they have their own HW to alleviate loss of mem due to VM overhead. What's more, they really define their cloud more as a serverless/function cloud, and not, as we do, an all-purpose one.
Nevertheless, running a VM for containers is still a better idea than, say, rootless containers in terms of security, but we still need to see the repercussions of doing so before starting to think it's the warm water reinvented.
Again, MicroVMs are defined for functions, not for applications, and then I can imagine these thingies... but for running a VM for each application: how do you set the requirements? Even with KSM enabled, the overhead would be disastrous.
We did some benchmarking and have the following results: https://github.com/threefoldtech/zos/issues/1284#issuecomment-859393767, which seem very promising.
So we can start discussing disks now
Currently containers (using containerd) can mount extra volumes that are pre-reserved. These are created as btrfs sub-volumes. We already faced some issues related to btrfs quotas.
Since we are moving to cloud-hypervisor containers (basically running containers in virtual machines), wouldn't it make more sense to create those volumes as raw disks instead? This brings the following benefits:
Drawbacks:
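As an added example (not code from the zos project or from this issue), the shell script below creates a volume as a raw disk image, both fully pre-reserved and thin, and checks whether the host space is really allocated up front; the helper names are hypothetical, and the image would later be attached to the VM with cloud-hypervisor's `--disk path=...` option.

```shell
#!/bin/sh
# Added example, not from the zos project: build a raw disk image as an
# alternative to a btrfs sub-volume with quotas, then verify the reservation.
set -eu

# Fully reserved raw disk: all blocks are allocated now, so the VM this file is
# attached to can never consume more host space than the file size.
make_reserved_disk() {
  img="$1"; size_mb="$2"
  # fallocate is fast and non-zeroing; fall back to dd where it is unsupported.
  fallocate -l "$((size_mb * 1048576))" "$img" 2>/dev/null ||
    dd if=/dev/zero of="$img" bs=1048576 count="$size_mb" 2>/dev/null
}

# Thin (sparse) raw disk: same apparent size, but blocks are allocated only as
# the guest writes, so the host can be overcommitted much like with a quota.
make_sparse_disk() {
  img="$1"; size_mb="$2"
  dd if=/dev/zero of="$img" bs=1048576 count=0 seek="$size_mb" 2>/dev/null
}

# Size the guest sees, in MiB.
apparent_mb() {
  echo $(( $(wc -c < "$1") / 1048576 ))
}

# Space actually taken on the host, in KiB.
allocated_kb() {
  du -k "$1" | cut -f1
}

# Demo when invoked as: sh volumes.sh demo
if [ "${1:-}" = "demo" ]; then
  make_reserved_disk vol-reserved.img 64
  make_sparse_disk vol-sparse.img 64
  for f in vol-reserved.img vol-sparse.img; do
    printf '%s: %s MiB apparent, %s KiB allocated\n' \
      "$f" "$(apparent_mb "$f")" "$(allocated_kb "$f")"
  done
fi
```

The reserved image reports its full size as allocated, the sparse one close to zero; only the former gives the host a hard per-volume bound without relying on filesystem quotas.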