Lightweight isolated linux environment

Chroot is the lightest weight environment that could suit you. It allows you to install another distribution (or another installation of the same distribution), with the same users, with the same network configuration, etc. Chroot only provides some crude isolation at the filesystem level. Browsing this site for chroot might help, if you're still not sure what chroot can and can't do.

If you're looking for the next step up, LXC is now included in the kernel mainline. An LXC guest (called a container) has its own filesystem, process and network space. Root in the container is also root on the host; LXC protects against many accidental actions by a guest root but not against a malicious guest root (this is a planned feature, watch this space).

Other technologies that are somewhat similar to LXC are VServer and OpenVZ. An important feature that OpenVZ provides but not VServer or LXC is checkpoints: you can take a snapshot of a running machine and restore it later. Yet another candidate is User-mode Linux, which runs a complete Linux system inside a process that runs as an ordinary user in the host.

For the purposes of experimenting with another OS installation, chroot is fine. If you want to run services in the experimental installation or play with networking, go for LXC. If you want snapshots, use OpenVZ. If you want a completely separate kernel but little memory overhead, user User-mode Linux. If you want snapshots and a separate kernel, use VirtualBox.

Docker makes LXC easier to use:

Notable features

Filesystem isolation: each process container runs in a completely separate root filesystem.

Resource isolation: system resources like cpu and memory can be allocated differently to each process container, using cgroups.

Network isolation: each process container runs in its own network namespace, with a virtual interface and IP address of its own.

Copy-on-write: root filesystems are created using copy-on-write, which makes deployment extremely fast, memory-cheap and disk-cheap.

Logging: the standard streams (stdout/stderr/stdin) of each process container is collected and logged for real-time or batch retrieval.

Change management: changes to a container's filesystem can be committed into a new image and re-used to create more containers. No templating or manual configuration required.

Interactive shell: docker can allocate a pseudo-tty and attach to the standard input of any container, for example to run a throwaway interactive shell.

Under the hood

Under the hood, Docker is built on the following components:

• The cgroup and namespacing capabilities of the Linux kernel

• AUFS, a powerful union filesystem with copy-on-write capabilities

• The Go programming language

• lxc, a set of convenience scripts to simplify the creation of linux containers.

Look into OpenVZ or Linux Containers, both of which implement a lightweight pseudo-virtualised environment with unique userlands on a common kernel.

OpenVZ is more mature at this stage.