How Containers Are Different From Virtual Machines

I teach a variety of courses including Virtualization, Software-Defined Networking and Cloud Computing. A very common question I hear from my students learning cloud computing or virtualization is “what is the difference between a virtual machine and a container?”

Before answering it, let’s first talk about “hypervisor-based virtualization”, which is what produces virtual machines. There are two types of hypervisors: type 1 and type 2 (sounds like diabetes, eh?). Type 1 hypervisors are known as bare-metal hypervisors: they run directly on the hardware, as VMware ESXi, Microsoft Hyper-V and Xen do (KVM, which turns the Linux kernel itself into a hypervisor, is usually counted here as well). Type 2 hypervisors are known as hosted hypervisors: they run as an ordinary application on top of a conventional operating system, as VirtualBox (open source) and VMware Workstation do. Note that “operating-system-level virtualization” is not a name for type 2 hypervisors; it is the term for containers, which we get to below.

In hypervisor-based virtualization, a single physical server, referred to as the host machine, runs several virtual servers, known as virtual machines (VMs). Each VM is a guest: it boots its own complete operating system, the guest OS, with its own kernel, and the application runs inside that guest. Each VM needs a share of the host’s CPU, RAM and other resources, and the guest OS itself consumes a good part of that share, which limits the number of VMs a host can run. VMs generally use dedicated, statically sized resources: a fixed number of virtual CPUs and a fixed amount of memory are allocated when the VM starts, whether or not the application inside is busy.

Now let’s discuss containers, which are very important today in NFV (Network Function Virtualization) environments, where virtual appliances (router, switch, firewall, load balancer, etc.) are packaged as containers. They are equally important in Software-Defined Networking setups. Wikipedia defines a container as “an operating-system-level virtualization environment for running multiple isolated Linux systems (containers) on a single Linux control host.”

Each application runs in its own container, and a container is nothing more than a group of ordinary processes on the host operating system. All containers share the host operating system’s kernel, and that is why they are so much lighter than VMs. The container’s “operating system” is really only a userland: a filesystem image holding a distribution’s libraries, binaries and configuration files but no kernel, so every system call a containerized process makes goes straight to the host kernel. The isolation and resource control that make this safe to do come from two features of the Linux kernel: “namespaces” and “cgroups”.

Namespaces give a process its own isolated view of a kernel resource, so that processes in different namespaces cannot see each other’s resources. A container typically gets its own process ID namespace (its first process sees itself as PID 1), user namespace (UID 0 inside the container can be mapped to an unprivileged UID on the host), network namespace (its own interfaces, routing table and port numbers), mount namespace (its own filesystem tree), plus UTS, IPC and cgroup namespaces. Control groups (cgroups) account for and limit the resources those processes may consume: CPU time, RAM, block I/O, network bandwidth, the number of PIDs, and so on. One caveat worth keeping in mind: namespaces and cgroups partition what processes can see and use, but the kernel underneath remains shared, so a kernel bug reachable from inside a container is a bug in the host’s kernel, not in a separate guest kernel as it would be with a VM.
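A practical way to see namespaces at work is from the host side: the kernel exposes each process’s namespace membership as symbolic links under /proc/&lt;pid&gt;/ns/, and two processes are in the same namespace of a given kind exactly when those links carry the same inode number. The script below is an added example, not code from the original post; it groups processes by namespace so that the processes the host sees as “a container” stand out, and it prints the cgroup v2 path the container runtime placed them in. The /proc layout it reads is the real one; the function names and the inode numbers in the constructed SAMPLE table are mine, chosen in the shape the kernel uses so the grouping logic can be exercised without root.

```python
# Added example (not from the original post): enumerate processes on a Linux
# host by the namespaces they belong to, using the /proc/<pid>/ns/* links the
# kernel exposes.  Two processes share a namespace of a given kind exactly
# when the link targets carry the same inode number, so grouping by that
# number reveals which processes the host sees as "containers".
import os
from collections import defaultdict

NAMESPACES = ("pid", "net", "mnt", "user", "uts", "ipc")


def parse_ns_link(target):
    """Turn a /proc/<pid>/ns link target such as 'pid:[4026531836]' into ('pid', 4026531836)."""
    kind, _, rest = target.partition(":[")
    if not rest.endswith("]"):
        raise ValueError(f"unexpected ns link format: {target!r}")
    return kind, int(rest[:-1])


def read_ns_ids(pid, proc="/proc"):
    """Resolve every namespace link of one live process into {kind: inode}."""
    ids = {}
    for kind in NAMESPACES:
        try:
            _, inode = parse_ns_link(os.readlink(f"{proc}/{pid}/ns/{kind}"))
        except OSError:
            continue  # process exited, or we lack ptrace access to inspect it
        ids[kind] = inode
    return ids


def read_cgroup(pid, proc="/proc"):
    """Return the cgroup v2 path of a process (the '0::<path>' line of /proc/<pid>/cgroup), or None."""
    try:
        with open(f"{proc}/{pid}/cgroup") as fh:
            for line in fh:
                if line.startswith("0::"):
                    return line[3:].strip()
    except OSError:
        pass
    return None


def group_by_namespace(table, kind="pid"):
    """table: {pid: {kind: inode}}.  Return {inode: [pids]} for one namespace kind."""
    groups = defaultdict(list)
    for pid, ids in sorted(table.items()):
        if kind in ids:
            groups[ids[kind]].append(pid)
    return dict(groups)


def outside_namespace_of(table, ref_pid, kind="pid"):
    """PIDs whose <kind> namespace differs from that of ref_pid (use PID 1 for 'the host')."""
    ref = table[ref_pid][kind]
    return [pid for pid, ids in sorted(table.items()) if ids.get(kind) not in (None, ref)]


def live_table(proc="/proc"):
    """Snapshot {pid: {kind: inode}} for every process visible under /proc."""
    table = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            ids = read_ns_ids(int(entry), proc)
            if ids:
                table[int(entry)] = ids
    return table


# Constructed sample (inode numbers made up, in the shape the kernel uses):
# PIDs 1 and 4321 live in the host's namespaces; 9876 and 9900 are a
# container's init process and one of its children.  All four share the
# same user namespace, which is the default for most container runtimes:
# UID 0 inside that container is UID 0 on the host.
SAMPLE = {
    1:    {"pid": 4026531836, "net": 4026531992, "mnt": 4026531840, "user": 4026531837},
    4321: {"pid": 4026531836, "net": 4026531992, "mnt": 4026531840, "user": 4026531837},
    9876: {"pid": 4026532515, "net": 4026532518, "mnt": 4026532513, "user": 4026531837},
    9900: {"pid": 4026532515, "net": 4026532518, "mnt": 4026532513, "user": 4026531837},
}


if __name__ == "__main__":
    table = live_table() if os.path.isdir("/proc/1/ns") else SAMPLE
    ref = min(table)  # lowest visible PID: the host's init, or the container's own init if run inside one
    for inode, pids in group_by_namespace(table, "pid").items():
        print(f"pid namespace {inode}: {len(pids)} processes, first PID {pids[0]}, cgroup {read_cgroup(pids[0])}")
    print(f"processes outside PID {ref}'s user namespace:", outside_namespace_of(table, ref, "user"))
```

Run it as root on a Docker host and every container shows up as its own PID namespace group whose cgroup path ends in the container ID; run it as an ordinary user and processes you lack ptrace access to are silently skipped. The user-namespace check is the one to pay attention to: when it reports nothing outside the host’s user namespace, container root and host root are the same UID, and only the remaining namespaces and the kernel’s own permission checks stand between them.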

In short, containers are easier and lighter to deal with than virtual machines. Their resource consumption is dynamic, like that of any other operating system process (an idle container uses almost no CPU or memory), so far more containers than VMs can be accommodated on one host machine; in other words, containers enable fuller utilization of the host operating system’s resources. Container images can be easily exported and imported, and containers are now also supported by non-Linux vendors such as Microsoft with Windows containers.

If you are wondering about isolation and security concerns among the various containers running on the same host and sharing its kernel, please wait for my next blog, where I will be addressing privacy and security related issues in a container-based virtualization environment.