Containers vs Virtual machines

 
Ranch Hand
Posts: 62
Hello Sean and Karl,

Congratulations on the release of your book.
I am currently learning DevOps tools to upskill myself.
I am new to the subject of containers.
If containers are doing the job so quickly by launching the Operating System, why are there still people who are using VMware Virtual machines?
Will these get outdated in the future?

Regards and Thanks,
Ashish.
 
Author
Posts: 51
6
Hi Ashish
VMs are a more heavyweight alternative to container technology. VMs emulate an entire machine in conjunction with a hypervisor. Containers on the other hand use the host OS.
Where containers shine is when you want to study a technology (such as Oracle Database or Keycloak) but you don't want to do a native installation on your machine. In most cases, a container can be created and run using just a single command.
When you're done with the container, you can just delete it and free up any resources used.

Using Docker also provides the opportunity to learn some basic Linux skills, e.g., opening a terminal in the container.
Best wishes
Stephen
 
Author
Posts: 17
5
  • Likes 1
This is a good question, Ashish, and one that many people ask. The critical difference between containers and virtual machines is that containers on the same runtime all share the same Linux kernel. This has both advantages and disadvantages. The ease of integration with the host operating system, and interaction and overlap of containers on the same host can be an advantage both in performance and in resource over-allocation. But the flipside is that it is not as secure because the only barrier between containers is the kernel, rather than actual CPU-level enforcement like you get from a virtual machine. Containers also run a higher risk of noisy neighbor issues than do virtual machines.

Some container runtimes have made the best of both worlds, using micro-VMs to run container images rather than a container runtime. We talk about some of this in the book as well.

In general, things running in containers on the same host need to be assumed to be cooperating with each other from both a resource and security enforcement standpoint. There are resource utilization and security barriers, but they are just not solid enough to be used to run e.g. workloads publicly configured by end users.

Containers are more than just the runtime, though, as we explain in the book. They make portability and containment of all dependencies for your application easy. The ergonomics are very good, and resource utilization can also be excellent. Those and other workflow/tooling improvements are many of the reasons for their success.
 
Stephen Morris
Author
Posts: 51
6
Hi Karl
That's interesting about the micro-VMs runtime, thanks!

Any thoughts concerning escape from a container as a root user? Is this addressed in the book?
Best wishes
Stephen
 
Shaik Ashish
Ranch Hand
Posts: 62
Thanks Stephen and Karl for giving me insights.
 
Author
Posts: 29
5

Stephen Morris wrote: Any thoughts concerning escape from a container as a root user? Is this addressed in the book?



Escaping the container as root is indeed something that should be considered.

Docker has a rootless mode nowadays, which can be used to prevent root-privileged containers.

https://docs.docker.com/engine/security/rootless/

in addition to the normal ability to simply change the UID that is used inside the container.

https://docs.docker.com/engine/reference/builder/#user
https://docs.docker.com/engine/reference/commandline/run/  (see: --user)
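
The two controls mentioned in the post above (rootless mode, and a non-root `USER` / `--user`) can be checked on a host from `docker info` and `docker inspect` output. The following is an added example, not part of the original thread or the book; the sample JSON is constructed, and the function names and finding labels are illustrative.

```python
import json

# Constructed sample: trimmed `docker inspect` output for three containers.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/web",   "Config": {"User": ""},          "HostConfig": {"Privileged": false}},
 {"Name": "/db",    "Config": {"User": "1000:1000"}, "HostConfig": {"Privileged": false}},
 {"Name": "/agent", "Config": {"User": "0:0"},       "HostConfig": {"Privileged": true}}
]
""")

# Constructed samples: the SecurityOptions list as reported by `docker info`.
SAMPLE_INFO_ROOTFUL = {"SecurityOptions": ["name=seccomp,profile=builtin"]}
SAMPLE_INFO_ROOTLESS = {"SecurityOptions": ["name=seccomp,profile=builtin", "name=rootless"]}


def daemon_is_rootless(info):
    """True when the daemon lists rootless mode among its security options."""
    options = info.get("SecurityOptions") or []
    return any(opt.split(",")[0] == "name=rootless" for opt in options)


def runs_as_root(user):
    """Config.User is '' (no USER/--user set, so uid 0), a name, or uid[:gid]."""
    uid = user.split(":", 1)[0].strip()
    return uid in ("", "0", "root")


def audit(containers, info):
    """Return {container name: [findings]} for containers that need attention."""
    rootless = daemon_is_rootless(info)
    report = {}
    for c in containers:
        findings = []
        if runs_as_root(c.get("Config", {}).get("User", "")):
            # Under a rootless daemon, container root maps to an unprivileged host user.
            findings.append("root-in-userns" if rootless else "root-on-host-kernel")
        if c.get("HostConfig", {}).get("Privileged", False):
            findings.append("privileged")
        if findings:
            report[c["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT, SAMPLE_INFO_ROOTFUL).items():
        print(f"{name}: {', '.join(findings)}")
```

On a real host, the inputs would come from `docker inspect $(docker ps -q)` and `docker info --format '{{json .}}'`.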
 
Sean Kane
Author
Posts: 29
5

Shaik Ashish wrote: If containers are doing the job so quickly by launching the Operating System, why are there still people who are using VMware Virtual machines?



In addition to Karl's great answer, there are many blog posts and articles about this online if you want to dig into this some more. Searching for "containerization versus virtualization" should get you a lot of results like the one below:


https://www.ibm.com/cloud/blog/containers-vs-vms


 