The rapid development of Docker in recent years has made containers popular again. However, Docker is described as “old wine in new bottles” in many materials. Besides containers, virtual machines are the other virtualization technology most of us have been exposed to in some way. Both virtual machines and containers are used to create isolated virtual environments, but there are significant differences between the two virtualization technologies, which will be discussed in today’s article.
The virtual machine
Virtual machines (VMs) are operating systems that share the physical resources of one server. A VM is a guest on the host hardware and is therefore also referred to as a guest virtual machine.
Virtual machines consist of several layers. The layer that supports virtualization is the hypervisor. A hypervisor is software that virtualizes a server.
How does a virtual machine work
Everything needed to run the application is contained in the virtual machine — the virtualized hardware, the operating system, and any required binaries and libraries. Therefore, virtual machines have their own independent infrastructure.
Advantages of virtual machines
Virtual machines can reduce the cost of server hardware: the resources of one physical server can be divided into multiple independent virtual machines, each doing useful work.
With only one host, all virtual environments can be efficiently managed using the centralized capabilities of the virtual machine hypervisor. These systems are completely independent of each other, which means you can install different system environments in different virtual machines.
Most importantly, the virtual machine is isolated from the host operating system and is a safe place for experimentation and application development.
Disadvantages of virtual machines
The size of a VM (gigabytes) means it occupies a large amount of system resources on the host. Running a single application on a virtual server means running the guest OS as well as virtual copies of all the hardware the guest OS needs. This quickly adds up to a lot of RAM and CPU consumption.
Migrating an application running on a virtual machine can also be complex, because the application is always attached to its operating system, so both the application and the operating system must be migrated together. Similarly, when a virtual machine is created, the hypervisor allocates hardware resources dedicated to that VM. Even so, it is still economical compared to running a separate physical server.
The container
A container is an environment that runs an application independently of the rest of the operating system. It uses Linux Namespaces and Cgroups to isolate and restrict application processes: a Namespace isolates a process by letting it see only the world inside that Namespace, and Cgroups limit the host resources allocated to the process. To the host, however, these “isolated” processes are not much different from other processes.
A container is just a special process running on a host, and multiple containers use the same host operating system kernel.
There is little more to say about Namespaces and Cgroups here, except that they are what allow application processes to be isolated and restricted.
How does the container work
The function of a Namespace is isolation: it allows the application process to see only the world inside the Namespace. Cgroups, on the other hand, are limits; they put invisible walls around that world. By using a Mount Namespace, the container process can modify its own mount points in the file system. Before the container process starts, its entire root directory “/” is remounted (changing the process’s file system via pivot_root, or via chroot if the system does not support it), and because of the Mount Namespace this is invisible to the host. This file system, mounted at the root of the container to provide an isolated execution environment for container processes, is what we call a “container image.” It also has a more technical name: rootfs. A rootfs contains only the files, configuration, and directories of an operating system, not the operating system kernel.
So a rootfs includes only the “body” of the operating system, not the kernel. All containers on the same machine share the kernel of the host’s operating system.
This means that if an application in a container needs to configure kernel parameters and interact directly with the kernel, what it operates on is the host operating system’s kernel, and that kernel is a “global variable” that affects all containers on the machine. This is one of the main disadvantages of containers compared to virtual machines: virtual machines, after all, have simulated hardware that acts as a sandbox, and each virtual machine has a full guest OS running for applications to mess with. But because a rootfs packages not just the app, but the files and directories of the entire operating system, the app and all the dependencies it needs to run are packaged together. This gives the container what’s called consistency: whether it’s local, in the cloud, or on a machine anywhere, all the user needs to do is unpack the packaged container image and the entire execution environment that the application needs to run is reproduced.
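The point that a container is only a process wearing a different set of namespaces can be made concrete by looking at /proc/<pid>/ns, where each entry is a symlink whose target reads like pid:[4026531836]; two processes in the same namespace resolve to the same inode. The following Python is an added example, not code from the original article: it compares a constructed listing for the host’s init process with a constructed listing for a container process and reports which namespaces the two still share (here the network and user namespaces, the pattern a container started with the host’s network would show). The read_live_ns helper reads the real listing on a Linux host and returns an empty mapping elsewhere.

```python
"""Compare the namespaces of two processes using the /proc/<pid>/ns layout.

Added illustration, not code from the original article. On Linux, each entry
in /proc/<pid>/ns is a symlink whose target reads like "pid:[4026531836]";
two processes in the same namespace resolve to the same inode. The sample
listings below are constructed, not captured from a real host.
"""
import os
import re

NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")
_NS_RE = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")

# Constructed sample: what `readlink /proc/1/ns/*` might return on the host.
HOST_INIT = {
    "cgroup": "cgroup:[4026531835]",
    "ipc": "ipc:[4026531839]",
    "mnt": "mnt:[4026531840]",
    "net": "net:[4026531992]",
    "pid": "pid:[4026531836]",
    "user": "user:[4026531837]",
    "uts": "uts:[4026531838]",
}
# Constructed sample: a container process with its own mnt/pid/ipc/uts/cgroup
# namespaces, but reusing the host network namespace and the host user
# namespace (the latter is the default when user namespaces are not remapped).
CONTAINER_PROC = {
    "cgroup": "cgroup:[4026532500]",
    "ipc": "ipc:[4026532501]",
    "mnt": "mnt:[4026532498]",
    "net": "net:[4026531992]",
    "pid": "pid:[4026532502]",
    "user": "user:[4026531837]",
    "uts": "uts:[4026532499]",
}


def parse_ns_links(links):
    """Turn {kind: 'kind:[inode]'} link targets into {kind: inode} integers."""
    parsed = {}
    for kind, target in links.items():
        m = _NS_RE.match(target)
        if not m or m.group("kind") != kind:
            raise ValueError(f"unexpected ns link for {kind}: {target!r}")
        parsed[kind] = int(m.group("inode"))
    return parsed


def shared_namespaces(proc_a, proc_b):
    """Return, sorted, the namespace kinds in which both processes share an inode."""
    a, b = parse_ns_links(proc_a), parse_ns_links(proc_b)
    return sorted(k for k in NS_KINDS if k in a and k in b and a[k] == b[k])


def read_live_ns(pid="self"):
    """Read a real /proc/<pid>/ns listing (Linux only; returns {} elsewhere)."""
    base = f"/proc/{pid}/ns"
    if not os.path.isdir(base):
        return {}
    return {k: os.readlink(os.path.join(base, k))
            for k in NS_KINDS if os.path.lexists(os.path.join(base, k))}


if __name__ == "__main__":
    # With the constructed samples this reports ['net', 'user'].
    print("namespaces shared with host:", shared_namespaces(HOST_INIT, CONTAINER_PROC))
    live = read_live_ns()
    if live:
        print("this process:", parse_ns_links(live))
```

Run against /proc/1 and a container’s PID on a real host, the same comparison shows which isolation boundaries a given container actually has; an empty mnt or pid difference would mean the process is, for that resource, simply a host process.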
Advantages of containers
The size of a container is much smaller than that of a virtual machine, even as small as 10 MB, and the memory and CPU usage of a container can be limited easily. Containers are lightweight and start up quickly compared to virtual machines, where an application needs the entire operating system deployed. This lets us scale quickly by adding more instances of the same container.
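The limits mentioned above are the Cgroups side of the picture. Under cgroup v2 a container’s limits are two small files in its cgroup directory, cpu.max (“<quota> <period>” in microseconds, or “max <period>”) and memory.max (a byte count, or “max”). The following Python is an added example, not code from the original article; it interprets constructed contents of those files and flags a cgroup that has no bound at all, which is the case where one container can starve the host and its neighbours. The values in SAMPLE_LIMITED are what a runtime would typically write for a 0.5-CPU, 512 MiB limit; the read_own_cgroup_files helper reads the live files on a Linux host and returns an empty mapping elsewhere.

```python
"""Interpret cgroup v2 resource limits the way a container runtime sets them.

Added illustration, not code from the original article. In cgroup v2 a
container's limits live in files under /sys/fs/cgroup/<path>/:
  cpu.max    -> "<quota> <period>" in microseconds, or "max <period>"
  memory.max -> a byte count, or "max" for no limit
The sample file contents below are constructed.
"""
import os

# Constructed: typical contents for a limit of half a CPU and 512 MiB.
SAMPLE_LIMITED = {"cpu.max": "50000 100000\n", "memory.max": "536870912\n"}
# Constructed: a cgroup with no limits at all.
SAMPLE_UNLIMITED = {"cpu.max": "max 100000\n", "memory.max": "max\n"}


def parse_cpu_max(text):
    """Return the CPU quota as a number of cores, or None for unlimited."""
    quota, period = text.split()
    if quota == "max":
        return None
    return int(quota) / int(period)


def parse_memory_max(text):
    """Return the memory limit in bytes, or None for unlimited."""
    text = text.strip()
    return None if text == "max" else int(text)


def summarize_limits(files):
    """Summarize a cgroup's limits from a {filename: contents} mapping."""
    cpus = parse_cpu_max(files["cpu.max"])
    mem = parse_memory_max(files["memory.max"])
    return {
        "cpus": cpus,
        "memory_bytes": mem,
        # Resources on which this cgroup places no bound at all.
        "unbounded": [name for name, v in (("cpu", cpus), ("memory", mem)) if v is None],
    }


def read_own_cgroup_files():
    """Read the live cgroup v2 files of this process (Linux only, else {})."""
    try:
        with open("/proc/self/cgroup") as fh:
            line = next(l for l in fh if l.startswith("0::"))
    except (OSError, StopIteration):
        return {}
    cg_dir = os.path.join("/sys/fs/cgroup", line.strip()[3:].lstrip("/"))
    out = {}
    for name in ("cpu.max", "memory.max"):
        try:
            with open(os.path.join(cg_dir, name)) as fh:
                out[name] = fh.read()
        except OSError:
            pass
    return out


if __name__ == "__main__":
    print("limited  :", summarize_limits(SAMPLE_LIMITED))
    print("unlimited:", summarize_limits(SAMPLE_UNLIMITED))
    live = read_own_cgroup_files()
    if len(live) == 2:
        print("this process:", summarize_limits(live))
```

A container whose summary lists both resources as unbounded is relying entirely on the host to absorb whatever it consumes, which is exactly the process-level-isolation weakness the disadvantages section below describes.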
Likewise, containers are an excellent choice for continuous integration and continuous deployment (CI/CD) implementations. They facilitate collaborative development by distributing and merging images among developers.
Disadvantages of containers
Containers still do not provide the same security and stability as virtual machines. Because they share the host kernel, they cannot be completely isolated like virtual machines.
Containers provide only process-level isolation, and one container can affect other containers by affecting the stability of the host kernel.
Once a container has performed its task, it stops and its data is deleted along with it. If you want to keep data, you must use a “data volume,” which needs to be configured manually on the host.
Container or virtual machine
Above we have listed the advantages and disadvantages of containers and virtual machines. Whichever we choose for its advantages, we accept its disadvantages by default; everything has two sides, and nothing has only advantages. Because of their complete isolation and security, virtual machines are often used for demanding applications, network infrastructure, and applications that consume most of a VM’s resources. Containers are usually used for web applications and microservices.