Whenever we discuss virtualized products, one question invariably asked is whether we considered a container-based approach instead of virtualization. The intent of this article is to lay out the technological differences between the two so that readers can choose the technology that fits their needs.
The major benefits Docker and virtual machines provide are:
Virtual platforms – allow us to build virtual platforms that are functionally equivalent to the real platforms. Example: vSRX is a virtual platform providing SRX functionality.
Allow applications developed on different platforms and for different operating systems to run on a single physical server. Now that cloud hosting has become real, these applications have to run in an environment very different from the one they were developed and tested on, and it is not cost effective to maintain multiple physical platforms running different operating systems.
Scale-out model – allows multiple instances of an application to run without modifying the application and without resource conflicts between the instances.
Multi-tenancy – multi-user operating systems can host multiple users, but they are not suitable for hosting multiple tenants, because most objects, including file systems, processes and the network stack, are globally visible and leak information between tenants. Virtualization and containers each give a tenant its own view of these objects.
In a typical physical platform the hardware (HW) is controlled by the operating system (OS). Applications are built to run on top of the OS, and most operating systems provide libraries that wrap commonly used functions and system calls to facilitate application development.
A virtual machine is a virtual HW platform. The hypervisor, or virtual machine monitor (VMM), often referred to as the host OS, manages the physical HW and presents multiple virtual HW platforms, so that different operating systems can run on a single physical server. It does this by emulating the HW; the guest OS is not aware whether it is running on a physical or a virtual platform. Virtual HW that can run an unmodified guest OS is called full virtualization. Because HW emulation is expensive, for efficiency the guest OS drivers can be modified to share the physical HW more effectively; this form of virtualization is called para-virtualization. As you can see in the above figure, the majority of the guest code runs unmodified in an isolated virtual HW environment with the help of the virtualization assists (for example Intel VT-x or AMD-V) provided by the physical CPU.
A container-based platform, in contrast, runs a single OS kernel, and that kernel provides isolation using namespaces. All applications in a container run as ordinary processes of that kernel, but inside the container's namespaces, which adds a level of separation: processes in one container do not see and cannot access the processes, file systems or network interfaces of other containers. Because the kernel is shared, a container cannot bring its own kernel; to run applications built for a different OS distribution, the container ships its own user-space environment, a set of libraries and resources such as a root file system and networking support. Docker uses container technology and provides the environment needed to support
Virtual machines emulate the hardware and provide virtual platforms that can run unmodified SW, including the kernel. In environments where the kernel has been heavily modified to fit the needs of the applications, for efficiency or other reasons, additional work is required to run those applications in a container-based environment, since containers share the host kernel and cannot carry their own. Otherwise, container-based technology offers better resource utilization.
Virtual machines in most cases use hardware-provided isolation, while containers use kernel namespaces to provide isolation. The practical consequence is that the isolation boundary of a container is the shared host kernel: a kernel vulnerability reachable from inside one container affects every container on that host, whereas for a VM the equivalent boundary is the hypervisor and the HW assists it relies on.
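To make the two isolation boundaries concrete, here is an added example (not code from the original article) that inspects the environment a process runs in: it reads the namespace inodes under /proc/<pid>/ns that containers rely on, and the CPUID hypervisor bit and DMI vendor strings that give a VM away. It assumes a Linux guest with /proc and /sys mounted; the cgroup marker substrings and hypervisor vendor names are assumptions based on common runtimes and hypervisors, not something the article specifies.

```python
"""Added example: tell which isolation boundary the current process is behind.

Containers isolate with kernel namespaces, so every process in a container
shares the same namespace inodes and runs on the host's kernel; a VM instead
sits on emulated hardware, which the guest can usually detect through the
CPU's 'hypervisor' flag or the DMI vendor strings. Linux only.
"""
import os
import re

NS_DIR = "/proc/{pid}/ns"
# Assumed: substrings that commonly appear in a container's cgroup path.
CONTAINER_CGROUP_MARKERS = ("docker", "containerd", "kubepods", "lxc", "libpod")
# Assumed: DMI vendor/product strings used by common hypervisors.
HYPERVISOR_VENDORS = ("qemu", "kvm", "vmware", "xen", "microsoft corporation",
                      "innotek", "virtualbox", "parallels", "bochs")


def namespace_ids(pid="self"):
    """Map namespace name -> inode id (e.g. 'pid:[4026531836]') for a process.

    Reading another process's /proc/<pid>/ns links needs the same UID or
    CAP_SYS_PTRACE; failures yield an empty mapping instead of raising.
    """
    ids = {}
    try:
        entries = os.listdir(NS_DIR.format(pid=pid))
    except OSError:
        return ids
    for name in entries:
        try:
            ids[name] = os.readlink(os.path.join(NS_DIR.format(pid=pid), name))
        except OSError:
            continue
    return ids


def shared_namespaces(a, b):
    """Names of the namespaces two processes share (same inode in both maps)."""
    return sorted(name for name, ident in a.items() if b.get(name) == ident)


def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def container_evidence():
    """List the container markers found; empty means no evidence of a container."""
    evidence = []
    if os.path.exists("/.dockerenv"):
        evidence.append("/.dockerenv exists")
    cgroup = _read("/proc/1/cgroup")
    if any(m in cgroup for m in CONTAINER_CGROUP_MARKERS):
        evidence.append("container runtime path in /proc/1/cgroup")
    # In a container PID 1 is the container's entry process and shares our pid
    # namespace; on a host PID 1 is init in the root namespaces and, unless we
    # are root, its ns links are not even readable.
    own, init = namespace_ids("self"), namespace_ids(1)
    if (init and "pid" in own and own["pid"] == init.get("pid")
            and os.getpid() != 1
            and _read("/proc/1/comm").strip() not in ("systemd", "init")):
        evidence.append("PID 1 is a non-init process sharing our pid namespace")
    return evidence


def vm_evidence():
    """List the hypervisor markers found; empty means no evidence of a VM."""
    evidence = []
    cpuinfo = _read("/proc/cpuinfo")
    if re.search(r"^flags\s*:.*\bhypervisor\b", cpuinfo, re.MULTILINE):
        evidence.append("CPUID hypervisor-present bit set")
    vendor = (_read("/sys/class/dmi/id/sys_vendor") + " " +
              _read("/sys/class/dmi/id/product_name")).lower()
    if any(v in vendor for v in HYPERVISOR_VENDORS):
        evidence.append("DMI vendor/product: " + vendor.strip())
    return evidence


def classify():
    """Return 'container', 'vm' or 'physical-or-unknown' for the current process."""
    if container_evidence():
        # A container inside a VM still reports 'container': the shared kernel is
        # the nearer isolation boundary and the one the tenant has to trust.
        return "container"
    if vm_evidence():
        return "vm"
    return "physical-or-unknown"


if __name__ == "__main__":
    print("isolation boundary:", classify())
    for line in container_evidence() + vm_evidence():
        print("  -", line)
    print("namespaces:", namespace_ids())
```

Run it once on the host and once inside a container on the same host: the namespace inodes differ between the two, yet `/proc/cpuinfo` and the DMI strings are identical, which is exactly the point of the comparison above. The container shares the kernel and its view of the hardware; only the VM gets hardware of its own.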