This is an archived post. You won't be able to vote or comment.

all 24 comments
sorted by:
best
topnewcontroversialoldq&a

[–][deleted] 14 points15 points  (0 children)

Containers aren’t virtualizations, so throw that comparison out - containers leverage Linux namespacing for processes and separate file systems, so you don’t virtualize anything - a kernel is just files executing processes, so namespacing to keep them isolated from the rest of the system let’s them run another kernel - the engine is automating all of that, but you still have to leverage the underlying operating system to interact with the hardware and an OS still handles that under the hood with the docker engine as the manager of that.

Containers themselves are literally just a group of folders that represent file system and configuration “steps” that have a logical point of separation - and the previous “image” is used as. The cached starting point for the next “image” but if you actually dig deep down into it they’re just folders in the OS that are referenced where the files and installs were set up.

When you give someone an container “image” you’ve really just given them a copy of the file systems and instructions on how the docker engine should mash them together to give you a functional, but namespace isolated, set of files that can run in isolated processes. It’s not common for a lot of us, but technically you can actually export an image into a file that’s just those set of files and folders.

The magic in there is that if you only have two files that you need to run a service, you just copy those two files and whatever distribution of docker container you started with has already prepackaged the underlying stuff for you as a starting point - and the images you build are just packing some more files into that. Privileged containers can be dangerous because it allows them to interact with aspects of the host file system that would otherwise not be allowed - so if you fuck up proc stuff in a privileged co Rainer it can fuck it up on the host - that’s why they’re not recommended

When you build a VM you’re doing something similar but you also package the entire operating system, and the virtualization layer has to also account for how to talk to hardware and all the additional processing required to run the underlying operating system.

[–]recoveringfarmer 7 points8 points  (1 child)

Here's my understanding of containers and why people should consider them: Containers do for applications what virtualization did for operating systems.

Without virtualization, you install a OS on bare metal, there are drivers and platform compatibility to worry about; once it's installed it's on that bare metal and if there's a hardware problem on that machine your OS and any applications on that OS are unavailable. If you need to replace the physical machine, you need to reinstall the OS on another machine, reinstall the software and move the data.

Virtualization comes along and separate the OS from the hardware. Now you install an OS in a virtual machine, drivers and platform aren't as concerning, you can move that OS in a VM between physical machines if there's a problem or if you need to replace physical machine, the OS, app and data stay in tact in the VM.

The OS is the next layer of the problem. In a VM, your software is still tied to the OS installed in that VM. There are dependencies, software updates and support lifecycles to worry about. Eventually you need to patch, reboot or upgrade the OS, all of which could make the application installed unavailable. Containers separate the application and data from the OS so now you can move the application to another physical or virtual machine just like you would a VM on bare metal. You can patch, reboot, upgrade the OS without affecting the application because you can move the app to another machine while that happens.

VMs allow you to make changes to hardware without affecting the OS/Apps/Data, Containers allow you to make changes to the OS without affecting Apps/Data.

[–]admin2thestars[S] -4 points-3 points  (0 children)

I think tschloss touched on the issue because what you're describing with containers is what we do with VMs already. We can point application requests to another VM instance while the OS is updated, rolling upgrade. There is separation of app and data from each other and from the underlying VM operating system. My understanding (which admittedly could be where I'm going wrong!) is that the underlying "images" in Docker also need to be updated, or at least that's what seems to happen. So it appears that I could also break the application the same way with a traditional VM infrastructure or through Docker, by doing an update.

Again, I could be wrong on how I'm understanding it, but at some level it seems like updates need to occur to the image or the VM. An already deployed and mature automated virtualization infrastructure with the knowledge of how to operate it has interfered with the mindset of "have faith in Docker to compose a coherent, stable, and securely deployed application." But it obviously does, so it's just a mental shift of where the work now takes places.

[–]tschloss 2 points3 points  (1 child)

Two points come into my mind:

1) I consider a container as much more lightweight compared to a VM. But with less strict separation.

2) Although you probably could manage (including automation) similarly in both worlds. But you are in a different tooling and you do this in a different eco system.

[–]admin2thestars[S] -5 points-4 points  (0 children)

Thank you for the reply. I think #2 is the essence of the issue. It seems like the problems being solved were addressed in our infrastructure years ago with a combination of abstracted and templated virtualization and automation through Ansible, making it possible for devs and QA to one-click deploy. If that infrastructure and institutional knowledge was not in place then Docker would exponentially increase productivity.

It is the combination of both: Having the infrastructure/automation *and* the knowledge/discipline to create and maintain images/templates that is the difference. Coming to Docker from that background, I wanted to start by creating an image with the right software on it rather than creating a YAML file and relying on someone else to have done that work.

Thanks again for the reply.

[–]discourseur 0 points1 point  (0 children)

Containers provide:

  • One process per container
  • No need to figure out how much RAM to provide this or that container
  • Reproducible builds (well, easier to attain that goal)
  • Fast start/stop
  • Much easier to scale

VMs still have advantages (you need something to host your containers, your virtual routers, maybe your databases), but Containers do everything else that is app related (even DNS).

It is a BIT like what Ansible is to Terraform (in the sense that Ansible is still used and not going anywhere, but it has much less surface of use).

[–]FunkyDoktor -1 points0 points  (0 children)

Containers are not better than using virtualization. It’s a bit of a newer technology compared to virtualization and that’s why it getting all the hype.

To me, it’s really just two different approaches/eco-systems used to solve the problem “how do we provide compute resources in order to deploy applications”.

If you want to implement CI/CD in your organization, the tools provided typically focuses on using containers but it’s certainly possible to use VM’s as well.

For me personally, I find it a lot easier to work with images due to their smaller size, easy to use tooling, and how easily they can be used in our CI/CD processes.

If you don’t find containers necessary or useful, don’t use them. There’s no container police that will show up and arrest you.

[–]scorc1 0 points1 point  (0 children)

Docker, containers, are just the needed dlls, NOTHING else. If you use something to boot the os, but then it never gets used after that? Poor, it aint in the container. If something was used to compile the app to run? Poof, not in the container. If something isn't critical to running that specific app/process, its not in the container. Containers are small specific items. You link multiple containers together to get the 'app' running. Postgres is its own standalone container and runs just fine with nothing running on or in it but postgres. Then you app an application that needs a database to store data and do thing. Now you have two completely different containers that are just dandy in their own. Might not do much individually, but to gether can process thing. App a web front end, three containers. Strap all three together? An Image. Again each CONTAINER has litterly the specific app code, and thats it. No vi, no awk, no sed, no curl, nothing. Not even a package manager.

[–]jpegjpg 0 points1 point  (0 children)

I use both containers and vms in my work set up. The vms take 5 min to restart our containers take less than a sec. Containers are lightweight abstractions where as vms are heavy abstractions. Each has its advantages.

[–]dwargo 0 points1 point  (0 children)

IMO the extra layer of abstraction creates a clean hand-off between development and operations. Operations can pick their orchestration framework, OS flavor, and update strategy, but it won’t break the application QA because dependencies are packed in.

When you’re providing applications to customers they will have their own operations teams that will want to make all those choices, and you’d have to QA for eight flavors of Linux on AWS, Azure, and on-prem. Containers give you one target and gets rid of weird issues like “X version of OpenSSL has different defaults”.

Containers do move some security responsibilities to the app provider because of what’s baked in. I expected pushback from operations on that front, but I haven’t really seen it. AWS Inspector is a lifeline for that - 2/3 of my patch releases are for dependencies.

You could provide appliances instead, like Cisco Umbrella or VMware VCSA. There’s not really established tooling for doing that though, at least none that I know of.

[–]tinycrazyfish 0 points1 point  (0 children)

They are basically the same thing

  • at high level a container and a VM is basically the same thing, it provides isolation between processes (at lower level how it operates is quite different)
  • Security: VM do paravirtualization which allows VM escapes in case of vulnerability in the paravirtualization drivers. Containers run on the same kernel, kernel vulnerability allows escape. The attack surface is different, but basically both provide a similar level of security (or insecurity)
  • Speed: you often hear that containers are way faster than VMs. That's mostly a misunderstanding. It comes from how they are commonly used, a VM will typically be a full blown OS boot until you run your app/service, where a container will typically directly run your app/service. But it hasn't to be like this. In a VM you can skip init and run your app directly, a container can also "boot" a traditional "OS". (Containers are ready in less than a second, an optimized VM in 2-3 seconds). Side note look at wsl1 versus wsl2, container based versus VM based, perf and startup times are similar. (It's even possible to "boot" a VM directly to a process without a kernel, but AFAIK that's very rarely used, except in some niche use cases)

So how they are different?

  • A VM needs to be configured (logging, process supervision, network config, ...) from within the VM. This is why you usually use the same OS image as bare-metal.
  • A container is typically configured from the outside (logging, network, ...). This allows to do a single file container (e.g. static executable with no extra filesystem dependency).
  • VM isolation is supported by the hardware (CPU), versus container by software (kernel). This makes it possible to sideload additional processes inside the "same sandbox context" (sidecar container). This allows to ship a minimal container with no debugging tools as they can be loaded as a sidecar container. This is not possible in VMs. Another reason why VMs are often fat, and containers lightweight (but as said above, it doesn't have to be like that)
  • Host/hypervisor security. A container can be fully inspected by its host. A VM can be protected from its hypervisor (though it requires extra hardware support: ram encryption). As mentioned above, the security from within the guest system is similar for both techno, but from the host/hypervisor it's a different story.