Docker, Kubernetes, and even Windows Server Containers have seen a huge rise in popularity in the last few years. With the application container market having a projected CAGR (Compound Annual Growth Rate) of 32.9% between 2018 and 2023, we can expect that trend to continue. Containers have a huge impact on application delivery and are a real game changer for DevOps teams.
However, despite the popularity of containerization, there is still significant confusion and misunderstanding about how containers work and the difference between containers and virtual machines. This also leads to ambiguity in how to properly secure infrastructure that uses containers.
In this piece, we’ll provide a crash course on containers vs virtual machines by comparing the two, describing some common use cases for both, and providing some insights to help you keep both your virtual machines and containers secure.
What are Virtual Machines?
VMware’s description of a virtual machine as a “software computer” is a succinct way to describe the concept. A virtual machine is effectively an operating system or other similar computing environment that runs on top of software (a hypervisor) as opposed to directly on top of bare metal computer hardware (e.g. a server).
To better conceptualize what a virtual machine is, it’s useful to understand what a hypervisor is. A hypervisor is a special type of operating system that enables a single physical computer or server to run multiple virtual machines with different operating systems. The virtual machines are logically isolated from one another; the hypervisor virtualizes the underlying hardware and gives each virtual machine virtual compute resources (CPU, RAM, storage, etc.) to work with. Two of the most popular hypervisors today are Windows Hyper-V and VMware’s ESXi.
In short, hypervisors abstract away the hardware layer so virtual machines can run independent of the underlying hardware resources. This technology has enabled huge strides in virtualization and cloud computing over the last two decades.
Note: If you’re interested in the nuts and bolts of hypervisors, what we’ve described here is a “Type 1” (bare-metal) hypervisor. There are also “Type 2” hypervisors (e.g. VirtualBox or VMware Fusion) that run on top of a standard operating system (e.g. Windows 10).
What are Containers?
A container is a means of packaging an application and all its dependencies into a single unit that can run anywhere the corresponding container engine is installed. To conceptualize this, we can compare what a container engine does for containers to what a hypervisor does for virtual machines. While a hypervisor abstracts away hardware for the virtual machines so they can run an operating system, a container engine abstracts away the operating system so containers can run applications.
If you’re new to the world of containers and containerization, there is likely a ton of new terminology you need to get up to speed on, so here is a quick reference:
- Docker. One of the biggest players in the world of containers and maker of the Docker Engine. However, there are many other options for running containers, such as LXC (Linux Containers) and CoreOS rkt.
- Kubernetes. A popular orchestration system for managing containers, often abbreviated “K8s”. Other, less popular orchestration tools include Docker Swarm and Apache Marathon.
- Cluster. A group of containers with a “master” machine that handles orchestration and one or more worker machines (nodes) that actually run pods.
- Pods. Pods are one or more containers in a cluster with shared resources that are deployed for a specific purpose.
Understanding the differences between containers vs virtual machines becomes easier when you view them from the standpoint of what is being abstracted away to provide the technology. With virtual machines, you’re abstracting away the hardware that would have previously been provided by a server and running your operating system. With containers you’re abstracting away the operating system that has been provided by your virtual machine (or server) and running your application (e.g. MySQL, Apache, NGINX, etc.).
Use Cases for Containers vs Virtual Machines
At this point, you may be asking: “Why bother with containers if I already have virtual machines?” While that is a common thought, it’s important to understand that each technology has valid use cases and there is plenty of room for both in the modern data center.
Many of the benefits of containers stem from the fact that they include only the binaries, libraries, other required dependencies, and your app – no other overhead. It should be noted that all containers on the same host share the same operating system kernel. This makes them significantly smaller and more lightweight than virtual machines. As a result, containers boot quicker, ease application delivery, and help maximize efficient utilization of server resources. This means containers make sense for use cases such as:
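Because every container on a host shares that host’s kernel, the settings that decide how much of the host a container can touch are worth auditing. The script below is an added example (not from the original article): it reads `docker inspect`-style JSON and flags HostConfig settings that weaken the container-to-host boundary. The three records are constructed and trimmed to the fields the script reads; the check list and thresholds are the author’s choices, not a vendor benchmark.

```python
"""Audit container configurations for settings that weaken isolation
between a container and the shared host kernel.

Added example, not from the original article. SAMPLE_INSPECT is a
constructed, trimmed imitation of `docker inspect` output: only the
HostConfig fields this script reads are present.
"""
import json

# Constructed sample records (real output has many more fields).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                    "CapAdd": None, "Binds": ["webdata:/var/www"],
                    "ReadonlyRootfs": True, "SecurityOpt": ["no-new-privileges"]}},
    {"Name": "/ci-runner",
     "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "host",
                    "CapAdd": ["SYS_ADMIN"],
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                    "ReadonlyRootfs": False, "SecurityOpt": None}},
    {"Name": "/db",
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "backend",
                    "CapAdd": ["NET_ADMIN"], "Binds": ["dbdata:/var/lib/mysql"],
                    "ReadonlyRootfs": False, "SecurityOpt": None}},
])

# Host paths that, when bind-mounted, effectively hand the container the host.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/", "/etc", "/proc", "/sys")


def audit_container(record):
    """Return a list of human-readable findings for one inspect record."""
    hc = record.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities, no device/cgroup restrictions")
    if hc.get("PidMode") == "host":
        findings.append("host PID namespace: host processes visible to the container")
    if hc.get("NetworkMode") == "host":
        findings.append("host network namespace: no network isolation from the host")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"added capability {cap}")
    for bind in hc.get("Binds") or []:
        host_path = bind.split(":", 1)[0]   # "host:container[:opts]" -> host side
        if host_path in SENSITIVE_HOST_PATHS:
            findings.append(f"sensitive host path mounted: {host_path}")
    if not hc.get("ReadonlyRootfs"):
        findings.append("writable root filesystem (consider --read-only)")
    # Docker records this option as "no-new-privileges" or "no-new-privileges:true".
    if not any(opt.startswith("no-new-privileges") for opt in hc.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set")
    return findings


def audit_all(inspect_json):
    """Parse `docker inspect` JSON and map container name -> findings."""
    return {rec["Name"].lstrip("/"): audit_container(rec)
            for rec in json.loads(inspect_json)}


def risky_containers(inspect_json):
    """Sorted names of containers with at least one finding."""
    return sorted(name for name, found in audit_all(inspect_json).items() if found)


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for item in findings:
            print(f"  - {item}")
```

On a real host you would feed it the output of `docker inspect $(docker ps -q)`; the point of the check list is that each flagged setting removes one of the layers (namespaces, capabilities, read-only filesystem) that stand between a container process and the kernel it shares with everything else on the box.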
- Web applications
- DevOps testing
- Maximizing the number of apps you can deploy per server
Virtual machines on the other hand are larger and boot slower, but they are logically isolated from one another (with their own kernel) and can run multiple applications if needed. They also give you all the benefits of a full-blown operating system. This means virtual machines make sense for use cases such as:
- Running multiple applications together
- Monolithic applications
- Complete logical isolation between apps
- Legacy apps that require old operating systems
It’s also important to note that the topic of containers vs virtual machines is not zero-sum and the two can be used together. For example, you can install the Ubuntu Operating System on a virtual machine, install the Docker Engine on Ubuntu, and then run containers on top of the Docker Engine.
Security Challenges of Containers vs Virtual Machines
As data centers and hybrid cloud infrastructures integrate containers into an already complex ecosystem that includes virtual machines running on-premises and a variety of cloud services providers, keeping up with security can be difficult.
While virtual machines do offer logical isolation of kernels, there is still a myriad of challenges associated with them, including limited visibility into virtual networks, sprawl leading to an expanded attack surface, and hypervisor security. These problems only become more magnified as your infrastructure scales and becomes more complex. Without the proper tools, adequate visibility and security are more challenging to achieve.
This is where Guardicore Centra can help. Centra enables enterprises to gain process-level visibility over the entirety of their infrastructure, whether virtual machines are deployed on-premises, in the cloud, or a mixture of both. Further, micro-segmentation helps limit the spread of threats and meet compliance requirements.
Micro-segmentation is particularly important when you begin to consider the challenges associated with container security. Containers running on the same operating system share the same kernel. This means that a single compromised container could lead to the host operating system and all the other containers on the host being compromised as well. Micro-segmentation can help limit the lateral movement of breaches and further harden a hybrid cloud infrastructure that uses containers.
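To make the lateral-movement point concrete, here is an added example (not from the article, and not how Centra works internally) of the core check behind micro-segmentation: an allow-list of permitted segment-to-segment flows, applied to observed east-west traffic. The segment labels, the policy and the flow log lines are all constructed; flows that are not explicitly allowed between segments are reported as violations.

```python
"""Check observed east-west flows against a micro-segmentation allow-list.

Added example, not from the original article and not Guardicore Centra's
logic. The segment map, policy and flow log below are constructed.
"""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst port proto")

# Constructed label map: workload name -> segment it belongs to.
SEGMENTS = {
    "web-1": "web", "web-2": "web",
    "api-1": "api",
    "db-1": "db",
    "ci-runner": "ci",
}

# Constructed allow-list of (src_segment, dst_segment, port, proto).
# Any cross-segment flow not listed here is denied (default deny).
POLICY = {
    ("web", "api", 8080, "tcp"),
    ("api", "db", 3306, "tcp"),
}

# Constructed flow log: one flow per line as "src dst port proto".
FLOW_LOG = """\
web-1 api-1 8080 tcp
api-1 db-1 3306 tcp
web-2 db-1 3306 tcp
ci-runner api-1 22 tcp
api-1 db-1 3306 tcp
web-1 web-2 443 tcp
"""


def parse_flow(line):
    """Parse one log line into a Flow; port is an int."""
    src, dst, port, proto = line.split()
    return Flow(src, dst, int(port), proto)


def is_allowed(flow, policy=POLICY, segments=SEGMENTS, allow_intra_segment=True):
    """True if the policy permits this flow.

    Workloads with no segment label are never trusted. Traffic inside one
    segment is permitted by default here; a stricter policy would set
    allow_intra_segment=False and list those flows explicitly too.
    """
    src_seg, dst_seg = segments.get(flow.src), segments.get(flow.dst)
    if src_seg is None or dst_seg is None:
        return False
    if src_seg == dst_seg:
        return allow_intra_segment
    return (src_seg, dst_seg, flow.port, flow.proto) in policy


def violations(log=FLOW_LOG, **kwargs):
    """Return the flows in `log` (in order) that the policy does not permit."""
    return [f for f in map(parse_flow, log.splitlines()) if not is_allowed(f, **kwargs)]


def violations_by_source(log=FLOW_LOG, **kwargs):
    """Group violating flows by source workload: the view an analyst wants
    when deciding whether a single host is probing its neighbours."""
    grouped = defaultdict(list)
    for f in violations(log, **kwargs):
        grouped[f.src].append((f.dst, f.port, f.proto))
    return dict(grouped)


if __name__ == "__main__":
    for src, targets in violations_by_source().items():
        print(f"{src} ({SEGMENTS.get(src, 'unlabelled')}) -> {targets}")
```

The same structure scales from a toy label map to whatever the inventory provides (Kubernetes labels, VM tags, process identity); what matters for containing a compromised container is that the policy is evaluated on every flow, including the ones between containers on the same host.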
Interested in Learning More About Securing Your Infrastructure?
That was our quick “cheat sheet” regarding containers vs virtual machines. We hope you enjoyed it! If you’d like to learn more about Docker security, check out our 5 Docker Security Best Practices to Avoid Breaches article. To learn more about securing modern infrastructure, check out our white paper on securing modern data centers and clouds. If you’d like to learn more about how Centra can help secure your hybrid cloud infrastructure, contact us today.