
Containers vs Virtual Machines (VMs)

  • VM: virtual machine, a complete guest with its own OS kernel, virtual disks, virtual network interfaces and virtual CPUs, running on hardware emulated or mediated by a hypervisor.
  • Container: an isolated group of processes on the host OS, not a "lite VM": it carries its own user space (filesystem, libraries, processes) but runs on the host's kernel.

VM vs (Traditional) Container vs Sandboxed Container

VM: runs on top of a hypervisor, and each VM has its own guest OS (kernel included), so the isolation boundary is the virtual hardware interface, not the system call interface. The diagram shows a hosted (type-2 style) hypervisor such as QEMU/KVM that itself runs on a host kernel; a bare-metal (type-1) hypervisor takes the place of the host kernel.

     VM1        VM2
|----------|----------|
|   App    |   App    |
|==========|==========| => System Calls
|  Guest   |  Guest   |
|  Kernel  |  Kernel  |
|----------|----------|
| Virtual  | Virtual  |
| Hardware | Hardware |
|----------|----------|
|   Hypervisor(VMM)   |
|=====================| => System Calls
|     Host Kernel     |
|---------------------|
|    Host Hardware    |
|---------------------|

Traditional Container (e.g. Docker, LXC): operating-system-level virtualization. All containers share the host OS kernel; isolation is provided by kernel features, namespaces for what a container can see (mnt, pid, net, ipc, uts, user, cgroup) and cgroups for how much it may consume, usually hardened with dropped capabilities and a seccomp syscall filter. The shared kernel is the attack surface: a container can issue any system call the filter allows, so a kernel bug reachable through a system call is a container escape.

|----------|----------|
|   App    |   App    |
|----------|----------|
|   Container Layer   |
|---------------------|
|     Host Kernel     |
|---------------------|
|    Host Hardware    |
|---------------------|
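Because the isolation of a traditional container is nothing more than the namespaces and cgroups the kernel applies to its processes, the practical check is to inspect those directly. The program below is an added example written for these notes, not code from Docker, LXC or the original page: it compares the namespace inodes under /proc/<pid>/ns/ for a process and a reference process (PID 1 on the host by default), and prints the cgroup the process sits in. Every namespace reported as SHARED is an isolation boundary that container does not have (as happens with --net=host or --pid=host). The path layout under /proc and the list of namespace types are standard Linux; the report format and the program name nscheck are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Namespace types a container runtime unshares for a container. Each one is
 * exposed as /proc/<pid>/ns/<name>; two processes are in the same namespace
 * of a given type exactly when those entries carry the same inode number. */
static const char *const NS_NAMES[] = {"mnt", "pid", "net", "ipc", "uts", "user", "cgroup"};
#define NS_COUNT (sizeof NS_NAMES / sizeof NS_NAMES[0])

/* Inode of /proc/<pid>/ns/<name>, or 0 when it cannot be read
 * (no /proc, process gone, or no permission to inspect it). */
unsigned long ns_inode(pid_t pid, const char *name) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, name);
    if (stat(path, &st) != 0) return 0;
    return (unsigned long)st.st_ino;
}

/* How many namespace entries of pid are readable at all. */
int count_readable(pid_t pid) {
    int n = 0;
    for (size_t i = 0; i < NS_COUNT; i++)
        if (ns_inode(pid, NS_NAMES[i]) != 0) n++;
    return n;
}

/* Number of namespace types in which a and b are the very same namespace.
 * Unreadable entries are never counted as shared. */
int count_shared(pid_t a, pid_t b) {
    int n = 0;
    for (size_t i = 0; i < NS_COUNT; i++) {
        unsigned long x = ns_inode(a, NS_NAMES[i]);
        unsigned long y = ns_inode(b, NS_NAMES[i]);
        if (x != 0 && x == y) n++;
    }
    return n;
}

/* Per-type report of pid against the reference process. */
void report(pid_t pid, pid_t reference) {
    for (size_t i = 0; i < NS_COUNT; i++) {
        unsigned long x = ns_inode(pid, NS_NAMES[i]);
        unsigned long y = ns_inode(reference, NS_NAMES[i]);
        if (x == 0 || y == 0)
            printf("%-7s unreadable\n", NS_NAMES[i]);
        else
            printf("%-7s %s\n", NS_NAMES[i], x == y ? "SHARED" : "separate");
    }
}

/* Print the cgroup membership lines of pid; a containerised process normally
 * sits in a per-container cgroup path, while a host process does not. */
void print_cgroup(pid_t pid) {
    char path[64], line[512];
    snprintf(path, sizeof path, "/proc/%d/cgroup", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) { printf("cgroup  unreadable\n"); return; }
    while (fgets(line, sizeof line, f)) printf("cgroup  %s", line);
    fclose(f);
}

/* Usage: ./nscheck <pid> [<reference-pid>]   (reference defaults to 1)
 * Run on the host with the PID of a process inside the container under test. */
int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <pid> [<reference-pid>]\n", argv[0]);
        return 2;
    }
    pid_t pid = (pid_t)atoi(argv[1]);
    pid_t ref = argc > 2 ? (pid_t)atoi(argv[2]) : 1;
    report(pid, ref);
    print_cgroup(pid);
    printf("%d of %d readable namespaces shared with pid %d\n",
           count_shared(pid, ref), count_readable(pid), (int)ref);
    return 0;
}
```

Reading another process's namespace links requires the same user or ptrace access, so run it as root on the host; from inside the container the comparison against PID 1 is meaningless, because PID 1 there is the container's own init and everything is trivially shared.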

Sandboxed Container (e.g. Google gVisor, Amazon Firecracker, IBM Nabla): puts an extra layer between the application and the host kernel so that the application's system calls never reach the host kernel directly, and the sandbox itself needs only a small, fixed set of host system calls. That shrinks the kernel attack surface an untrusted workload can reach. The mechanism differs per project: gVisor implements a user-space kernel (the Sentry) that handles the application's syscalls and is itself confined by a seccomp filter; Firecracker runs each workload in a minimal KVM microVM with a stripped-down device model; Nabla links the application against a library OS (Solo5 based) whose tender needs only a handful of host syscalls. The diagram shows the gVisor case.

|----------|----------|
|   App    |   App    |
|==========|==========| => System Calls
|        gVisor       |
|=====================| => Limited System Calls
|     Host Kernel     |
|---------------------|
|    Host Hardware    |
|---------------------|