Monday 27 April 2015

What's the difference between a Virtual Machine and a Container?

With the current trend towards "Containers" as opposed to "Virtual Machines", I've had a few people asking what the difference was, and where you might use one over the other.

I hope to keep this brief, but... 

Both Containers and Virtual Machines have been around for quite some time. Mainframe and commercial UNIX have had terms like LPAR for Logical Partition (representing VMs) and WPAR for Workload Partition (representing containers) for over a decade (Mainframe since 1972!!!).

UNIX/Linux have used "chroot" filesystems (otherwise known as a "chroot jail") for years to confine running processes such as a web server or database server. The earliest implementation of "containers" was the 1979 introduction of chroot into UNIX Version 7.

Currently chroot is a part of just about every major distribution of Linux.
________________________________________________________________________________

In very high level terms, a Virtual Machine or Hypervisor (such as VMware, Hyper-V, KVM, VirtualBox, and Xen) is designed to emulate an entire physical computer, including the various hardware abstractions required for networking, video, audio, etc...

In a word, VMs are FAT! 

(Image via Accenture: http://www.accenture.com/us-en/blogs/technology-blog/archive/2014/08/26/inspiration-through-elevation-simplified-configuration-management-with-docker.aspx)

A container, on the other hand (Docker, Parallels, CoreOS, chroot, ...), runs on top of an existing kernel, leveraging resources from the kernel, and merely presents a virtual userspace with a separate filesystem, CPU, memory and protected processes.

Without having to emulate the underlying hardware, you can pack 3-4 times as many containers into the same resource pool as a single Virtual Machine.
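To make the "virtual userspace on a shared kernel" point concrete, here is a small added example (not code from the original post): an unprivileged Linux process uses clone() to start a child in fresh user, PID and UTS namespaces, maps itself to uid 0 inside, renames the "host", and reports what it sees. The child is still an ordinary process on the very same kernel as its parent; the names, paths and the "container-demo" hostname are constructed for this demo, and it assumes a kernel that permits unprivileged user namespaces (otherwise it reports the errno, typically EPERM).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the child observed from inside its new namespaces. */
struct view { int pid; int uid; char hostname[32]; };
struct args { int pipe_wr; uid_t outer_uid; };

static void write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (f) { fputs(text, f); fclose(f); }
}
/* Runs on the same kernel as the parent, but inside new user/PID/UTS namespaces. */
static int child_main(void *raw) {
    struct args *a = raw;
    char map[64];
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)a->outer_uid);
    write_file("/proc/self/uid_map", map);       /* outer unprivileged uid becomes root inside */
    sethostname("container-demo", 14);           /* visible only inside the new UTS namespace */
    struct view v = { getpid(), (int)geteuid(), "" };
    gethostname(v.hostname, sizeof v.hostname);
    return write(a->pipe_wr, &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1;
}
/* Returns 0 and fills *v, or an errno value (EPERM when namespace creation is forbidden). */
int run_minimal_container(struct view *v) {
    static char stack[64 * 1024] __attribute__((aligned(16)));
    int fds[2];
    if (pipe(fds) < 0) return errno;
    struct args a = { fds[1], getuid() };
    pid_t pid = clone(child_main, stack + sizeof stack,
                      CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD, &a);
    if (pid < 0) { int e = errno; close(fds[0]); close(fds[1]); return e; }
    close(fds[1]);
    ssize_t n = read(fds[0], v, sizeof *v);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof *v ? 0 : EIO;
}
int main(void) {
    struct view v;
    int rc = run_minimal_container(&v);
    if (rc) { printf("namespaces unavailable here: %s\n", strerror(rc)); return 1; }
    printf("inside: pid=%d uid=%d host=%s | outside: pid=%d uid=%d\n",
           v.pid, v.uid, v.hostname, (int)getpid(), (int)getuid());
    return 0;
}
```

On a permissive kernel the child reports pid 1, uid 0 and hostname "container-demo" while the parent keeps its real pid and uid; `uname -r` in both would match, which is exactly why a kernel flaw reaches every container on the host while a VM guest is separated by the hypervisor.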


So why would I use Virtual Machines, if Containers are just as good?  

Well, because a Virtual Machine abstracts the ENTIRE hardware platform, there's evidence that it is better suited to defined network segregation.  

You could, for instance, define a Virtual Machine to represent your web application in its entirety, then within that VM, create containers for the web, app, and database tiers. The containers would provide logical segregation between the tiers, and the VM would protect the entire application from other apps in the DMZ.

Virtual Machines also allow you to run completely different Operating Systems simultaneously on the same hardware. For instance, on your Ubuntu laptop, you could use VirtualBox to simultaneously run Windows 8.1 and OS X.

Or, on your server, you could simultaneously run Red Hat Linux, Windows Server 2008, and Windows Server 2012.

A containerized system, as mentioned above, runs all containers off of the same Operating System Kernel.

And by far the biggest benefit of Containers over Virtual Machines is speed of launch. A Virtual Machine is, for all intents and purposes, a complete computer Operating System.  On boot, it has to run through all of the legacy boot processes... 

A Container launches on an already running kernel.  A full containerized application can launch in a fraction of a second (restricted only by I/O) whereas that same app launched within a Hypervisor context could be from tens of seconds to potentially a minute or more depending on boot requirements.



Edit: (04/28/2015)

Bromium is a newcomer to the virtualization space, and one to watch carefully. Based on a fork of the Xen hypervisor, Bromium relies heavily on Intel's hardware virtualization for isolation.

Unlike either of the above Hypervisor or Container approaches, Bromium isolates specific services in Windows, such as launching an application, downloading an email attachment, or clicking a hyperlink in a browser. When these activities are identified, Bromium creates a small task-specific "Microvisor" to encapsulate and segregate only the resources required for that task. Mandatory Access Control policies ensure protection of the underlying Operating System, as well as any other apps running on the host.

When NSS Labs tested the Bromium architecture, it achieved a perfect score in defeating all malware, as well as manual and scripted attempts at penetration.



References:

VMware just created its first Linux OS, and it's container-friendly
Why Containers Instead of Hypervisors?
WPARs Vs LPARs
IBM Systems Magazine: An LPAR Review
Wikipedia: Workload Partitions
Wikipedia: Virtual machine
Wikipedia: Operating-system-level virtualization
Wikipedia: Chroot
Best Practices for UNIX chroot() Operations
Ubuntu: Basic chroot
BELL LABS: UNIX (TM) TIME-SHARING SYSTEM: UNIX PROGRAMMER'S MANUAL Version 7
LinuxContainers.org (LXC)
Containers—Not Virtual Machines—Are the Future Cloud
Contain your enthusiasm - Part One: a history of operating system containers
Docker
Accenture: Inspiration through Elevation: Simplified Configuration Management with Docker
Gartner: Virtualization, Containers and Other Sandboxing Techniques Should be on Your Radar Screen
Bromium vSentry Sets New Standard for Security Effectiveness
NSSLABS: Threat Isolation Technology Test Report: Bromium vSentry
Bromium: Micro-virtualization for the Security Architect
