Containers and VMs
What is the difference between a container and a virtual machine?
Both containers and virtual machines revolve around the idea of virtualization, but they vary in the depth of that virtualization. The biggest difference is that a virtual machine contains a virtualized version of the operating system, as well as the application and dependencies for an application. While this can lead to multiple-gigabyte VMs — compared to the scant few megabytes of a typical container — virtual machines still have their uses. A single server can run a number of virtual machines at the same time, each with its own operating system. An enterprise can run Windows, Unix and Linux servers simultaneously on the same piece of hardware, for example.
Containers can’t do this, as all the containers running on one device share a single operating system. Consequently, containers are best suited for an environment that doesn’t require multiple OSes.
What are the advantages of using containers instead of virtual machines?
Compared to virtual machines, containers are:
- Faster to launch
- Easier to maintain
- More portable
Their smaller size leads to what is arguably the biggest advantage of the container: speed. A typical VM can take minutes to launch, while a container often spins up in a few seconds. With containers, the process of launching a few dozen applications simultaneously is almost negligible. With virtual machines, the process could take an hour or more — and may involve multiple pieces of hardware.
Because a virtual machine’s operating system is embedded, managing it can be complex and time-consuming. Data center administrators will have to patch host operating systems — possibly a variety that may require different tools and expertise. Keeping track of everything in a complex VM environment, such as VMware or others, can be difficult, but containers can ease this challenge by allowing you to manage a single OS environment.
Finally, virtual machines are difficult to move between cloud (public cloud and private cloud) and on-premises environments with physical servers. Containers, however, are easier for you to develop in one environment and then deploy in another.
How secure are containers?
Containers aren’t inherently more or less secure than non-containerized environments, but containers do introduce some new security challenges. Much of this is due to the novel complexity of the typical container. Because container images include system libraries and other dependent files and file systems, vulnerabilities are common. An analysis of 1,000 of the most popular Docker containers found a variety of security vulnerabilities in each — many of which were critical. Consequently, containers have developed a reputation for being insecure.
The bottom line is that while containers aren’t fundamentally insecure, you need to develop and manage them with the same attention to security as any other computing environment.
Are containers more secure than VMs?
The security of both VMs and containers depends on many factors, including how you manage the technologies. Because security is not a readily quantifiable or measurable metric, it’s impossible to compare the two technologies directly.
When properly developed and managed, containers can be quite secure environments. As noted in the section above, containers are more complex than virtual machines, and while VMs operate in strict isolation, containers can sometimes interact in unexpected ways with one another, possibly compounding security challenges. Also, you have to consider the security of the container’s host OS. A secure container running on an insecure host platform is just as risky as an insecure container.
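The two answers above make the same practical point: an image carries its own libraries, so the way it is built decides much of its exposure. The following script is an added example, not code from the original article: it parses a Dockerfile and flags a handful of weak settings that commonly end up in images (an unpinned base image, a remote ADD, a credential baked into an ENV, SSH exposed, and no USER so processes run as root), then shows a corrected Dockerfile passing clean. Both Dockerfiles, the rule names and the thresholds are constructed for this demonstration.

```python
"""Static checks for a few container-image hygiene problems.

Added example: the two Dockerfiles below are constructed inputs and the
rule names are this script's own; nothing here comes from the article.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int      # 0 means "applies to the whole file"
    rule: str
    message: str


# Constructed Dockerfile with several weak settings.
WEAK_DOCKERFILE = """\
FROM ubuntu:latest
ADD https://example.invalid/installer.sh /tmp/installer.sh
RUN sh /tmp/installer.sh
ENV API_TOKEN=hardcoded-secret-value
EXPOSE 22
CMD ["python3", "/app/server.py"]
"""

# The same image with the weak settings corrected (digest is a placeholder).
HARDENED_DOCKERFILE = """\
FROM ubuntu:22.04@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN apt-get update && apt-get install -y --no-install-recommends python3 \\
    && rm -rf /var/lib/apt/lists/*
COPY server.py /app/server.py
RUN useradd --system --no-create-home app
USER app
CMD ["python3", "/app/server.py"]
"""

_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
_SECRET_KEY = re.compile(r"(TOKEN|SECRET|PASSWORD|API_KEY)", re.IGNORECASE)


def parse_instructions(text):
    """Yield (line_no, INSTRUCTION, argument) per logical Dockerfile line,
    joining backslash continuations and skipping blanks and comments."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        inst, _, arg = buf.partition(" ")
        yield start, inst.upper(), arg.strip()
        buf = ""


def check_dockerfile(text):
    """Return a list of Finding objects for the weak patterns this script knows."""
    findings = []
    saw_user = False
    for no, inst, arg in parse_instructions(text):
        if inst == "FROM":
            image = arg.split()[0]                 # drop any "AS stage" suffix
            name = image.rsplit("/", 1)[-1]        # ignore registry host:port
            if not _DIGEST.search(image) and (":" not in name or name.endswith(":latest")):
                findings.append(Finding(no, "unpinned-base",
                                        f"base image {image!r} is not pinned to a tag or digest"))
        elif inst == "ADD" and re.match(r"https?://", arg):
            findings.append(Finding(no, "remote-add",
                                    "ADD fetches a remote URL at build time; COPY a vetted file instead"))
        elif inst == "ENV" and _SECRET_KEY.search(arg.split("=")[0].split()[0]):
            findings.append(Finding(no, "secret-in-env",
                                    "ENV looks like a credential baked into an image layer"))
        elif inst == "EXPOSE" and any(p.split("/")[0] == "22" for p in arg.split()):
            findings.append(Finding(no, "ssh-exposed",
                                    "EXPOSE 22: an SSH daemon inside the container widens the attack surface"))
        elif inst == "USER":
            saw_user = arg not in ("root", "0")
    if not saw_user:
        findings.append(Finding(0, "runs-as-root",
                                "no USER instruction: container processes run as root by default"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"== {label}: {len(check_dockerfile(text))} finding(s)")
        for f in check_dockerfile(text):
            print(f"  line {f.line}: [{f.rule}] {f.message}")
```

Checks like these catch only build-time choices; the libraries an image ships still need a vulnerability scan, and the host the container runs on needs its own hardening, as the answer above notes.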
Containers and the Cloud
What is a cloud container?
A cloud container is a container that is running on a cloud-native service, as opposed to in an on-premises environment. Containers work in either type of environment, but a cloud-native ecosystem generally gives an enterprise more flexibility and allows teams to configure and operate the containers with less overhead than in an on-premises environment. Many cloud service providers also include web-based monitoring tools that make it easier to keep tabs on container operations, application development and performance.
Containers-as-a-Service, or CaaS, is a conceptual operating model that allows an enterprise to contract with a cloud-based service provider to create and manage containers. It’s similar to other “as-a-Service” models, including Software-as-a-Service or Platform-as-a-Service, wherein reusable software components are spun up on demand in real time. In a CaaS environment, a service provider offers a complete, cloud-native framework in which you can operate containers and their related components. CaaS providers generally also offer monitoring tools so customers receive better visibility into their container operations.
The major benefit of a Containers-as-a-Service model is that it makes building and deploying containers simpler and faster. Because the service provider takes on container management, the customer can instead focus on the content of the containers themselves, which more directly impacts the business’ bottom line.
What is container monitoring?
You must monitor containers to make sure they’re performing as expected. When compared to traditionally developed software, containers create several layers of abstraction between the application and the underlying platform. This requires purpose-built tools and makes conventional monitoring challenging for DevOps professionals. Container environments are often deployed on a massive scale, making traditional monitoring even more difficult. To do it properly, you need a sophisticated visualization system that allows you to monitor containers both individually and in the aggregate. This type of monitoring system allows developers and DevOps professionals to locate problems and unearth performance and activity trends that would otherwise remain elusive within their container ecosystem.
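As an added example of monitoring containers "both individually and in the aggregate", the script below is not from the original article. It parses the tab-separated output shape that `docker stats --no-stream --format '{{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.PIDs}}'` produces, raises per-container alerts on memory pressure, CPU saturation and a runaway process count, and rolls the fleet up into totals. The sample rows and the alert thresholds are constructed; the unit table follows the B/kB/MB/GB and KiB/MiB/GiB suffixes Docker prints.

```python
"""Per-container and fleet-wide summary of docker stats style output.

Added example; the sample rows are constructed, not captured from a host.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of:
#   docker stats --no-stream --format '{{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.PIDs}}'
SAMPLE_STATS = """\
web-1\t3.27%\t45.2MiB / 512MiB\t12
web-2\t91.80%\t498.9MiB / 512MiB\t11
worker\t0.15%\t120.4MiB / 1.944GiB\t4
cron\t0.00%\t8.1MiB / 64MiB\t1487
"""

_UNITS = {"B": 1, "kB": 1000, "MB": 1000 ** 2, "GB": 1000 ** 3,
          "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}
_SIZE = re.compile(r"^\s*([0-9.]+)\s*([kKMG]?i?B)\s*$")


def parse_size(text):
    """Convert '45.2MiB' or '2GB' to an integer number of bytes."""
    m = _SIZE.match(text)
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unrecognised size: {text!r}")
    value, unit = m.groups()
    return int(float(value) * _UNITS[unit])


@dataclass
class ContainerStat:
    name: str
    cpu_pct: float
    mem_used: int
    mem_limit: int
    pids: int

    @property
    def mem_pct(self):
        return 100.0 * self.mem_used / self.mem_limit


def parse_stats(text):
    """Parse the tab-separated rows into ContainerStat records."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, cpu, mem, pids = line.split("\t")
        used, _, limit = mem.partition("/")
        rows.append(ContainerStat(name, float(cpu.rstrip("%")),
                                  parse_size(used), parse_size(limit), int(pids)))
    return rows


def summarize(rows, mem_warn_pct=90.0, cpu_warn_pct=80.0, pids_warn=1000):
    """Return (alerts, aggregate): one alert tuple per threshold crossed by a
    single container, plus fleet totals for the dashboard view."""
    alerts = []
    for r in rows:
        if r.mem_pct >= mem_warn_pct:
            alerts.append((r.name, "memory", round(r.mem_pct, 1)))
        if r.cpu_pct >= cpu_warn_pct:
            alerts.append((r.name, "cpu", r.cpu_pct))
        if r.pids >= pids_warn:            # sudden PID growth: fork bomb or runaway job
            alerts.append((r.name, "pids", r.pids))
    aggregate = {
        "containers": len(rows),
        "total_cpu_pct": round(sum(r.cpu_pct for r in rows), 2),
        "total_mem_used": sum(r.mem_used for r in rows),
        "total_pids": sum(r.pids for r in rows),
    }
    return alerts, aggregate


if __name__ == "__main__":
    alerts, aggregate = summarize(parse_stats(SAMPLE_STATS))
    for name, kind, value in alerts:
        print(f"ALERT {name}: {kind}={value}")
    print("fleet:", aggregate)
```

On a real host the same functions can be fed from the `docker stats` command in the lead-in; the point of the per-container view is that the `cron` container's process count is invisible in the fleet totals, which look healthy.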
Types of Containers
What is a Linux container?
Linux containers are open source technologies, provided by Red Hat and other vendors, that allow developers to package and isolate applications with the entire container runtime environment. Since they have all the files necessary to run, the contained application can move seamlessly among environments, including testing, development and production. This portability makes Linux containers much faster and more efficient to use than traditional development pipelines that rely on replicating testing environments. As such, you can apply Linux containers to many different problems when portability, configuration and isolation are required. Their ease of use has also made them critical to numerous IT security initiatives.
There are numerous implementations of Linux containers, which are based on mechanisms provided by the Linux kernel, specifically Linux namespaces and cgroups. These include:
- Kata Containers
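The namespaces and cgroups mentioned above are also what an incident responder reads to work out which container a process belongs to and how isolated it really is. The script below is an added example, not code from the article: it pulls a container ID out of `/proc/<pid>/cgroup` text in both the cgroup v1 (`N:controllers:/path`) and cgroup v2 (`0::/path`) layouts for the path shapes Docker, containerd and CRI-O write, and compares the namespace links under `/proc/<pid>/ns/` between two processes. All `/proc` contents below are constructed, and the helper names are this script's own.

```python
"""Map a process to its container via cgroup paths and compare namespaces.

Added example; the /proc samples are constructed and the helpers are this
script's own, not part of any container runtime.
"""
import os
import re

_HEX64 = r"[0-9a-f]{64}"
# Path shapes written by common runtimes into the cgroup hierarchy.
_PATTERNS = [
    ("docker", re.compile(r"/docker/(" + _HEX64 + ")")),
    ("docker", re.compile(r"docker-(" + _HEX64 + r")\.scope")),       # systemd cgroup driver
    ("containerd", re.compile(r"cri-containerd-(" + _HEX64 + r")\.scope")),
    ("cri-o", re.compile(r"crio-(" + _HEX64 + r")\.scope")),
]

# Constructed /proc/<pid>/cgroup contents.
HOST_CGROUP = "0::/init.scope\n"
DOCKER_CGROUP_V1 = (
    "12:pids:/docker/" + "a" * 64 + "\n"
    "11:memory:/docker/" + "a" * 64 + "\n"
    "1:name=systemd:/docker/" + "a" * 64 + "\n"
)
K8S_CGROUP_V2 = ("0::/kubepods.slice/kubepods-burstable.slice/"
                 "kubepods-burstable-pod00000000_0000_0000_0000_000000000000.slice/"
                 "cri-containerd-" + "b" * 64 + ".scope\n")

# Constructed readlink targets of /proc/<pid>/ns/* for three processes.
HOST_NS = {"pid": "pid:[4026531836]", "net": "net:[4026531992]",
           "mnt": "mnt:[4026531840]", "user": "user:[4026531837]"}
APP_NS = {"pid": "pid:[4026532500]", "net": "net:[4026532560]",
          "mnt": "mnt:[4026532498]", "user": "user:[4026531837]"}
SIDECAR_NS = {"pid": "pid:[4026532601]", "net": "net:[4026532560]",
              "mnt": "mnt:[4026532599]", "user": "user:[4026531837]"}


def container_id_from_cgroup(cgroup_text):
    """Return (runtime, container_id), or (None, None) for a host process."""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)          # hierarchy-ID : controllers : path
        if len(parts) != 3:
            continue
        path = parts[2]
        for runtime, pat in _PATTERNS:
            m = pat.search(path)
            if m:
                return runtime, m.group(1)
    return None, None


def shared_namespaces(ns_a, ns_b):
    """Namespaces whose inode is identical for both processes, i.e. not isolated."""
    return {n for n in ns_a if n in ns_b and ns_a[n] == ns_b[n]}


def read_namespaces(pid="self", proc="/proc"):
    """Read the live /proc/<pid>/ns links on a Linux host (not used by the test)."""
    ns_dir = os.path.join(proc, str(pid), "ns")
    return {name: os.readlink(os.path.join(ns_dir, name)) for name in os.listdir(ns_dir)}


if __name__ == "__main__":
    for label, text in (("host", HOST_CGROUP), ("docker", DOCKER_CGROUP_V1), ("k8s", K8S_CGROUP_V2)):
        print(label, container_id_from_cgroup(text))
    print("app shares with host:", shared_namespaces(APP_NS, HOST_NS))
    print("app shares with sidecar:", shared_namespaces(APP_NS, SIDECAR_NS))
```

The constructed namespace sets mirror two facts worth knowing when reading such data: a Docker container started with defaults keeps the host's user namespace, and containers in one Kubernetes pod share a network namespace, so "in a container" does not by itself mean fully isolated.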
What is Docker?
Developed in 2013, Docker is the industry-standard container platform for building, deploying and managing container-based applications, while making it easier to work with containers throughout the development lifecycle. Docker Engine allows you to build a containerized environment; it handles the interaction between the containers and the operating system or virtual machine on which they run. Docker Desktop includes tools to develop containers and Docker images, the packaged applications from which containers are run.
Is Docker a microservice?
Docker in itself is not a microservice, but it allows you to create and operate microservices, which are a key sub-component of containers. Another way to think of it: Microservices generally are incorporated within containers, and containers encapsulate the required infrastructure.
What is Kubernetes?
Kubernetes is a popular open source container management system, also known as a container orchestration platform, used to schedule, manage and scale containers. Kubernetes includes features to deploy containers to specific hosts, load balancing containers when traffic becomes heavy, restart containers when they fail and automatically roll back code in the event of a major incident.
In most environments, both the Docker and Kubernetes platforms coexist. Kubernetes typically relies on Docker to package and run containers, with Docker as the tool for building containers and Kubernetes as the platform for orchestrating them as a group. Kubernetes has gained popularity, increasingly displacing Docker’s orchestration tools, because it particularly excels at two things: scaling a large number of containers efficiently and ensuring high availability during operation.
Is Kubernetes a microservice?
Like Docker, Kubernetes is not a microservice, but it is instrumental in orchestrating microservice-containing containers.
What are Azure containers?
Azure is Microsoft’s cloud computing service, and Azure containers are container instances that run on the Microsoft platform. Microsoft’s simplest container system is Azure Container Instances (ACI), which is designed to let users run Docker container images on demand in a managed, serverless environment. Microsoft touts Azure Container Instances as being the fastest and simplest way to deploy containers in Azure when orchestration is not required. You can use the more full-featured Azure Kubernetes Service (AKS) for complex applications that require multiple containers, scaling and coordinated upgrades.
What is Amazon ECR?
Like Microsoft, Amazon has multiple container-oriented offerings, the simplest of which is Amazon Elastic Container Registry (ECR), a managed Docker system that gives developers an environment for storing, deploying and managing their Docker images. Container images are stored on Amazon’s S3 storage infrastructure, and data is automatically encrypted and backed up to multiple locations. ECR also supports identity and access management for more complex development environments. Amazon ECR is by default designed to integrate with Amazon ECS, which we’ll discuss in the next section.
What is Amazon ECS?
Amazon Elastic Container Service (ECS) is an orchestration system similar to Kubernetes, except that ECS is proprietary and unique to Amazon. While Amazon ECR is used to store, encrypt and manage container images, Amazon ECS is for running those containerized applications. Amazon developed ECS to integrate tightly with other AWS services and it’s generally considered to be simpler and cheaper to use than Amazon EKS (see below). ECS is often a natural container orchestration choice for long-term AWS users who have already built out their own scaling functions and who don’t mind being locked into the proprietary platform.
What is Amazon EKS?
Amazon Elastic Kubernetes Service (EKS) is Amazon’s cloud-based Kubernetes offering for container orchestration. It’s similar to ECS, except that instead of using Amazon’s proprietary service, EKS users have full access to an open source Kubernetes platform running on their own servers or on another cloud service. Many Amazon customers have adopted EKS in order to avoid vendor lock-in that would prevent them from migrating their containers to other services. EKS also offers higher-end features than ECS, including the ability to support a significantly larger number of container images, although these capabilities are more expensive and require more effort to manage, configure and secure.
Users considering Amazon EKS and ECS will need to choose one or the other, not both.
What is AWS Fargate?
AWS Fargate is a serverless compute engine for containers, a true Container-as-a-Service system that lets users deploy containers without regard for the underlying server platform. It works with both Amazon ECS and Amazon EKS, and removes the need for the user to provision and manage servers in these environments. Instead, Fargate lets users pay as they go for server resources, so they can scale a container environment seamlessly. In fact, Fargate is designed to eliminate the need for server management altogether, including patching, scaling and sizing machines. In other words, it turns your virtual machines into a monolithic pool of resources that you can use without having to worry about capacity management or other server-side issues.
What is Amazon EC2?
Amazon Elastic Compute Cloud (EC2), a more common alternative to Fargate, is a popular cloud-based model for running containers and other applications on AWS. EC2 is more accurately described as Infrastructure-as-a-Service because it’s not specifically built around the provision of container services (though it’s commonly used that way). EC2, which has been around for more than 14 years, is known for its massive user base, including Amazon’s own retail website, which was migrated to EC2 in 2010. As one of the most widespread and mature cloud computing platforms in the industry today, EC2 use cases are endlessly variable. As such, it makes for a natural platform for operating just about any type of container or virtual machine environment.
What is AWS App2Container?
AWS App2Container (sometimes written as A2C) is a tool that developers can use to containerize existing applications and prepare them for use with Amazon’s cloud-based container services. The goal with App2Container is to help users move away from traditional, monolithic, server-based workloads without having to rewrite their code from scratch. App2Container is a command-line tool that automates this conversion (also known as refactoring), working with .NET and Java applications. A2C is available free of charge to AWS users.
What is AWS Copilot?
AWS Copilot is a command line tool that allows AWS users to launch and manage their containerized applications on the ECS and Fargate platforms. With it, users can automate the creation of their container infrastructure and its dependencies when launching a containerized application. A Copilot user creates code that defines a series of actions to deploy a production environment and launch containers on AWS, and the tool handles details such as load balancing, stateful data storage and other components in the background.
The move from traditional software and virtual machines to containers is well underway. Grand View Research valued the container market at $1.5 billion in 2018 and estimated the industry would see a growth rate of 26.5% through 2025. Allied Market Research estimated an even more aggressive growth rate of 31.8% over that same time period, and expects container technology to hit $8.2 billion in value by 2025.
If your application architecture hasn’t made the move to containers already, it’s critical to get started soon. The good news is that cloud service providers are actively helping customers make this shift by offering tools and tutorials that ease container development, deployment and conversion. While container technology may never fully supplant virtual machines, every enterprise will need to invest in container technology in the near future to optimize their environment and maintain a competitive edge.