[Answer] What’s the Difference Between Container Virtualization and Traditional Virtualization, and How Should You Choose?
1. The Difference Between Virtual Machines (VMs) and Containers
VMs and containers are both virtualization technologies used to provide independent and portable computing environments for applications and services:
- A VM simulates an entire computer, including virtualized hardware, the operating system, user mode, and its own kernel mode. VMs are highly flexible and can provide broad support for applications; however, they are often relatively large and consume more host resources.
- A container is built on top of the host operating system kernel and packages isolated user-mode processes for an application. Sharing the kernel is what makes containers lightweight and fast to start.
2. Similarities and Differences Between VMs and Containers
The table below summarizes the similarities and differences between VMs and containers in terms of functionality. Containers are often provisioned inside highly optimized VMs to provide enhanced isolation and security.
3. Advantages of Containers
In summary, containers offer the following advantages:
- They require fewer resources than VMs, because no second kernel or virtualized hardware has to be run per instance.
- They start quickly. Container startup time is roughly equivalent to the time required to launch a new process.
- They improve server density. Compared with VMs, containers make more efficient use of available hardware memory, disk, and CPU resources. This reduces idle servers and improves utilization of existing compute resources. This is especially important for cloud providers and users, as it helps lower costs.
The diagram below compares isolation and efficiency among physical computers, VMs, containers, and processes:
- Physical computers provide the highest level of isolation. Isolation decreases in the order of VMs, containers, and processes.
- Processes provide the highest efficiency and therefore potentially the greatest density. Efficiency decreases in the order of containers, VMs, and physical computers.
- The kernel and system resources (such as the file system) may be shared:
  - VMs share only hardware.
  - Containers share hardware and the kernel (except Windows Hyper-V containers, which do not share the kernel).
  - Processes share hardware, the kernel, and system resources.
  - Physical computers share nothing.
For persistent storage, you can use a bind mount to mount a location from the local machine into the container. Files in that location persist across container restarts and can be shared among multiple containers on the same machine. If a container must run across multiple machines while accessing the same files, use a named volume or an SMB mount instead.
Do not bind mount sensitive directories (such as C:\) into untrusted containers. Doing so may allow an untrusted container to modify files on the host that it would not normally be able to access, creating potential security vulnerabilities.
4. Choosing Between VMs and Containers
4.1 When to Choose a VM
Use a VM in the following cases:
- You need to manage multiple operating systems.
- You need to run an application that requires all the resources and services of a full OS, such as a graphical user interface (GUI).
- You need an environment where changes can be preserved persistently.
- You need complete isolation and security.
4.2 When to Choose a Container
Use a container in the following cases:
- You need a lightweight application package that starts quickly.
- You need to deploy multiple instances of a single application.
- You need to run non-persistent applications or processes on demand.
- You need to deploy applications that can run on any underlying infrastructure.
5. Isolation Modes for Windows Containers
Docker containers were originally only able to run on Linux and macOS, and support on Windows was not very stable. However, support for Docker has been significantly improved in newer versions such as Windows 10 Pro and Windows Server 2019, making it suitable for production scenarios. On Windows Server, Docker containers can run in two modes: Windows Server process isolation and Hyper-V isolation. These two isolation modes also correspond to the default modes used by the first and second generations of WSL (Windows Subsystem for Linux).
5.1 Process Isolation Mode for Windows Server Containers
As the traditional isolation mode for Windows Server containers, process isolation allows multiple container instances to run simultaneously on the host. In this mode, containers share the same kernel with each other and with the host OS. Each provisioned container has its own user mode, allowing Windows and application processes to run independently from other containers. When Windows containers are configured to use process isolation, multiple applications can run in isolation on the same machine, but this mode does not provide security-hardened isolation.
Docker is a collection of open-source tools, solutions, and cloud-based services that provide a common model for packaging application code into standardized units for software development (containerization). When a new container is started, Docker asks the compute service to create it from an image, and on Windows Server each such request becomes a Windows Server container. Every Windows container runs the same set of system processes; what distinguishes one container from another is its own application processes, for example a Microsoft Internet Information Services (IIS) or SQL Server process running inside the container.
5.2 Hyper-V Isolation Mode for Hyper-V Containers
When containers share a kernel and memory, a vulnerability in the Windows OS could allow an application to escape its sandbox and unintentionally perform malicious actions. To avoid this, Windows provides a more secure way to run containers, known as Hyper-V isolation mode, sometimes also called Hyper-V containers.
In Hyper-V isolation mode, each container runs inside a highly optimized VM. One advantage of Hyper-V isolation is that each container effectively has its own kernel, providing an enhanced level of stability and security. The VM adds an extra hardware-level layer of isolation between each container and the host. At deployment time, containers using Hyper-V isolation can start within seconds, which is still much faster than a full VM running a complete Windows OS. On Windows Server, Windows-based containers use process isolation by default. On Windows 10 Pro and Enterprise, Windows-based containers use Hyper-V isolation by default.
The diagram below compares the architecture of Windows Server containers and Hyper-V containers, as well as their two isolation modes. It shows that the host Windows kernel is shared by host user mode and Windows Server containers. Running on top of this shared kernel is a virtual machine containing a Hyper-V container. The Hyper-V container has its own Windows kernel, which is not shared.
Process isolation mode on Windows 10 is intended only for development and testing. Starting with the Windows 10 October 2018 Update, users running Windows 10 Pro or Enterprise can run Windows containers in process isolation mode. Users must explicitly request process isolation using the --isolation=process parameter. The host must be running Windows 10 build 17763 or later, and Docker version 18.09 or later must be installed.
Because Windows Server containers and the host operating system share the same kernel, you must ensure that the host version matches the container image version tag. Otherwise, the container may fail to start or exhibit undefined behavior.
5.3 Specifying Isolation Mode with Docker Commands
When creating a container with Docker, you can use the --isolation parameter to specify the isolation mode, either process isolation or Hyper-V isolation. Use the following commands to create a container with process isolation or Hyper-V isolation:
docker run -it --isolation=process mcr.microsoft.com/windows/servercore:ltsc2019 cmd
docker run -it --isolation=hyperv mcr.microsoft.com/windows/servercore:ltsc2019 cmd
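As an added example (not part of the original answer), the PowerShell script below applies the rule from sections 5.2 and 5.3: it compares the host kernel build with the image's OsVersion, chooses --isolation=process only when they match and otherwise falls back to hyperv, then uses docker inspect to confirm which mode the daemon actually applied. The image and container names are placeholders; it assumes a Windows host with Docker Engine installed.

```powershell
# Added example, not code from the original answer or from Microsoft/Docker.
# Placeholders: $Image and $Name are assumed values, replace them as needed.
param(
    [string]$Image = 'mcr.microsoft.com/windows/servercore:ltsc2019',
    [string]$Name  = 'isolation-check'
)

# Host kernel build, e.g. 17763 for Windows Server 2019 / Windows 10 1809.
$hostBuild = [Environment]::OSVersion.Version.Build

# Windows images record the kernel build they were built for in OsVersion,
# e.g. "10.0.17763.1234"; the third component is the build number.
docker image pull $Image | Out-Null
$imageOsVersion = (docker image inspect --format '{{.OsVersion}}' $Image).Trim()
if (-not $imageOsVersion) { throw "Image $Image has no OsVersion (not a Windows image?)" }
$imageBuild = [int]($imageOsVersion -split '\.')[2]

# Process isolation shares the host kernel, so the builds must match.
# Otherwise use Hyper-V isolation, which gives the container its own kernel.
if ($imageBuild -eq $hostBuild) {
    $isolation = 'process'
} else {
    Write-Warning "Image build $imageBuild differs from host build $hostBuild; using Hyper-V isolation"
    $isolation = 'hyperv'
}

# 'ver' prints the kernel version seen inside the container: with process
# isolation it is the host's, with Hyper-V isolation it is the image's own.
Write-Host "Starting $Name with --isolation=$isolation"
docker run --name $Name "--isolation=$isolation" $Image cmd /c ver

# Verify the mode the daemon applied; HostConfig.Isolation is '', 'default',
# 'process' or 'hyperv'. docker inspect works on the exited container too.
$applied = (docker inspect --format '{{.HostConfig.Isolation}}' $Name).Trim()
if ($applied -ne $isolation) {
    Write-Warning "Requested $isolation but daemon reports '$applied'"
} else {
    Write-Host "Isolation confirmed: $applied"
}

docker rm -f $Name | Out-Null
```

On Windows 10 Pro or Enterprise the process path additionally requires build 17763 or later and Docker 18.09 or later, as stated above; the script does not relax that requirement.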