
Difference between container technology and virtualization technology

Containerization technology and virtualization technology are both used to isolate applications from underlying infrastructure. They both have advantages such as improving resource utilization, simplifying application deployment and management, etc. The main difference between the two is that virtualization technology virtualizes at the hardware level, while containerization technology virtualizes at the operating system level. Virtualization technology achieves virtualization by creating a virtual machine (VM). A VM is a software program that simulates a physical computer. The VM has its own operating system, CPU, memory, storage, and network resources. Containerization technology achieves virtualization by creating a container. A container is a lightweight virtualized environment that shares the host's operating system kernel. Containers contain application code, runtime environments, dependencies, etc.

Architecture Analysis

Virtualization technology decouples virtual machines from the underlying hardware through a hypervisor, and the virtual machines depend on that hypervisor layer. The hypervisor, also known as a virtual machine monitor (VMM), is an intermediate software layer that runs between the physical server and the guest operating systems. It allows multiple operating systems and applications to share the hardware. The hypervisor emulates machine hardware resources, arbitrates the virtual machines' access to those resources, and provides isolation between virtual machines. Each virtual machine includes the application being executed, the binaries and libraries it depends on, and a complete operating system. Once a virtual machine is running, all the resources allocated to it are held by that virtual machine.
Containers, on the other hand, differ from virtual machines: a container holds only the application and the libraries it depends on, and provides an isolated runtime environment for that application. All containers share the host's operating system kernel. The core of container technology is therefore how to limit the resources a container may use and how to isolate containers from one another, which on Linux is built on the kernel's Namespace and CGroups mechanisms.

A Namespace wraps a global system resource so that the processes inside the namespace appear to have their own isolated instance of that resource.
The Linux kernel implements six types of Namespaces: Mount, UTS, IPC, PID, Network and User namespaces. Respectively, they isolate the file system mount points, the hostname and domain name, inter-process communication resources, the process ID space, the network devices and stack, and the user and group ID spaces.
Taking Docker, the best-known containerization technology, as an example: when Docker creates a container it creates an instance of each of these six Namespaces and places the container's system resources inside them, so that each container can only see its own independent view of the system.
Docker uses CGroups for resource limiting. CGroups (Control Groups) is another mechanism provided by the Linux kernel. Its main function is to limit, account for, and isolate the physical resources used by groups of processes, such as CPU, memory, I/O and network. In simple terms, when a process is placed in a CGroup the kernel attaches a hook to it; the hook fires whenever the process consumes the controlled resource and restricts usage according to the resource category (CPU, memory, I/O, etc.), each category having its own method of enforcement.
CGroups uses the term subsystem for a resource scheduling controller: the CPU subsystem is responsible for allocating CPU time, the memory subsystem for memory usage, and so on. After Docker starts a container it creates a directory named after the container ID under /sys/fs/cgroup. That directory contains the CGroups control files, and Docker writes the container's limits into them so that CGroups enforces the container's resource usage.
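As an added example (written for this post, not Docker's or the kernel's own code), the Python below audits the two primitives just described from a defender's side: it compares a container's namespace inodes against the host's to report which namespaces are actually shared rather than isolated, and it parses the cgroup v2 limit files (cpu.max, memory.max) found in a container's cgroup directory. The /proc/<pid>/ns link format and the cgroup v2 file formats are real kernel interfaces; the inode numbers and limit values below are constructed sample data.

```python
"""Audit helpers for the isolation primitives described above (added example)."""
import os
import re

# The six namespace kinds the post lists, as they are named under /proc/<pid>/ns/.
NAMESPACES = ("mnt", "uts", "ipc", "pid", "net", "user")

def read_ns_links(pid="self"):
    """Read live namespace links for a process; needs a Linux /proc."""
    return {ns: os.readlink(f"/proc/{pid}/ns/{ns}") for ns in NAMESPACES}

def parse_ns_links(links):
    """Map namespace name -> inode from readlink targets like 'pid:[4026531836]'."""
    out = {}
    for name, target in links.items():
        m = re.fullmatch(r"(\w+):\[(\d+)\]", target)
        if m:
            out[name] = int(m.group(2))
    return out

def shared_namespaces(host, container):
    """Namespaces whose inode is identical on both sides, i.e. NOT isolated."""
    h, c = parse_ns_links(host), parse_ns_links(container)
    return sorted(ns for ns in NAMESPACES if ns in h and ns in c and h[ns] == c[ns])

def parse_cpu_max(text):
    """cgroup v2 cpu.max: '<quota> <period>' in microseconds, quota 'max' = unlimited.
    Returns the limit in CPU cores, or None if unlimited."""
    quota, period = text.split()
    return None if quota == "max" else int(quota) / int(period)

def parse_memory_max(text):
    """cgroup v2 memory.max: a byte count or 'max'. Returns MiB, or None if unlimited."""
    text = text.strip()
    return None if text == "max" else int(text) / (1024 * 1024)

# Constructed sample data, not captured from a real host.
HOST_NS = {ns: f"{ns}:[40265318{30 + i}]" for i, ns in enumerate(NAMESPACES)}
# Container with private mnt/uts/ipc/pid namespaces but the host's net and user
# namespaces: what `docker run --network=host` yields without user remapping.
CONTAINER_NS = dict(HOST_NS, mnt="mnt:[4026532201]", uts="uts:[4026532202]",
                    ipc="ipc:[4026532203]", pid="pid:[4026532204]")

if __name__ == "__main__":
    print("shared with host:", shared_namespaces(HOST_NS, CONTAINER_NS))  # ['net', 'user']
    print("cpu cores:", parse_cpu_max("50000 100000"))                     # 0.5
    print("memory MiB:", parse_memory_max("536870912\n"))                  # 512.0
```

On a live host, `read_ns_links(1)` and `read_ns_links(<container pid>)` give real inputs for `shared_namespaces`; an empty result means all six namespaces are private to the container.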

Isolation Aspect

Virtualization technology creates complete virtual machines on physical hardware through virtual machine managers (such as VMware or KVM). Each virtual machine has its own operating system and applications, achieving full isolation at the hardware level, but with higher management complexity. Containerization technology (such as Docker), on the other hand, isolates at the operating system level, with multiple containers sharing the same host's operating system and kernel, but running independent applications and services. It provides a lightweight and efficient way to package applications, making it more suitable for rapid deployment and management.

Performance Overhead and Resource Dedication

Since containers do not require an additional operating system to be loaded, they have fast startup speeds and low resource consumption, making containerization technology superior to traditional virtualization technology in terms of performance overhead. Each virtual machine in virtualization technology requires running a complete operating system, which results in higher resource usage and startup time, and may also lead to resource waste.

Use Cases

Virtualization technology is suitable for scenarios that require high isolation and security, such as data centers, cloud computing, and server hosting. Containerization technology, on the other hand, is more suitable for lightweight, rapid development and deployment of applications, such as web servers, microservices architecture, continuous integration/continuous deployment (CI/CD), etc. Due to its lightweight, fast startup, and portability, containerization technology is very popular in modern DevOps practices.

Management and Monitoring

The management and monitoring of virtual machines are usually handled by dedicated tools and platforms (such as OpenStack), which provide rich management and monitoring functions. The management and monitoring of containerization technology can be achieved through container orchestration tools (such as Kubernetes), which are designed specifically for containerized workloads and provide automation for deployment, scaling, and operation.

Virtualization technology provides stronger isolation and broader operating system support, making it suitable for scenarios that require high isolation and specific operating system environments. Containerization technology, with its lightweight, fast, and consistent characteristics, is more suitable for modern cloud environments and microservices architecture. As technology develops, these two technologies are constantly merging and optimizing. In actual deployments, a combination of both technologies is often used, running multiple containers in a virtual machine. This ensures good isolation and security, as well as scalability, flexibility, and ease of use.
