The debate over using containers versus virtual machines (VMs) on the network has been ongoing for quite some time. Everyone has their own perspective and opinion—some advocate for containers, others for VMs, and some even support container-on-VM setups. This article will explore both sides of the argument, comparing containers vs VMs and discussing the appropriate use cases for each.
Container
Over the past five years, containers have rapidly gained popularity, largely due to their lightweight nature and fast deployment capabilities. Unlike traditional VMs that virtualize the entire hardware layer and install an operating system on top, containers use cgroups and namespaces to isolate resources from the host OS, and some even refer to them as operating system-level virtualization. Containers share the host's kernel and only include their own binaries and libraries, making them significantly faster than VMs in terms of image size and startup speed.
Advantages of Containers:
- Image size: Small, because it shares the host kernel and only needs to provide essential OS components and libraries.
- Speed: Deployment is fast—typically just a few seconds to launch a container.
- Portability: Under the correct kernel, containers can be easily moved across different hosts or environments.
- CI/CD: Due to their portability and speed, containers are far easier to set up in CI/CD pipelines than VMs.
- Update management: Updating a container only requires using a new image to restart it.
Issues to Consider:
- Security: Sharing the host kernel gives weaker isolation than a fully virtualized system; a kernel vulnerability reachable from one container affects the host and every other container on it.
- No OS selection flexibility: Because containers share the host kernel, it’s not possible to run different kernels in each container.
- Complex networking: Containers are typically deployed as microservices, leading to more complex network connections between components.
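The section above describes containers as processes that share the host kernel and are separated only by namespaces and cgroups. The following script, added here as an example and not part of the original article, makes that concrete: it reads the namespace identifiers of the current process from /proc, compares them with those of PID 1, and parses the cgroup membership file in both the v1 and v2 formats. The kernel release it reports is the same inside and outside a container, which is exactly the property the security note refers to. The sample /proc/self/cgroup contents at the bottom are constructed for illustration (the container ids are not real); the function and variable names are the example's own.

```python
"""Inspect the Linux primitives that make a container a container.

A container is an ordinary process on the shared host kernel. What isolates
it is (1) the set of namespaces its processes live in and (2) the cgroup it
is accounted to. Everything here is read from /proc, which is how tools such
as container-detection scripts and incident responders check the same facts.
"""
import os
import platform

NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def read_namespaces(pid="self"):
    """Return {kind: 'kind:[inode]'} for /proc/<pid>/ns/*.

    Two processes are in the same namespace of a kind exactly when the inode
    numbers match, so comparing these strings is a valid equality test."""
    result = {}
    for kind in NS_KINDS:
        try:
            result[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:
            # Missing on old kernels, or EACCES when <pid> belongs to another user.
            pass
    return result


def differing_namespaces(ns_a, ns_b):
    """Namespace kinds present in both maps whose inode numbers differ."""
    return sorted(k for k in ns_a if k in ns_b and ns_a[k] != ns_b[k])


def parse_cgroup(text):
    """Parse /proc/<pid>/cgroup into {controller: path}.

    cgroup v1 has one line per hierarchy, e.g. '12:memory:/docker/<id>' or
    '11:cpu,cpuacct:/docker/<id>'; cgroup v2 has a single line '0::/path',
    stored under the key 'v2'. Lines that do not fit the format are skipped."""
    result = {}
    for line in text.splitlines():
        parts = line.split(":", 2)  # the path itself may contain ':'
        if len(parts) != 3:
            continue
        _hierarchy, controllers, path = parts
        for ctrl in (controllers.split(",") if controllers else ["v2"]):
            result[ctrl] = path
    return result


def parse_memory_max(text):
    """Interpret a cgroup v2 memory.max value: None means unlimited, else bytes."""
    value = text.strip()
    return None if value == "max" else int(value)


def describe_process():
    """Live report for the current process (Linux only).

    The kernel release is identical inside and outside a container because
    the kernel is shared; only the namespace and cgroup membership differ."""
    ns_self = read_namespaces("self")
    ns_init = read_namespaces("1")
    with open("/proc/self/cgroup") as fh:
        cgroups = parse_cgroup(fh.read())
    return {
        "kernel": platform.release(),
        "namespaces_unlike_pid1": differing_namespaces(ns_self, ns_init),
        "cgroups": cgroups,
    }


# Constructed sample of /proc/self/cgroup for a process inside a Docker
# container on a cgroup v1 host (container id shortened and not real).
SAMPLE_CGROUP_V1 = """12:memory:/docker/0123abcd
11:cpu,cpuacct:/docker/0123abcd
1:name=systemd:/docker/0123abcd
"""
# The same process on a cgroup v2 host: one unified hierarchy line.
SAMPLE_CGROUP_V2 = "0::/system.slice/docker-0123abcd.scope\n"

if __name__ == "__main__":
    print("v1 sample:", parse_cgroup(SAMPLE_CGROUP_V1))
    print("v2 sample:", parse_cgroup(SAMPLE_CGROUP_V2))
    print("this process:", describe_process())
```

Run it once on the host and once inside a container on the same machine: the `kernel` field will match, while `namespaces_unlike_pid1` is empty on the host (PID 1 is the system init, in the same namespaces) and lists the separated kinds when called from a process that is not in the container's own namespaces. Reading /proc/1/ns as an unprivileged user may fail with EACCES, which the script tolerates by simply omitting those entries.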
VM
VMs are comparatively older and more mature technologies. VMs virtualize the entire hardware layer and install an operating system on top, making them function like independent systems.
Advantages of VMs:
- Full system virtualization: This makes VMs function nearly identically to bare metal servers, enabling more intuitive and direct operations.
- No need to refactor application code: Since VMs operate similarly to bare metal servers, there’s no need to extensively modify application architecture.
- Security: Since the entire hardware layer is virtualized, security is significantly better than for containers.
- OS selection flexibility: VMs allow free choice of different operating systems.
Drawbacks:
- Size: VM images are very large, typically several GB or more.
- Boot speed: VMs may take several minutes to boot, which is not ideal for environments requiring fast provisioning.
- Running speed: VMs require virtualization of hardware layers, so performance is relatively lower compared to bare metal servers.
Use case
Container
Before using bare-metal containers, you should first assess the following conditions:
- Applications have already been microservices-architected: Using containers according to best practices requires adopting a microservices architecture.
- Running trusted code: If running trusted code, various kernel vulnerabilities can be avoided.
- Complete bare metal deployment automation available: Containers still need to run on bare metal servers with an OS, so a complete bare metal provisioning system is required.
- No special networking requirements: In current container orchestration engines such as Kubernetes, support for special networking features (for example, multiple network adapters per workload) is constrained by what the CNI spec allows and is not yet very robust.
Bare-metal provisioning has recently seen rapid progress within OpenStack, and the newly released Rocky version of Ironic has added many more practical features. For those interested, it's worth exploring (see: What You Need to Know About the OpenStack Rocky Release).
Virtual Machine
VMs require different considerations compared to containers, depending on the specific use case.
- Applications do not need fast scale-out: VMs take longer to provision than containers, so in cases requiring fast scaling due to load spikes, containers perform better.
- Running untrusted code: Running untrusted code is recommended on VMs, which provide stronger isolation. This is also why public cloud providers still run on a VM layer: the provider cannot verify what code its users are running on the platform.
- Hard multi-tenancy required: Hard multi-tenancy has not yet been implemented on container orchestration engines.
- Special networking requirements: VMs offer more mature support for advanced use cases like hot-plugging new network cards, multi-adapter cards, etc.
Currently, the main use cases for VMs still remain in legacy applications and public cloud environments. The former is because applications are not built on a microservices architecture, so using containers offers little benefit. The latter is due to user requirements for isolation and security, which make VMs a preferred choice.
Somewhere in the Middle
Kata Containers
Kata Containers is an open-source initiative launched at the beginning of last year, aiming to provide lightweight and fast VM-based containers. Unlike standard containers that use namespaces for isolation, Kata places each container inside a lightweight VM to enhance security, hoping to achieve a balance between speed and security.
Kata Containers provide lightweight virtual machines (VMs) that offer strong isolation, enabling execution of untrusted code while still achieving near-container performance. It's a solution that bridges the gap between VMs and containers. Although no large-scale use cases have been widely adopted in the community yet, it remains a promising candidate worth exploring and testing across various different environments.
Conclusion
Today, VMs still serve as the foundation for infrastructure, while containers act as the foundation for applications. Both VMs and containers have their appropriate use cases, and currently, they coexist and can be used complementarily.
Ultimately, there is no single best solution—only the most suitable approach for a given application. Choosing the right solution based on your specific use case is the correct way forward. Don't follow global trends blindly; don't simply copy what others are doing.
Reference
- Kata Containers
- To containerize or not to containerize, that is the question, or Containers vs VMs: the eternal debate
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stated otherwise.