Container vs virtual machine architecture

Containers and Virtual Machines (VMs) are both technologies used to isolate applications and their dependencies, but they differ fundamentally in their architecture and resource management.

Virtual Machine Architecture

A Virtual Machine is primarily constructed and managed by a Hypervisor^[400-devops-06-kubernetes-k8s-paas-docker.md]. The Hypervisor utilizes hardware virtualization to simulate the hardware required to run an operating system, such as CPU, memory, and I/O devices^[400-devops-06-kubernetes-k8s-paas-docker.md]. On this virtualized hardware, a complete Guest OS is installed before the user's application process can run^[400-devops-06-kubernetes-k8s-paas-docker.md].

This architecture necessitates that every virtual machine contains a full operating system kernel, which typically consumes 100–200 MB of memory just for the OS itself^[400-devops-06-kubernetes-k8s-paas-docker.md]. This results in significant resource overhead and slower startup times compared to containers.

Container Architecture

In contrast to the "virtual machine" model, a container neither emulates hardware nor runs a separate Guest OS^[400-devops-06-kubernetes-k8s-paas-docker.md]. From an architectural perspective, a container is simply a specially configured process on the host operating system^[400-devops-06-kubernetes-k8s-paas-docker.md].

The container engine (e.g., Docker Engine) acts as a manager or auxiliary tool, but the responsibility for isolation falls entirely upon the Host OS kernel^[400-devops-06-kubernetes-k8s-paas-docker.md]. Application processes running inside a container are directly managed by the Host OS, just like any other native process, but they are constrained and modified by two key Linux kernel features:

  1. Namespaces: Restrict what the process can see (e.g., a PID namespace in which the container's first process appears as PID 1).^[400-devops-06-kubernetes-k8s-paas-docker.md]
  2. Cgroups (Control Groups): Enforce resource limits (e.g., CPU, memory) on the process.^[400-devops-06-kubernetes-k8s-paas-docker.md]

Because containers share the Host OS kernel and do not require a full OS installation, they are significantly more lightweight than VMs^[400-devops-06-kubernetes-k8s-paas-docker.md].
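Since a container is just a host process whose view is restricted by namespaces, a defender can verify that isolation directly: on Linux, `/proc/<pid>/ns/<type>` is a symlink whose target (`pid:[4026531836]`) names the namespace inode, and two processes with the same inode share that namespace. The following script is an added example, not code from the page's source; the inode values in it are constructed sample data, and the "user" namespace type is an assumption beyond the two features the text names.

```python
"""Check whether a process is namespace-isolated from the host (Linux).

Each entry in /proc/<pid>/ns/ is a symlink whose target has the form
'<type>:[<inode>]'.  Two processes with the same inode for a namespace
type share that namespace, i.e. they are NOT isolated in that dimension.
"""
import os
import re
from typing import Dict, List

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")
_NS_LINK = re.compile(r"^([a-z_]+):\[(\d+)\]$")


def parse_ns_link(target: str) -> int:
    """Return the inode number from a target such as 'mnt:[4026532250]'."""
    match = _NS_LINK.match(target.strip())
    if match is None:
        raise ValueError(f"not a namespace link target: {target!r}")
    return int(match.group(2))


def read_namespaces(pid: int) -> Dict[str, int]:
    """Read the namespace inodes of a live process from /proc (Linux only).

    Reading another process's ns links needs ptrace-level access, so on a
    denied entry the type is simply left out of the result."""
    inodes: Dict[str, int] = {}
    for ns in NS_TYPES:
        try:
            inodes[ns] = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{ns}"))
        except OSError:
            pass  # kernel lacks this namespace type or access is denied
    return inodes


def shared_namespaces(proc: Dict[str, int], host: Dict[str, int]) -> List[str]:
    """Namespace types in which `proc` shares the host's namespace."""
    return sorted(ns for ns in proc if host.get(ns) == proc[ns])


# Constructed sample data (not from a real host): PID 1 on the host and a
# container process started with --pid=host, so it has its own mnt/net/uts/
# ipc/cgroup namespaces but stays in the host's pid and user namespaces.
HOST_INIT = {"cgroup": 4026531835, "ipc": 4026531839, "mnt": 4026531840,
             "net": 4026531992, "pid": 4026531836, "user": 4026531837,
             "uts": 4026531838}
CONTAINER_PROC = {"cgroup": 4026532340, "ipc": 4026532338, "mnt": 4026532336,
                  "net": 4026532341, "pid": 4026531836, "user": 4026531837,
                  "uts": 4026532337}

if __name__ == "__main__":
    print("shared with host:", shared_namespaces(CONTAINER_PROC, HOST_INIT))
    if os.path.isdir("/proc/1/ns"):  # live check of this process vs. PID 1
        print("self shares:", shared_namespaces(read_namespaces(os.getpid()),
                                               read_namespaces(1)))
```

Run inside a container as root to see which of the host's namespaces the container still shares; any entry besides "user" indicates an isolation dimension that was given up at launch.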

File System Isolation: Rootfs vs. Disk Image

While Virtual Machines rely on a full disk image containing the OS, Containers use a rootfs (root file system).^[400-devops-06-kubernetes-k8s-paas-docker.md]

  • Virtual Machine: Isolation involves a distinct file system managed by the Guest OS.
  • Container: The container engine mounts a specific directory structure (rootfs) as the container's root directory (chroot, "change root").^[400-devops-06-kubernetes-k8s-paas-docker.md] This provides the process with an isolated execution environment without the overhead of a separate OS kernel.

Docker optimizes this through Union Mounts (e.g., AuFS), allowing rootfs to be composed of multiple, read-only layers^[400-devops-06-kubernetes-k8s-paas-docker.md]. This layering enables "consistency" between development and production environments, as the exact same file system layers can be deployed across different hosts^[400-devops-06-kubernetes-k8s-paas-docker.md].

Sources

  • 400-devops-06-kubernetes-k8s-paas-docker.md