Blurred Lines: Containers and Virtual Machines

< Back to all Blog Posts

Recent Articles

OpenStack in 2019: Steady Progress and New Directions
by Curtis Collicutt on May 28, 2019

Predictions for Edge Computing in 2019
by Curtis Collicutt on March 12, 2019

Kubernetes Persistent Volumes with NetApp Trident
by Curtis Collicutt on February 11, 2019

Layer 1 SFC with BigSwitch
by Curtis Collicutt on February 4, 2019

100,000 Carrier Clouds Coming Online
by Curtis Collicutt on January 28, 2019


5G 2019 BigSwitch Cloud Computing Edge Computing Infrastructure IoT Kata Containers Kubernetes NetApp NFV OpenDev Open Infrastructure Summit Open source OpenStack OpenStack Summit Public Cloud SDN SFC Solidfire StarlingX Storage Strategy zuul
August 6th, 2018
Written by Curtis Collicutt
Tagged in

We know that containers are an important new technology (well, at least Linux containers are, there have been similar technologies in existence for some time). Docker based containers, still heavily utilized even in Kubernetes, build on Linux technologies such as cgroups and network namespaces to achieve isolation. However, other technologies can be “plugged in.” We can replace a “Linux container” with any number of technologies that do similar things, including systems that boot virtual machines, such as the OpenStack Foundation’s new technology, Kata Containers.

Thus, if an organization has a specific need for virtual machines, or prefers the isolation they provide, it is quite possible to use them instead of containers, while still using an app image based workflow, as well as a powerful container orchestration engine such as Kubernetes.

Recently James Bottomley, a Distinguished Engineer with IBM research, created the Horizontal Attack Profile (HAP) in an attempt to compare the security of various container runtimes.

One of the biggest problems with the current debate about Container vs Hypervisor security is that no-one has actually developed a way of measuring security, so the debate is all in qualitative terms (hypervisors ‘feel’ more secure than containers because of the interface breadth) but no-one actually has done a quantitative comparison.

Bottomley applies HAP to several container and container like technologies, the list of which is long but not exhaustive: Docker, gvisor, gvisor-kvm, the aforementioned Kata containers, and a new entry from IBM, Nabla containers.

While containers are not new, the industries overall desire to use them is. WIth that desire comes new isolation technologies, thereby blurring the lines between technologies like Docker containers and virtual machines, so much so that we are creating new ways of quantifying their security.