Sunday, November 12, 2017

How Containers are more lightweight than Virtual Machines

Docker containers share the host’s kernel, network stack, and filesystem drivers, and generally don’t run complex services like systemd or CPU'S or sshd; they only run the packaged application.

A VM generally has a virtualized network setup and disk and runs a full-blown operating system, on top of the OS the host is already running.

What’s hard to do in Docker?

A container doesn’t actually have a NIC, doesn’t run a DHCP client, and can’t (easily) run low-level network protocol software. Docker “borrows” the host’s iptables for its own use, so applying very specific network policy per container gets tricky. Host storage is shared across all containers, and you can’t readily assign a storage quota to a single container.

In a VM there is a (virtual) NIC, and a DHCP client, and a firewall inside the VM, and so on.
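Because Docker programs the host’s iptables, the place to see what a container actually exposes is the host, not the container. As an added example (not code from the original post), the script below audits a constructed `iptables -S` snapshot shaped like Docker’s default bridge rules: it lists the container ports Docker opened in its DOCKER chain and checks whether the DOCKER-USER chain, where an administrator’s own policy belongs, holds anything beyond the default RETURN.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `iptables -S` output on a host with two containers
# publishing ports; shape follows Docker's default bridge networking,
# addresses and ports are made up for this example.
SAMPLE_RULES = """\
-P FORWARD DROP
-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER-USER -j RETURN
"""

# Matches the ACCEPT rules Docker inserts for each published container port.
ACCEPT_RE = re.compile(
    r"^-A DOCKER -d (?P<ip>[\d.]+)/32 .*-p (?P<proto>\w+) .*--dport (?P<port>\d+) -j ACCEPT$"
)

def exposed_container_ports(rules: str) -> List[Tuple[str, str, int]]:
    """(container_ip, proto, port) for every port Docker opened on the host."""
    found = []
    for line in rules.splitlines():
        m = ACCEPT_RE.match(line.strip())
        if m:
            found.append((m["ip"], m["proto"], int(m["port"])))
    return found

def docker_user_rules(rules: str) -> List[str]:
    """Administrator rules in DOCKER-USER, the chain evaluated before Docker's
    own. A lone '-j RETURN' means no host-level policy restricts containers."""
    return [l.strip() for l in rules.splitlines()
            if l.startswith("-A DOCKER-USER") and not l.strip().endswith("-j RETURN")]

def audit(rules: str) -> Dict[str, object]:
    exposed = exposed_container_ports(rules)
    custom = docker_user_rules(rules)
    return {"exposed": exposed, "custom_policy": custom,
            "unrestricted": bool(exposed) and not custom}

if __name__ == "__main__":
    report = audit(SAMPLE_RULES)
    for ip, proto, port in report["exposed"]:
        print(f"{ip}:{port}/{proto} reachable through host iptables")
    if report["unrestricted"]:
        print("DOCKER-USER holds no rules: nothing on the host restricts these ports")
```

On a real host, feed it `iptables -S` output instead of the constructed sample; the point is that this policy lives on the host, not in any container.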

Docker Sweet Spot

I feel like Docker’s sweet spot is as a packaging and distribution mechanism for network services that speak “simple” TCP protocols, like HTTP.