Docker containers share the host’s kernel, network stack, and filesystem drivers, and generally don’t run complex services like systemd or CPU'S or sshd; they only run the packaged application.
A VM generally has a virtualized network setup and disk and runs a full-blown operating system, on top of the OS the host is already running.
What’s hard to do in Docker?
A container doesn’t actually have a NIC, doesn’t actually run a DHCP client, and can’t (easily) run low-level network protocol software; Docker “borrows” the host iptables for its own use and if you want very specific network policy per container it can get tricky; host storage is shared across all containers and you can’t readily assign a quota to a container.
In a VM there is a (virtual) NIC, and a DHCP client, and a firewall inside the VM, and so on.
Docker Sweet Spot
I feel like Docker’s sweet spot is as a packaging and distribution mechanism for network services that speak “simple” TCP protocols, like HTTP.
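The answer above notes that a container already shares the host's kernel and iptables, and that per-container network policy and quotas are hard. The script below is an added example (not the poster's code) that audits `docker inspect` output for containers that widen that sharing further or run without a memory quota; the field names (`HostConfig.NetworkMode`, `PidMode`, `Privileged`, `CapAdd`, `Memory`) are the real `docker inspect` keys, and the sample input is constructed rather than captured from a host.

```python
import json

# Constructed sample of `docker inspect` output for two hypothetical
# containers; not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"NetworkMode": "bridge", "Privileged": False,
                    "PidMode": "", "Memory": 268435456, "CapAdd": None}},
    {"Name": "/dhcp-relay",
     "HostConfig": {"NetworkMode": "host", "Privileged": True,
                    "PidMode": "host", "Memory": 0, "CapAdd": ["NET_ADMIN"]}},
])


def audit_host_sharing(inspect_json: str) -> dict:
    """Map container name -> list of findings.

    Every container already shares the host kernel and the host iptables;
    these checks flag settings that also hand over host namespaces or
    capabilities, or leave the container with no memory quota at all.
    An empty list means nothing was flagged for that container.
    """
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        issues = []
        if hc.get("NetworkMode") == "host":
            issues.append("host network namespace: no per-container "
                          "network policy is possible")
        if hc.get("PidMode") == "host":
            issues.append("host PID namespace: host processes are visible")
        if hc.get("Privileged"):
            issues.append("privileged: full device/capability access "
                          "to the shared kernel")
        if "NET_ADMIN" in (hc.get("CapAdd") or []):
            issues.append("CAP_NET_ADMIN: can change the shared host "
                          "network stack and iptables")
        if not hc.get("Memory"):          # 0 means "no limit" in docker inspect
            issues.append("no memory limit: competes with the host for RAM")
        findings[c["Name"].lstrip("/")] = issues
    return findings


if __name__ == "__main__":
    # Pipe real output in with: docker inspect $(docker ps -q) | python audit.py
    for name, issues in audit_host_sharing(SAMPLE_INSPECT).items():
        print(name, "->", issues or ["ok"])
```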