Containers

A container is a unit of software that holds the necessary components (code, runtime, system tools, system libraries, and software dependencies among others) for an application to run easily across different computing environments

  • Containers make it easy to share CPU, memory, storage, and network resources at the level of the operating system and offer a logical packaging mechanism in which applications can be abstracted from the environment in which they actually run

Pros

Separation of responsibility

Containerization provides a clear separation of responsibility, as developers focus on application logic and dependencies, while IT operations teams can focus on deployment and management instead of application details such as specific software versions and configuration

Workload portability

Containers can run virtually anywhere, greatly easing development and deployment: on Linux, Windows, and Mac operating systems; on virtual machines or on physical servers; on a developer’s machine or in data centers on-premises; and of course, in the public cloud

Application isolation

Containers virtualize CPU, memory, storage, and network resources at the operating system level, providing developers with a view of the OS logically isolated from other applications

Containers vs VMs

Containers and VMs are both different methods of isolation

VMs

  • The issues we have with VMs are not from a security perspective, but rather a performance perspective (Isolation performed by VMs is fantastic, but if similar isolation could be performed at a faster speed, it may be better)

    • example: Consider we have a Type 1A hypervisor running three VMs

    • Each of these VMs have have a different copy of an operating system, which also has its own libraries installed, etc.

    • Even if all of these VMs use the same OS, they still run separate copies of the OS (This is to ensure the isolation between the processes occurs without a problem)

    • However, since we have three copies of the same OS, this seems like a large waste of disk space (Since we have three copies of many identical files on the server, each taking up space)

    • In addition to memory, running three copies of the same OS can also lead to wasting CPU resources

    • In addition, booting a VM is the same as starting up a whole OS, which wastes a lot of time

Containers

  • Performed by programs such as Docker or LXC
  • Containers attempt to address VM’s performance issues
    • Containerization is different from VMs in that each container shares an underlying OS infrastructure with every other container in the system (This means that instead of installing an OS for each application for isolation, applications are able to share the resources of the same OS, while still remaining sandboxed from each other)
    • example:
      • Docker works by switching the hypervisor layer in Type 2 hypervisor with something called the Docker daemon (A service that runs in the background on the host OS and manages the running, scheduling and creation of new containers. On top of this, the daemon sits the containers, which are made up of the binaries and libraries necessary to run our application, plus the code for our application itself)
      • Despite sharing the same OS infrastructure, the docker daemon isolates each application from each other, leading to amazing performance gain, but also sacrificing some resource isolation guarantees (If somehow the shared OS is compromised, all of the application containers are compromised, but on a VM, however, if one of the VM OSes are compromised, the others are able to function as normal)