5

From what I understand, VMs use hardware virtualization, whereas Docker containers use software virtualization and therefore have better performance (in a case, let's say, where I am running a Dockerized Linux on a Windows machine). But what exactly is the reason that OS virtualization is faster than hardware virtualization?

BenMorel
Mister_L
  • 1
    See this post https://stackoverflow.com/a/16048358/4980651 and many other answers under this question, they give you a good overview of the underlying docker technologies which gives it an edge on performance – Siyu Nov 02 '18 at 14:18

2 Answers

11

Docker doesn't do virtualization. It uses kernel namespaces to achieve a chroot-like effect not just for the root filesystem but for process information (PID namespace), mount points, networking, IPC (shared memory), UTS information (hostname) and user IDs.

The containers share the kernel with the host. For security Docker uses AppArmor/SELinux, Linux capabilities and seccomp to filter system calls. Control groups (known as cgroups) are used for process accounting and for imposing limits on resources.

Ricardo Branco
  • 2
    You say that the containers share the kernel with the host, but how can they share a kernel if the docker image contains a different OS than the host? (e.g. Dockerized Linux on a Windows host) – Mister_L Nov 02 '18 at 14:42
  • 2
    @Mister_L If you run a CentOS container on a Debian system, it is running the CentOS binaries (and libraries) but not the CentOS provided kernel. Any container on a Debian system will use the kernel installed on that system. – Ricardo Branco Nov 02 '18 at 14:53
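The answer above says Docker relies on Linux capabilities (among other things) to keep a container's root user from being root on the host. The way to see what a container actually got is `CapEff` in `/proc/1/status` inside the container, which is a hex bitmask. The following is an added example (editor's code, not from the answer or from Docker) that decodes such a mask and compares it with Docker's default capability set. The two `/proc/<pid>/status` excerpts are constructed: the first uses the `00000000a80425fb` mask a default `docker run` container reports, the second the all-ones mask a `--privileged` container reports on a kernel with 41 capabilities. The `RISKY_CAPS` list is the editor's judgement, not a Docker or kernel definition.

```python
"""Decode CapEff from /proc/<pid>/status and compare it with Docker's defaults.

Added example (editor's code). Sample status excerpts are constructed.
"""
import re

# Capability names indexed by bit number (linux/capability.h, kernel 5.9+).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The 14 capabilities Docker grants a container by default.
DOCKER_DEFAULT_CAPS = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
}

# Editor's list (assumption, not from the page): capabilities that let a
# process reach past its own namespaces, i.e. a container holding them is
# not meaningfully isolated from the host kernel.
RISKY_CAPS = {
    "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
    "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_BPF", "CAP_PERFMON",
}

# Constructed excerpts of /proc/1/status as read from inside two containers.
DEFAULT_STATUS = (
    "Name:\tsh\nUid:\t0\t0\t0\t0\n"
    "CapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\nSeccomp:\t2\n"
)
PRIVILEGED_STATUS = (
    "Name:\tsh\nUid:\t0\t0\t0\t0\n"
    "CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\nSeccomp:\t0\n"
)


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability mask from a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def decode_caps(mask: int) -> list:
    """Expand a capability bitmask into names, lowest bit first.
    Bits beyond the known table (newer kernels) are returned as CAP_<bit>."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def audit_caps(status_text: str) -> dict:
    """Compare a process's effective capabilities with Docker's default set."""
    caps = set(decode_caps(parse_cap_eff(status_text)))
    return {
        "effective": sorted(caps),
        "beyond_default": sorted(caps - DOCKER_DEFAULT_CAPS),
        "risky": sorted(caps & RISKY_CAPS),
    }


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_STATUS), ("privileged", PRIVILEGED_STATUS)):
        report = audit_caps(text)
        print(f"{label}: {len(report['effective'])} caps, risky={report['risky']}")
```

On a live system, `grep CapEff /proc/1/status` inside the container (or `/proc/<pid>/status` of the container's process as seen from the host, since the host kernel sees every container process) gives the mask; `capsh --decode=<hex>` from libcap performs the same expansion. Anything showing up under `beyond_default` means someone passed `--cap-add` or `--privileged`, which is worth knowing before treating the container boundary as a security boundary.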
7

Docker is not about virtualization. It's about containerization (how to run a process in an isolated environment).

This means that you can't run a Linux container on Windows or a Windows container on Linux without using some kind of virtualization (VirtualBox, Hyper-V...). It's ok to do this on your laptop while developing, but in production you would choose the appropriate architecture for your containers.

What is a container?

From A sysadmin's guide to containers:

Traditional Linux containers are really just ordinary processes on a Linux system. These groups of processes are isolated from other groups of processes using resource constraints:

  • (control groups [cgroups]),
  • Linux security constraints (Unix permissions, capabilities, SELinux, AppArmor, seccomp, etc.), and
  • namespaces (PID, network, mount, etc.).

Setting all these manually (network namespaces, iptables rules, etc.) with Linux commands would be tricky, so it's the docker daemon's job to do them when you type docker ... commands, and things happen under the hood...

About speed...

First of all, containers can be slower than running a process directly on the host networking stack, because of the complexity which is introduced. See for example this: Performance issues running nginx in a docker container

But they will offer you speed. How?

  • containers are not full OSs (base images have small size)
  • containers follow the concepts of micro-services and "do one thing, do it well". This means that you don't put everything in a container the same way you would do with VMs. This is called separation of concerns and it results in more lightweight app components. It also gives speed to developers because different teams can work on their component separately (others also refer to this as developer velocity) with different programming languages and frameworks.
  • image layers: docker has an internal way of splitting an image to layers and when you build a new image, layers can be reused. This gives you good deployment speeds (consider how useful this is in case of a rollback)

About Windows Containers

Containers were a "Linux" thing, but this wave of containerization has also had an effect on the Windows land. In the beginning docker-toolbox used VirtualBox to run containers in a Linux VM. Later, docker-for-windows was introduced and gives the option to run containers directly on the host or on Hyper-V. If you visit Windows Container Types you can find more.

tgogos
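Both answers make the same point: a container is an ordinary process that the kernel has placed in its own namespaces and cgroup, and the host kernel sees it like any other process. The evidence for that is directly readable under `/proc`. The following is an added example (editor's code, not from the answer, the quoted guide, or Docker) that reads the two artefacts the answer names: the cgroup path from `/proc/<pid>/cgroup` (both the v1 `hierarchy:controllers:path` layout and the v2 `0::path` layout) and the namespace identifiers behind `/proc/<pid>/ns/*`. The `/proc` contents below are constructed samples and the 64-hex container ID is made up; the `docker/<id>` and `docker-<id>.scope` path shapes are the ones the cgroupfs and systemd cgroup drivers produce respectively.

```python
"""Read the /proc evidence of containerisation: cgroup membership and namespaces.

Added example (editor's code). /proc contents below are constructed samples.
"""
import os
import re

HEX64 = r"[0-9a-f]{64}"
NS_KINDS = ("pid", "mnt", "net", "uts", "ipc", "user")
FAKE_ID = "ab" * 32  # constructed container ID

# Constructed /proc/<pid>/cgroup contents.
HOST_CGROUP_V2 = "0::/\n"
HOST_CGROUP_V1 = "12:memory:/user.slice\n1:name=systemd:/user.slice/user-1000.slice\n"
DOCKER_CGROUP_V1 = (
    f"12:memory:/docker/{FAKE_ID}\n"
    f"11:pids:/docker/{FAKE_ID}\n"
    f"1:name=systemd:/docker/{FAKE_ID}\n"
)
DOCKER_CGROUP_V2 = f"0::/system.slice/docker-{FAKE_ID}.scope\n"

# Constructed readlink() results for /proc/<pid>/ns/<kind>. A default Docker
# container gets fresh pid/mnt/net/uts/ipc namespaces but, unless userns-remap
# is enabled, stays in the host's user namespace.
HOST_NS = {
    "pid": "pid:[4026531836]", "mnt": "mnt:[4026531841]", "net": "net:[4026531840]",
    "uts": "uts:[4026531838]", "ipc": "ipc:[4026531839]", "user": "user:[4026531837]",
}
CONTAINER_NS = {
    "pid": "pid:[4026532456]", "mnt": "mnt:[4026532454]", "net": "net:[4026532459]",
    "uts": "uts:[4026532455]", "ipc": "ipc:[4026532457]", "user": "user:[4026531837]",
}

CONTAINER_PATH = re.compile(r"(?:/docker/|docker-)(" + HEX64 + r")")


def container_id_from_cgroup(cgroup_text: str):
    """Return the container ID named in a /proc/<pid>/cgroup dump, or None.
    Each line is hierarchy:controllers:path; only the path is inspected."""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        m = CONTAINER_PATH.search(parts[2])
        if m:
            return m.group(1)
    return None


def namespaces_differing(proc_ns: dict, ref_ns: dict) -> list:
    """Namespace kinds in which proc_ns differs from ref_ns (e.g. host PID 1)."""
    return sorted(k for k in proc_ns if k in ref_ns and proc_ns[k] != ref_ns[k])


def confinement_report(cgroup_text: str, proc_ns: dict, ref_ns: dict) -> dict:
    """Combine both signals into one verdict about a process."""
    cid = container_id_from_cgroup(cgroup_text)
    diff = namespaces_differing(proc_ns, ref_ns)
    return {
        "container_id": cid,
        "differing_namespaces": diff,
        # Sharing the user namespace means uid 0 inside is uid 0 on the host.
        "shares_user_ns": "user" in proc_ns and "user" not in diff,
        "confined": cid is not None or bool(diff),
    }


def read_proc_ns(pid) -> dict:
    """Live helper for Linux: readlink /proc/<pid>/ns/* for the kinds above."""
    out = {}
    for kind in NS_KINDS:
        try:
            out[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:
            pass  # non-Linux, or no permission for that pid
    return out


if __name__ == "__main__":
    print("constructed:", confinement_report(DOCKER_CGROUP_V2, CONTAINER_NS, HOST_NS))
    try:
        with open("/proc/self/cgroup") as f:
            live = confinement_report(f.read(), read_proc_ns("self"), read_proc_ns(1))
        print("this process:", live)
    except OSError:
        print("no /proc here; skipping live check")
```

Run inside a default `docker run` container and the live check reports a container ID from the cgroup path, five differing namespaces, and `shares_user_ns: True`; run on the host it reports nothing differing and no ID. Note that comparing against PID 1 only works as a host reference when the reader is not already confined, which is exactly why the cgroup path is the more dependable of the two signals from inside.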