Containers vs. Hypervisors
I'm new to virtualization, and have read a number of articles on this topic. What is the current state of the art, especially in terms of the security aspect? Is one noticeably better than the other? What is the prevalent industry standard, and is it changing any time soon?
We have a new project that needs to make a decision real soon on whether to use one or the other. Your insights would be much appreciated. And if there's any authoritative reference published on this, I would appreciate your pointer(s).
1. There is no current state; it is continuously changing.
2. Without knowing the details of your project, no one can suggest anything.
3. I would rather try to test both and use the one which better suits your needs.
4. Security depends on the users/admin, not on the system itself.
Indeed, security does not have a quick answer.
The rule of thumb with security is that the more security features you add to the project, the more expensive it becomes and the worse its overall usability (for example, it takes much longer to add a new server). Since you know the details of the project, it's up to you to figure out how much security to require. You have three practical options,
1. Even when things change continuously (e.g. source code in a version-controlled repository), one could have a snapshot. What is the snapshot like today?
2. I could elaborate some key requirements for the project:
   a. There's no need to have different OSes (e.g. Windows vs. Linux vs. QNX vs. ...). Rather, the virtualized environment (container or VM) would be assigned to different customers doing pretty much similar things (maybe some differences in feature sets/options).
   b. These customers may want to upgrade their software dependent of each other.
   c. Ideally, they could fail independently.
   d. Security is very important: isolation of the customers' networks, data, etc.
3. We'd do prototyping soon, but I'm not sure if we'd have enough time to check out both paradigms.
From the network side, the isolation/security is almost the same; there are no big differences. From the storage/data side, again, data is usually not stored inside the VM or container, therefore it is irrelevant.
Can either one of them share a core in a CPU? Specifically, say the workload for 1 VM is 1.5 cores, can the remaining 0.5 core be used by any other VM? By the same token, can another container use the remaining 0.5 core in container environment?
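The fractional-core question above, worked through as an added example (this code is not from anyone in the thread). On Linux a Docker `--cpus=1.5` limit is written into the container's cgroup v2 `cpu.max` file as a CFS bandwidth quota, "<quota_us> <period_us>", so the parser below reads that format and shows why the unused 0.5 core is free for other containers: the quota is a ceiling on CPU time per period, not a reservation. The container names and `cpu.max` contents are constructed for the example.

```python
"""How a container's "1.5 cores" is enforced: a cgroup v2 cpu.max parser.

A Docker `--cpus=1.5` limit becomes a CFS bandwidth quota on the host
kernel (cgroup v2 file cpu.max, contents "<quota_us> <period_us>").  It is
a ceiling on CPU time per period, not a reservation, so whatever a
container does not use is available to every other process on the host,
other containers included.  The sum of caps may therefore exceed the
number of host cores.
"""
from fractions import Fraction
from typing import Dict, List, Optional

# Constructed sample cpu.max contents for three hypothetical containers.
SAMPLE_CPU_MAX: Dict[str, str] = {
    "customer-a": "150000 100000",  # docker run --cpus=1.5
    "customer-b": "50000 100000",   # docker run --cpus=0.5
    "customer-c": "max 100000",     # no limit: may use any idle core
}


def parse_cpu_max(text: str) -> Optional[Fraction]:
    """Return the core cap (1.5 for '150000 100000'); None means unlimited."""
    fields = text.split()
    if len(fields) != 2:
        raise ValueError(f"malformed cpu.max: {text!r}")
    quota, period = fields
    if quota == "max":
        return None
    q, p = int(quota), int(period)
    if q <= 0 or p <= 0:
        raise ValueError(f"malformed cpu.max: {text!r}")
    return Fraction(q, p)


def cores_to_cpu_max(cores: float, period_us: int = 100000) -> str:
    """Inverse: the cpu.max line that `--cpus=<cores>` produces."""
    return f"{int(round(cores * period_us))} {period_us}"


def summarize_caps(host_cores: int, cpu_max_by_cgroup: Dict[str, str]) -> dict:
    """Compare the sum of per-container caps with the host's core count."""
    caps = {name: parse_cpu_max(v) for name, v in cpu_max_by_cgroup.items()}
    total = sum((c for c in caps.values() if c is not None), Fraction(0))
    unlimited: List[str] = sorted(n for n, c in caps.items() if c is None)
    return {
        "caps": caps,
        "sum_of_caps": total,
        # Caps are limits, so exceeding host cores is legal; it only means
        # contention is possible when everyone is busy at the same time.
        "oversubscribed": total > host_cores,
        "unlimited": unlimited,
    }


if __name__ == "__main__":
    print(summarize_caps(2, SAMPLE_CPU_MAX))
```

Because quotas only cap, they do not guarantee a container its 1.5 cores when neighbours are busy; a guarantee needs pinning (`--cpuset-cpus`) or relative weighting (cgroup v2 `cpu.weight`). A hypervisor backs each vCPU with a host thread and can overcommit in the same way, so in both cases the spare 0.5 core is usable by others.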
Question:
When using "containers" (and I'm personally thinking about "docker"), don't people tend to install images from questionable / potentially untrusted sources? Meaning: when using VMs (through hypervisors), people might end up using mostly the official packages of the distribution being used, but when using containers people might start using a much larger (and interconnected) pool of sources?
I don't know about those "tends", but we use docker containers only with official canonical repositories (the only exception is the initial docker image, which comes from docker.io).
To #6: containers have no process management of their own; they rely on the host (and its kernel). Actually the dockerized processes are run by the same host system, the same way as any other process. In a VM it is definitely different; the usage of the cores depends on the configuration of the hypervisor.
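The "official repositories only" practice above can be enforced mechanically before an image is ever pulled. The following is an added example, not code from anyone in this thread: it parses a Docker/OCI image reference (registry/repository:tag@sha256:digest), applies Docker Hub's defaults (a bare "ubuntu" means docker.io/library/ubuntu) and allows a pull only from an allowlisted registry namespace and only when pinned by digest, since a tag can be re-pointed at different content at any time. The allowlist, the `registry.example.internal` host and the sample references (with placeholder digests) are all assumptions constructed for the example.

```python
"""Pull-policy check for container image references.

Parses a Docker/OCI reference (registry/repository:tag@sha256:digest),
applies Docker Hub's defaults (bare "ubuntu" means docker.io/library/ubuntu)
and enforces two rules: only allowlisted registry namespaces, and a pinned
digest, since tags can be re-pointed at different content at any time.
"""
import re
from typing import Dict, NamedTuple, Optional, Tuple

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")

# Hypothetical allowlist: registry -> allowed repository prefixes.
ALLOWED: Dict[str, Tuple[str, ...]] = {
    "docker.io": ("library/",),            # Docker official images only
    "registry.example.internal": ("",),    # anything in our own registry
}


class ImageRef(NamedTuple):
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split a reference into registry, repository, tag and digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"bad digest {digest!r}")
    parts = ref.split("/")
    first = parts[0]
    # The first component is a registry only if it looks like a host;
    # otherwise the whole reference is Docker Hub shorthand.
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
    if registry == "index.docker.io":
        registry = "docker.io"
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path          # official images live under library/
    tag = None
    last = path.rsplit("/", 1)[-1]        # a ':' here is a tag, not a port
    if ":" in last:
        tag = last.split(":", 1)[1]
        if not TAG_RE.match(tag):
            raise ValueError(f"bad tag {tag!r}")
        path = path[: -len(tag) - 1]
    if not path or path.startswith("/") or path.endswith("/"):
        raise ValueError(f"bad repository in {ref!r}")
    return ImageRef(registry, path, tag, digest)


def check_pull_policy(ref: str, allowed=ALLOWED, require_digest=True) -> Tuple[bool, str]:
    """Return (allowed?, reason) for a reference that is about to be pulled."""
    try:
        img = parse_image_ref(ref)
    except ValueError as e:
        return False, f"unparseable reference: {e}"
    prefixes = allowed.get(img.registry)
    if prefixes is None:
        return False, f"registry {img.registry} is not allowlisted"
    if not any(img.repository.startswith(p) for p in prefixes):
        return False, f"{img.registry}/{img.repository} is not an allowed namespace"
    if require_digest and img.digest is None:
        return False, "not pinned by digest; tags are mutable"
    return True, "ok"


# Constructed sample references (digests are placeholders, not real images).
SAMPLE_REFS = [
    "ubuntu:22.04",
    "ubuntu@sha256:" + "a" * 64,
    "someuser/ubuntu@sha256:" + "a" * 64,
    "registry.example.internal/payments/api:1.2@sha256:" + "0" * 64,
    "ghcr.io/acme/tool@sha256:" + "b" * 64,
]

if __name__ == "__main__":
    for r in SAMPLE_REFS:
        print(f"{r[:60]:60} -> {check_pull_policy(r)}")
```

The digest pin means the runtime will refuse content that does not hash to the expected value, but it says nothing about what that content is: an official image is still third-party code, so the allowlist reduces the pool of sources rather than making it trusted.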