LinuxQuestions.org
Linux - Containers This forum is for the discussion of all topics relating to Linux containers. Docker, LXC, LXD, runC, containerd, CoreOS, Kubernetes, Mesos, rkt, and all other Linux container platforms are welcome.

Old 04-25-2018, 02:21 AM   #1
rksyeung
Containers vs. Hypervisors


I'm new to virtualization, and had read a number of articles on this topic. What is the current state of the art, esp. in terms of security aspect? Is one noticeably better than another? What is the prevalent industry standard, and is it changing any time soon?

We have a new project that needs to make a decision real soon on whether to use one or the other. Your insights would be much appreciated. And if there's any authoritative reference published on this, I would appreciate your pointer(s).
 
Old 04-25-2018, 03:01 AM   #2
pan64
1. There is no current state; it is continuously changing.
2. Without knowing the details of your project, no one can suggest anything to you.
3. I would rather try to test both and use the one which better suits your needs.
4. Security depends on the users/admin, not on the system itself.
 
Old 04-25-2018, 08:17 AM   #3
simosx

Indeed, security does not have a quick answer.

The rule of thumb with security is that the more security features you add to the project,
the more expensive it becomes and the worse its overall usability gets (for example, it takes much longer to add a new server).

Since you know the details of the project, it's up to you to figure out how much security to require.

You have three practical options:
  1. Docker-style application containers. Here, each application becomes a container. You need to convert each application to a Docker container (dockerize it).
  2. LXC/LXD-style machine containers. Here, the containers behave and work like virtual machines. You get many of the security features of virtualization at the speed and efficiency of typical containers. You should go for LXD, which provides a hypervisor for the machine containers.
  3. Virtualization assisted by hardware. This is KVM, VirtualBox or VMware. They need more resources. As a rule of thumb, for the resources of one virtual machine with hardware-assisted virtualization, you can have at least 10 machine containers.
 
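Whichever of the three options above is chosen, the security a container actually delivers is decided by what the kernel lets its processes do. The script below is an added example (not from the post above or from any of the named projects) that decodes the CapEff bitmask from /proc/<pid>/status into capability names, picks out the ones that reach outside the container, and reads a uid_map line to tell whether root inside is remapped to an unprivileged host uid, which is what separates an unprivileged LXD container or a user-namespaced Docker daemon from a container whose root is the host's root. The sample CapEff value is what a default Docker container shows on a typical kernel and the uid_map lines are constructed; treat both as assumptions and run the script inside your own containers.

```shell
#!/bin/sh
# Decode the CapEff bitmask from /proc/<pid>/status into capability names and
# tell from a uid_map line whether the container's root is remapped. Index
# order follows include/uapi/linux/capability.h (bit 0 = CAP_CHOWN).

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# Capabilities that let a process reach outside the container: load kernel
# code, trace host processes, raw device/IO access, reconfigure the network,
# or read every file regardless of DAC permissions.
RISKY_CAPS="sys_admin sys_module sys_ptrace sys_rawio net_admin dac_read_search"

# decode_caps HEXMASK -> space-separated names of the capabilities that are set
decode_caps() {
    mask=$((0x$1))
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# risky_caps HEXMASK -> the subset of decoded capabilities listed in RISKY_CAPS
risky_caps() {
    have=" $(decode_caps "$1") "
    out=""
    for name in $RISKY_CAPS; do
        case $have in
            *" $name "*) out="${out:+$out }$name" ;;
        esac
    done
    printf '%s\n' "$out"
}

# root_is_remapped "INSIDE OUTSIDE COUNT" (one uid_map line) -> exit 0 when
# uid 0 inside maps to a non-zero host uid, i.e. an unprivileged user namespace
root_is_remapped() {
    set -- $1
    [ "$1" -eq 0 ] && [ "$2" -ne 0 ]
}

# Constructed samples (assumptions for this example): the CapEff a default
# Docker container shows on a typical kernel, a full capability set, and
# uid_map lines for a remapped and a non-remapped root.
DOCKER_DEFAULT_CAPEFF=00000000a80425fb
ALL_CAPS_CAPEFF=000001ffffffffff
REMAPPED_UID_MAP="0 100000 65536"
HOST_ROOT_UID_MAP="0 0 4294967295"

# Live check when run on Linux, inside a container or on the host
if [ -r /proc/self/status ]; then
    live=$(awk '$1 == "CapEff:" { print $2 }' /proc/self/status)
    echo "this process has: $(decode_caps "$live")"
    echo "risky subset:     $(risky_caps "$live")"
    if root_is_remapped "$(head -n 1 /proc/self/uid_map)"; then
        echo "root is remapped (user namespace)"
    else
        echo "root is the host's root"
    fi
fi
```

Run it with `docker exec`, `lxc exec` or inside a VM guest and compare: an empty risky subset plus a remapped root is the strongest result a container can give; a VM guest prints a full set and "root is the host's root", which is fine there because the guest kernel is not the host's.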
Old 04-25-2018, 10:49 AM   #4
rksyeung
Quote:
Originally Posted by pan64
1. There is no current state; it is continuously changing.
2. Without knowing the details of your project, no one can suggest anything to you.
3. I would rather try to test both and use the one which better suits your needs.
4. Security depends on the users/admin, not on the system itself.
Hi,

1. Even things that change continuously (e.g. source code in a version-controlled repository) can have a snapshot. What is the snapshot like today?
2. I could elaborate some key requirements for the project:
a. There's no need to have different OSes (e.g. Windows vs. Linux vs. QNX vs. ...). Rather, the virtualized environment (container or VM) would be assigned to different customers doing pretty much similar things (maybe some differences in feature sets/options).
b. These customers may want to upgrade their software dependent of each other.
c. Ideally, they could fail independently
d. Security is very important - isolation of the customers' networks, data, etc.
3. We'd do prototyping soon, but not sure if we'd have enough time to check out both paradigms.
 
Old 04-25-2018, 11:27 AM   #5
pan64
From the network side, the isolation/security is almost the same; there are no big differences. From the storage/data side, again, data is usually not stored inside the VM or container, therefore it is irrelevant.
 
Old 04-27-2018, 11:45 AM   #6
rksyeung
Can either one of them share a core in a CPU? Specifically, say the workload for 1 VM is 1.5 cores, can the remaining 0.5 core be used by any other VM? By the same token, can another container use the remaining 0.5 core in container environment?
 
Old 04-27-2018, 04:28 PM   #7
Pearlseattle
Question:
when using "containers" (and I'm personally thinking about "docker"), don't people tend to install images from questionable / potentially untrusted sources?

Meaning:
when using VMs (through hypervisors) people might end up using mostly the official packages of the distribution being used, but when using Containers people might start using a much larger (and interconnected) pool of sources?

 
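The question above is really about where a build's base images come from, and that is something a Dockerfile can be checked for mechanically. The script below is an added example, not from any poster here, that walks the FROM lines of a Dockerfile, resolves each image reference to its registry (bare names go to docker.io), and reports images pulled from a registry outside an allow-list, images on a floating tag such as :latest (or no tag), and images not pinned to a content digest. The allow-list, the sample Dockerfile and the all-zero digest in it are constructed for the example.

```shell
#!/bin/sh
# Check where a Dockerfile pulls its base images from. Flags FROM lines that
# (1) come from a registry not on the allow-list, (2) use a floating tag such
# as :latest or no tag at all, or (3) are not pinned to a @sha256 digest.
# Stage names (FROM ... AS name) and "scratch" are not pulled, so they pass.

# Constructed allow-list for this example: adjust to your own registries.
ALLOWED_REGISTRIES="docker.io registry.access.redhat.com"

# registry_of IMAGE -> registry host. A first path component is a registry
# only if it contains a dot or a port, or is "localhost"; otherwise the
# reference is a Docker Hub name such as "ubuntu:18.04" or "library/ubuntu".
registry_of() {
    first=${1%%/*}
    case $first in
        *.*|*:*|localhost) [ "$first" = "$1" ] && echo docker.io || echo "$first" ;;
        *) echo docker.io ;;
    esac
}

# check_image IMAGE -> one finding per line; prints nothing when the image passes
check_image() {
    img=$1
    reg=$(registry_of "$img")
    case " $ALLOWED_REGISTRIES " in
        *" $reg "*) ;;
        *) echo "$img: registry $reg not in allow-list" ;;
    esac
    case $img in
        *@sha256:*) ;;   # pinned: the same bytes on every build
        *) echo "$img: not pinned to a digest"
           ref=${img##*/}
           case $ref in
               *:*) [ "${ref##*:}" = latest ] && echo "$img: floating tag latest" ;;
               *)   echo "$img: no tag, defaults to latest" ;;
           esac ;;
    esac
    return 0
}

# check_dockerfile TEXT -> prints the findings, then the number of findings
# on the last line (0 means every FROM passed)
check_dockerfile() {
    findings=$(printf '%s\n' "$1" | awk '
        toupper($1) == "FROM" {
            img = ($2 ~ /^--/) ? $3 : $2        # skip --platform=...
            for (i = 1; i <= NF; i++)
                if (toupper($i) == "AS") stages[$(i + 1)] = 1
            if (!(img in stages)) print img       # a previous stage is not a pull
        }' | while read -r img; do
            [ "$img" = scratch ] && continue
            check_image "$img"
        done)
    [ -n "$findings" ] && printf '%s\n' "$findings"
    printf '%s\n' "$findings" | awk 'NF { n++ } END { print n + 0 }'
}

# Constructed sample Dockerfile: one floating-tag image from an unlisted
# registry, one Hub image on a version tag, one digest-pinned image.
SAMPLE_DOCKERFILE='FROM ubuntu:18.04 AS build
RUN apt-get update
FROM quay.io/someuser/tool:latest
FROM python@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM build
FROM scratch'

check_dockerfile "$SAMPLE_DOCKERFILE"
```

On the sample this prints four findings: ubuntu:18.04 is on an allowed registry but unpinned, and quay.io/someuser/tool:latest is unlisted, unpinned and floating. Pinning by digest only fixes reproducibility; whether the pinned image is trustworthy still depends on who published it, so pair this check with the publisher policy pan64 describes in the next post.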
Old 04-28-2018, 02:26 AM   #8
pan64
I don't know about those "tends", but we use Docker containers only with official Canonical repositories (the only exception is the initial Docker image, which comes from docker.io).

To #6: containers have no process management of their own; they rely on the host (and its kernel). Actually, the dockerized processes are run by the same host system, the same way as any other process.
In a VM it is definitely different; the usage of the cores depends on the configuration of the hypervisor.
 
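Since container processes are ordinary host processes, the "1.5 cores" in question #6 is enforced by the kernel's cgroup CPU bandwidth controller rather than by a virtual CPU count. The script below is an added example (not from the posts above) showing the arithmetic behind a fractional limit on cgroup v2: cpu.max holds a quota and a period in microseconds, the cgroup may consume quota microseconds of CPU time per period summed over all cores, and cycles it does not use are free for every other runnable task, which is the "remaining 0.5 core". It also parses cpu.stat to report how often a cgroup hit its cap. The cpu.stat sample is constructed; the mapping of `docker run --cpus=1.5` to quota 150000 / period 100000 is what Docker documents, and the LXD and libvirt equivalents named in the comments are the documented knobs, not something this script sets.

```shell
#!/bin/sh
# Fractional CPU limits for containers (cgroup v2, CFS bandwidth control).
# cpu.max contains "QUOTA PERIOD" in microseconds, or "max PERIOD" when
# unlimited. 1.5 cores == 150000 100000, which is what docker run --cpus=1.5
# writes; LXD's limits.cpu.allowance=150ms/100ms and libvirt's
# <cputune><quota>/<period> for a VM express the same ceiling.
# A quota is a ceiling, not a reservation: time this cgroup leaves unused is
# scheduled to whoever else is runnable, and without a quota the only
# division between cgroups is the proportional one from cpu.weight.

# cpu_max_for_cores CORES [PERIOD_US] -> "QUOTA PERIOD", e.g. 1.5 -> 150000 100000
cpu_max_for_cores() {
    cores=$1
    period=${2:-100000}
    # shell arithmetic is integer-only, so scale the decimal with awk
    quota=$(awk -v c="$cores" -v p="$period" 'BEGIN { printf "%d", c * p }')
    printf '%s %s\n' "$quota" "$period"
}

# cores_from_cpu_max "QUOTA PERIOD" -> cores with two decimals, or "max"
cores_from_cpu_max() {
    set -- $1
    if [ "$1" = max ]; then
        echo max
    else
        awk -v q="$1" -v p="$2" 'BEGIN { printf "%.2f\n", q / p }'
    fi
}

# throttled_pct "contents of cpu.stat" -> percentage of enforcement periods in
# which the cgroup was throttled. A high value means the workload wanted more
# than its quota, so the limit, not host contention, is the bottleneck.
throttled_pct() {
    printf '%s\n' "$1" | awk '
        $1 == "nr_periods"   { periods = $2 }
        $1 == "nr_throttled" { throttled = $2 }
        END { if (periods == 0) print 0; else printf "%d\n", 100 * throttled / periods }'
}

# Constructed sample cpu.stat (assumption for this example): a cgroup that was
# throttled in 3 of 40 periods.
SAMPLE_CPU_STAT='usage_usec 1200000
user_usec 900000
system_usec 300000
nr_periods 40
nr_throttled 3
throttled_usec 45000'

echo "1.5 cores -> cpu.max '$(cpu_max_for_cores 1.5)'"
echo "sample cgroup throttled in $(throttled_pct "$SAMPLE_CPU_STAT")% of periods"

# Live check when run inside a cgroup v2 container (the root cgroup has no cpu.max)
if [ -r /sys/fs/cgroup/cpu.max ]; then
    limit=$(cat /sys/fs/cgroup/cpu.max)
    echo "this cgroup: cpu.max='$limit' = $(cores_from_cpu_max "$limit") cores"
    echo "throttled in $(throttled_pct "$(cat /sys/fs/cgroup/cpu.stat)")% of periods"
fi
```

To answer the question for both platforms: a container capped at 1.5 cores leaves the other 0.5 core to any other cgroup with no configuration at all, while a KVM guest gets whole vCPUs and shares the underlying cores only as far as the hypervisor's cputune quota or shares settings allow.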
  

