Last week, we began introducing some cloud computing concepts in anticipation of our Certified Cloud Security Professional (CCSP) course, which will be coming out in the near future. To start, we introduced virtual machines and hypervisors, which are fundamental parts of the overall cloud ecosystem. If you didn’t read that post last week and find any of this hard to follow, we suggest taking a look at it first.
This week we will be stepping things up a notch by introducing containers. Containers are a lot like virtual machines, but they are more lightweight and flexible. This has made them an increasingly important fixture of cloud computing.
But first, a quick recap:
- Virtual machines include operating systems plus the apps on top. They sit on top of a layer of virtualization, known as the hypervisor.
- The virtual machine is known as the guest, while the underlying machine is the host.
- There are two types of hypervisor:
  - Type 1 hypervisors (also known as bare-metal or hardware hypervisors) – These have the physical hardware, then the hypervisor straight on top. Type 1 hypervisors are more efficient and secure.
  - Type 2 hypervisors (also known as operating system hypervisors) – These have an operating system in between the physical hardware and the hypervisor. This additional layer makes them less efficient and increases the attack surface area.
How do containers contrast with VMs?
Now that we’ve gotten the background out of the way, it’s time to dive into containers. The great thing about containers is that they are even more lightweight and flexible than VMs. The easiest way to show this is through the image. On the left, we have three virtual machines sitting on top of a type 1 hypervisor. We can tell that it’s a type 1 hypervisor because there is no additional operating system in between the hypervisor and the physical compute node.
On the right, we have three containers that sit on top of a containerization engine, like Docker. The important thing to note is where the operating systems are. On the bare-metal hypervisor, each of our three VMs has its own OS. In contrast, the containers do not have their own operating systems. Instead, the OS sits on top of the physical compute node, but beneath the containerization engine.
A containerization engine is essentially a layer of virtualization analogous to a hypervisor. One of the key differences is that containers don’t each need their own OS like VMs do. Instead, each container is an isolated user space, and all of the containers on a host share the kernel of the underlying OS.
This means that containers are highly portable code execution environments that are really efficient and can be spun up quickly. A program running inside a container can only see the resources allocated to it by the containerization engine. As far as the program can tell, these appear to be the only available resources.
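To make the shared-kernel, isolated-user-space picture concrete, here is an added example (not code from the original post, Docker, or any containerization engine) that reports what a process can see from inside its own environment: the kernel release (identical to the host's when run in a container), the namespaces it lives in, and the CPU and memory limits the engine assigned. It assumes a Linux host with cgroup v2 mounted at /sys/fs/cgroup; the parsing functions work on any platform.

```python
"""Inspect, from inside a process, the three things the article describes:
the kernel (shared with the host), the isolated namespaces, and the cgroup
resource limits the containerization engine assigned to this container.
Assumption: Linux with cgroup v2 mounted at /sys/fs/cgroup."""
import os
from pathlib import Path
from typing import Optional

NS_DIR = Path("/proc/self/ns")        # one symlink per namespace kind
CGROUP_DIR = Path("/sys/fs/cgroup")   # this process's cgroup under a cgroup namespace


def parse_cpu_max(text: str) -> Optional[float]:
    """cgroup v2 cpu.max is '<quota> <period>' in microseconds, or 'max <period>'.
    Returns the CPU share as a float (e.g. 0.5 CPUs), or None when unlimited."""
    quota, period = text.split()
    if quota == "max":
        return None
    return int(quota) / int(period)


def parse_memory_max(text: str) -> Optional[int]:
    """cgroup v2 memory.max is a byte count, or 'max' when unlimited."""
    text = text.strip()
    return None if text == "max" else int(text)


def namespace_ids(ns_dir: Path = NS_DIR) -> dict:
    """Map namespace kind -> e.g. 'pid:[4026531836]'. Two processes with
    different values are in different isolated user spaces on the same kernel."""
    if not ns_dir.is_dir():
        return {}
    return {p.name: os.readlink(p) for p in sorted(ns_dir.iterdir())}


def describe_environment(cgroup_dir: Path = CGROUP_DIR) -> dict:
    """What this process can see: kernel release, its PID inside its own
    PID namespace, namespace ids, and the limits set by the engine (None when
    the files are absent, e.g. in the root cgroup outside any container)."""
    info = {"kernel": os.uname().release, "pid_in_namespace": os.getpid(),
            "namespaces": namespace_ids(), "cpu_limit": None, "memory_limit": None}
    cpu, mem = cgroup_dir / "cpu.max", cgroup_dir / "memory.max"
    if cpu.is_file():
        info["cpu_limit"] = parse_cpu_max(cpu.read_text())
    if mem.is_file():
        info["memory_limit"] = parse_memory_max(mem.read_text())
    return info


if __name__ == "__main__":
    for key, value in describe_environment().items():
        print(f"{key}: {value}")
```

Run it once on the host and once inside a container started with CPU and memory limits: the kernel line matches, while the namespace ids, the PID, and the limits differ.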
Containers are incredibly useful for modern work environments, because you can move workloads around in an efficient and flexible way. As an example, you can start coding on your Windows laptop, then move the workload over to someone else on a Mac for testing. You can then put it into production in a private cloud, all without having to worry about compatibility. This makes containers tremendously useful in our current tech landscape.