Computer Systems Architecture


ASSIGNMENT 2.docx

Instructions

Download and install a virtual machine (VM) (e.g. VirtualBox, VMware) and an operating system for that VM (e.g. CentOS). After completion, open a terminal and run three commands:

$ whoami

$ hostname

$ ifconfig (if the VM is Mac or Linux)

$ ipconfig (if the VM is Windows)

$ ip addr show (some Windows VM need this command)

Then screenshot the VM and submit the PDF file as part of the HW1 answer. The snapshot can be taken with a phone or camera, then submitted as a PDF or JPEG file. The screenshot must show the VM logo (such as Oracle VM). The screenshot can't be from the host computer. (40%)

------------------------------------------------------------------------------------------------

Instructions:

The instructions below are based on VirtualBox as the VM and CentOS as the VM OS, on Mac OS 10.10.5. VirtualBox acts like virtual computer hardware, and CentOS is the operating system that runs on that virtual hardware.

Do a Google search for Oracle VirtualBox and CentOS free download for your platform. Be sure to get the right ones for your platform, for example "*.dmg" for Mac. Some downloads are OS-version specific, for example Mac OS 10.10.x.

Install your VM. In the case of VirtualBox for Mac, just double-click "VirtualBox-xxx.dmg". From the pop-up window, drag "VirtualBox" onto the "Applications" folder. Close the pop-up window. Double-click the "VirtualBox" icon to launch VirtualBox.

In the VirtualBox window there is no OS installed yet. You can install many OSes on the VM, but only one OS can run at a time. To toggle between VirtualBox and the host environment, press the "command" key on the Mac.

On the top panel click "New". A smaller window pops up inside it. Enter a "Name" for the VM OS you are about to create, e.g. "Centos_1".

Choose a "Type" for the OS. CentOS's type is "Linux". For "Version", choose "Red Hat (64-bit)".

Adjust "Memory size" to 8GB.

For "Hard Disk", choose:

"Create a virtual hard disk now", if you have never had one. This is the case for most of you.

"Use an existing virtual hard disk file", if you are using one from another person or one you created previously.

Click "Create".

Another window pops up. For "File location", leave it alone, or click the icon to its right to choose your own location.

For "Hard Disk File Type", choose:

"VDI (Virtual Disk Image)", if you don't need to port it to another computer.

"VMDK (Virtual Machine Disk)", if you want to port it to another computer.

Click "Create".

Another window pops up. It asks where the bootable file is. Right-click the icon next to it and choose the CentOS-xxx.iso file (a CD/DVD disk image) or any virtual OS image that you downloaded. This will create the virtual OS on the VM. For CentOS, you will need to go through configuration to choose the files and features you need. Then, on the second configuration window, be sure to create a root password and a user account other than root. Give that user administrative privileges; that will make it easier to do things later on. But be aware that this user can also damage the system if he/she doesn't know what to do. The good thing is that you can always create another VM and VM OS.

The alternative to a CentOS VM is to use VMware or Oracle VM. Windows 10 seems to have difficulty installing a CentOS VM or VMware, but it should have no problem installing Oracle VM.

Once the system is configured and ready to use, right-click to open a terminal.

Type in the three commands and take the screenshot FROM THE VM. The screenshot must contain the VM logo and name; preferably it also shows the host in the background, but that is not mandatory.

$ whoami

$ hostname

$ ifconfig (if the VM is Mac or Linux)

$ ipconfig (if the VM is Windows)

$ ip addr show (some Windows VM need this command)

Save the screenshot with a keyboard combination, or take a photo with your cell phone, and submit the VM screenshot as a PDF or JPEG file along with the other HW1 answers. The snapshot can be from a phone or camera. The screenshot must show the VM logo (such as Oracle VM), and it can't be from a host computer.
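The following script is an added example, not part of the assignment text: it runs the same commands the assignment asks for (whoami, hostname, and ip addr show or ifconfig, whichever the guest actually has) from one POSIX shell script so that all the output lands in a single terminal window for the screenshot, and it adds a best-effort check that the shell really is inside a guest rather than on the host, which is the mistake the assignment warns against. The virt_hint function relies on systemd-detect-virt or the DMI product name, either of which may be absent on a given guest; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the assignment: gather the three facts the
# assignment asks for (user, hostname, interface addresses) into one report,
# plus a hint about whether this shell is running inside a VM at all.

# Fall back to `id -un` on systems where `whoami` is missing.
whoami_safe() { whoami 2>/dev/null || id -un; }

# Fall back to the kernel's view of the hostname if the command is missing.
hostname_safe() {
    hostname 2>/dev/null || cat /proc/sys/kernel/hostname 2>/dev/null || echo unknown
}

# Prefer iproute2's `ip addr show`; fall back to the older `ifconfig`.
show_addresses() {
    if command -v ip >/dev/null 2>&1; then
        ip addr show
    elif command -v ifconfig >/dev/null 2>&1; then
        ifconfig
    else
        echo "(no ip or ifconfig found: install iproute2 or net-tools)"
    fi
}

# Best-effort guest check: systemd-detect-virt knows most hypervisors and
# container runtimes (it prints "none" and exits non-zero on bare metal);
# the DMI product name (e.g. "VirtualBox") is the fallback where it exists.
virt_hint() {
    if command -v systemd-detect-virt >/dev/null 2>&1; then
        systemd-detect-virt 2>/dev/null || true
    elif [ -r /sys/class/dmi/id/product_name ]; then
        cat /sys/class/dmi/id/product_name
    else
        echo unknown
    fi
}

# One report with labelled lines, so a single screenshot captures it all.
vm_identity_report() {
    echo "user:      $(whoami_safe)"
    echo "hostname:  $(hostname_safe)"
    echo "virt:      $(virt_hint)"
    echo "addresses:"
    show_addresses | sed 's/^/  /'
}

vm_identity_report
```

Save it as vm_report.sh inside the guest, run `sh vm_report.sh`, and take the screenshot of that terminal; if the virt line says "none" or shows your laptop's model name, you are on the host, not in the VM.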

sandbox_virtual machine_ (1).pdf

7/29/2017 What's the difference between a sandbox and a virtual machine?

http://ask-leo.com/whats_the_difference_between_a_sandbox_and_a_virtual_machine.html 1/9

What's the difference between a sandbox and a virtual machine?

Sandboxes and virtual machines share some characteristics, but they are fundamentally different technologies. I'll look at both from a high level.

by Leo A. Notenboom, © 2012

Sandbox versus virtual machine: can you provide a brief overview on the differences, advantages, and disadvantages?

Sandboxes and virtual machines are two different technologies that share just enough characteristics to make them easily confused.

One could even confuse matters further by referring to a virtual machine as the ultimate sandbox. That would be an accurate statement, but it really only stirs up the mud in what is already muddy water without a little background.

Let's look at the three scenarios: the default case without either, a sandbox, and a virtual machine.

Windows on its own

Let's start with a conceptual view on how Windows and Windows applications operate at a very high level:


As you can see in the above diagram, applications running in Windows interact with the machine and with you through Windows.

Windows manages access to the files and on-disk resources; it also manages access to the hardware through the device drivers that are installed for your machine's specific hardware configuration.

A sandbox under Windows

In a sense, a sandbox is a container placed around an application running within Windows:

You'll note that one of the three applications in this example configuration is drawn as being within a sandbox. Of particular note is that a portion of the "Files & Settings" used by that application are also placed in that sandbox.

Therein lies the magic.

When you run an application within a sandbox, it continues to have access to everything that it would were it not sandboxed. The primary difference is that anything created or changed by the sandboxed application is:

Not visible outside of the sandbox; other Windows applications don't see it.

Not saved when the sandboxed application exits [1].

The best example is simply that any malware that might have been downloaded and "installed" by the sandboxed application is discarded when the application exits.
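The copy-and-discard behaviour described above can be modelled in a few lines of POSIX shell. This is an added example, not from the Ask Leo article or from any sandboxing product: it gives a command a throwaway copy of a directory standing in for the "Files & Settings", lets the command change that copy freely, and deletes the copy when the command exits. A second variant deliberately copies one named file out before discarding, which is the "extra step" the article describes for keeping a download. It is not a security boundary (there is no process, network or kernel isolation); it only illustrates the idea. The function names and the constructed sample directory are my own.

```shell
#!/bin/sh
# Added example (not from the article): a file-level model of a sandbox.
# The sandboxed command works in a private copy of BASE_DIR; the copy is
# deleted on exit, so BASE_DIR never sees the changes.

# run_sandboxed BASE_DIR COMMAND...
#   Runs COMMAND with its working directory set to a throwaway copy of
#   BASE_DIR and returns COMMAND's exit status. BASE_DIR is never modified.
run_sandboxed() {
    base=$1; shift
    box=$(mktemp -d) || return 1
    cp -R "$base/." "$box/"        # private copy: the "sandbox layer"
    ( cd "$box" && "$@" )          # subshell: cwd/env changes stay inside
    status=$?
    rm -rf "$box"                  # exit == discard (the article's note 1)
    return $status
}

# run_sandboxed_export BASE_DIR EXPORT_DIR FILE COMMAND...
#   Same as above, but copies FILE out of the sandbox into EXPORT_DIR before
#   the sandbox is discarded: the explicit step needed to keep a download.
run_sandboxed_export() {
    base=$1; export_dir=$2; keep=$3; shift 3
    box=$(mktemp -d) || return 1
    cp -R "$base/." "$box/"
    ( cd "$box" && "$@" )
    status=$?
    [ -f "$box/$keep" ] && cp "$box/$keep" "$export_dir/"
    rm -rf "$box"
    return $status
}

# Demo on a constructed directory: one setting file, then a "sandboxed app"
# that edits the setting and drops a new file.
demo() {
    work=$(mktemp -d)
    mkdir "$work/base" "$work/out"
    echo "original" > "$work/base/settings.txt"

    run_sandboxed "$work/base" sh -c 'echo changed > settings.txt; echo payload > download.bin'
    echo "after the sandboxed run:"
    echo "  settings.txt outside the sandbox = $(cat "$work/base/settings.txt")"
    [ -e "$work/base/download.bin" ] || echo "  download.bin is not present outside the sandbox"

    run_sandboxed_export "$work/base" "$work/out" download.bin sh -c 'echo payload > download.bin'
    [ -e "$work/out/download.bin" ] && echo "  download.bin explicitly exported to out/"
    [ -e "$work/base/download.bin" ] || echo "  base/ still untouched"
    rm -rf "$work"
}

demo
```

The design point is the subshell plus the private copy: nothing the command does to its working directory, environment or files survives the closing parenthesis, and the only way data leaves is the named export, which is exactly where a real sandbox's "save out of the sandbox" control would sit.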

A virtual machine under Windows

A virtual machine, or VM, is an application that runs under Windows that creates an environment that simulates a completely separate computer.


In this diagram, the application on the left is a VM that's running a completely separate copy of Windows. In a very real sense, it's a "machine within a machine." Windows running on the actual PC is often referred to as the "host" operating system, while any VMs running on it are referred to as "guest" operating systems.

Within a VM, applications continue to access the world around them through that VM's copy of Windows. That "world" includes that VM's own virtual hard disk on which files and settings are stored.

The VM also includes its own set of virtual device drivers that behave as if they're interfacing to actual hardware. In reality, they're mimicking the presence of actual hardware and talking to the host copy of Windows to gain access to the real hardware.

Everything that happens in the VM stays within the VM. It behaves exactly as if it were a completely separate physical machine.

That implies that any downloads, changes, updates, installations ... anything ... that is created or saved within the virtual machine is only accessible through the VM in some way.

And if you delete the VM, it's like getting rid of a PC. Everything on the virtual hard disk is erased.

Multiple virtual machines

One of the best ways to demonstrate virtual machine technology is a scenario such as this one:


This illustrates a single PC running three virtual machines.

The PC itself is running Windows 7.

One VM is running Windows XP - and would appear as a window within the host Windows 7 machine.

One VM is running another copy of Windows 7 - and would appear as a window within the host Windows 7 machine.

One VM is running Ubuntu Linux - and would appear as a window within the host Windows 7 machine.

One physical machine running three different virtual machines simultaneously.

Each virtual machine is completely separate - as if it was on completely separate hardware - except that it's not.

This is actually more common than you might imagine. For example, so-called "cloud servers" are nothing more than virtual machines. As I write this, the Ask Leo! website is in reality a modest virtual machine on a virtual hosting provider. I have no idea what the underlying hardware actually is - the virtual machine can't look "out" to its host. My assumption is that it's a fairly beefy piece of hardware on which several virtual machines are hosted.

Pros and Cons

Sandbox


Sandboxing is typically lightweight and fairly easy to set up and use. I say "fairly" because there are complexities, most notably about how to get desired changes to be preserved outside of the sandbox. For example, if your browser is sandboxed (the most common scenario), getting a downloaded file that you want to use outside the sandbox may take a few extra steps. Other changes that you might want to preserve while you're in the sandbox can also be slightly more complicated to retain.

Virtual Machine

Virtual machines are almost certainly not lightweight. You'll need disk space to allocate to the virtual hard drive and you'll also need to make choices about how much of your computer's RAM you want to allocate to the VM while it's running, among other things.

When discussing the characteristics of a virtual machine, the phrase that keeps coming up is "just as if it were a separate physical machine". And when looking at what a VM can and cannot do and what it takes to set one up, that's the best rule of thumb to remember.

Setting up a VM typically involves installing an OS from scratch. In the multiple-VM example above, each virtual machine would need to be set up - just as if they were separate physical machines.

A virtual machine and its host are effectively isolated from each other. A common way to copy files to and from the virtual machine is to set up network access on that machine - just as if it was a separate physical machine.

As you can see, a VM is perfect if you want a completely isolated "virtual" second (or third, or fourth) machine. It's also perfect, particularly if you want that machine to run a different operating system than its host. For example, I no longer have a physical machine that has Windows XP installed on it, but I have virtual machines that I can fire up at will on my Windows 7 desktop that provide me with a copy of Windows XP to work with.

In fact, that's all that "XP Mode" on Windows 7 really is - a virtual machine in which Windows XP can run.

Specific Tools

The most popular sandboxing tool by far is called "Sandboxie". Originally developed as a Sandbox for IE (hence the name), it's grown into a powerful and flexible general purpose sandboxing solution.

I use Parallels Workstation for Windows as my virtual machine technology. I regularly run copies of Windows 7, Windows Vista, Windows XP, and Ubuntu Linux in virtual machines for testing, doing demos, and answering your questions. Parallels is perhaps best known for their VM technology that allows you to run Windows on your Mac computers.


VMWare is another popular VM provider. Of note is that there are many pre-configured VMWare "appliances" that you can simply download and run. For example, you can download a ready-to-run VMWare appliance that is Ubuntu Linux without having to go through the steps of actually setting up the operating system.

VirtualBox is another VM alternative that I've only played with briefly, but it's free and appears well supported and quite robust.

Next steps

I plan to dive into Sandboxie in more detail at some point in the future, as it can be a useful tool in your arsenal against malware. You needn't wait; you might consider checking it out.

Virtual machines aren't for everyone. If you know it's what you need and you have the hardware to support it, it's incredibly cool technology.

But it's overkill for most day-to-day usage.

1: Specific sandbox implementations may provide mechanisms to transfer or save data out of the sandbox, but the important concept here is that, unless such steps are taken, any changes made by the sandboxed application are lost.

Article C5040 - January 14, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


Can the VM be made to simulate hardware as well? I am a gamer and would love to simulate older pc's with 3dfx cards.

In theory, yes, but I've not run into any that allow for it.

18-Jan-2012

I use VMware player and have the Windows 8 previewer running in it, as well as three different Linux distros. One reason to run a virtual machine might be to do online banking in a safe environment. Another is to experiment with different OS's without tying up a computer. This allows you to start from scratch again easily if you mess something up.

I was also going to say that about games not installing with VM as well. I run W7 Ultimate (64 bit) and first got into Virtual Machine when I couldn't get Status Monitor software to work with my Epson printer under W7. The printer works fine, there's just no way to check ink levels or run maintenance with Epson's Status Monitor under W7. Running out of ink mid-task is not the best way to find I need it and ink is too expensive to guess when it's time to replace the cartridges. I tried a couple programs that are supposed to work like Status Monitor but they had problems like changing the order of the colors so I didn't know which was accurate - color name or cartridge location. None of them worked right with some things hanging up endlessly - not locked up or frozen, just appearing to be doing something while nothing was actually happening. So, I tried the Windows XP Virtual Machine set-up Microsoft offers. It allowed me to install the printer and Status Monitor although it only works less than half the time although the printer works fine. I did try to install some older games and while they appeared to install, none would work. The biggest problem was I was unable to get any gaming hardware to work. I tried several joysticks including an ancient Logitech Wingman Force and an older Logitech steering wheel. I could almost hear it laughing with newer hardware like my G27 wheel and Saitek joy stick. Although the VM appeared to allow installation, nothing ever installed.

I'm still hoping someday to find a VM program a bit more functional. Until then I am hanging onto my faithful old XP based machine as well for older games. W7 compatibility mode is not as good as you'd expect.

An aside is the term 'Sandbox' also applies in gaming and means a game where you don't have to follow the script constantly and can freely roam about doing (almost) whatever you want. What immediately comes to mind are the Grand Theft Auto games. To a lesser degree are Fallout 3 and Fallout New Vegas.


Oh yeah, and VM DOES require a separate anti-virus. Cheapest way for me was to get the 3 PC version of my favorite security suite! A number of ISPs offer free brand-name security suites to subscribers. Mine does not limit how many PCs it can be installed on.

Isn't Chrome already using sandbox technology for general browsing? I think I read recently that in Chrome each tab is its own sandbox. Do I have that right? I use SR Ware Iron, which uses Chrome as its core, without all the Google privacy concerns. I have used it for a few years, and I love it. Updates to Chrome are automatically applied to Iron as well.

It's not true sandboxing as discussed in this article, or you'd never be able to save a download or make a chrome setting change. Chrome does give each tab its own process which reduces the problems one web page you're viewing might cause to another.

18-Jan-2012

Dell has had the Secure Firefox for well over a year now. This provides safe surfing with a built-in sandbox. No configuring is needed. It is called KACE secure browser and it is free to anyone. Many of my customers now use it.

Packrat1947

OK, I understand more than I did before about the differences, but does this include the JVM, or Java Virtual Machine?

The JVM does use a form of sandboxing, yes, but it's really not related - other than in concept - to what this article is discussing.

21-Jan-2012


Copyright © 2003-2017 Puget Sound Software, LLC and Leo A. Notenboom. Ask Leo! is a registered trademark ® of Puget Sound Software, LLC.


Virtual containers are replacing sandboxing as a technology option - Infosecurity Magazine.pdf

7/29/2017 Virtual containers are replacing sandboxing as a technology option - Infosecurity Magazine

https://www.infosecurity-magazine.com/opinions/security-take-its-head-out-of-the/ 1/3

2016: Time for Security to Take its Head out of the "Sand" (box)

29 APR 2016 OPINION

Israel Levy, CEO of BUFFERZONE

As malware has become increasingly sophisticated, conventional protection solutions have proven insufficient for companies’ IT security needs.

While "sandboxing" is still a popular and frequently deployed solution, over the last several years new technologies and approaches have been introduced to the market. Let's take a look at one of those approaches, called "containers", and see how it measures up against the current industry standard set by sandboxes.

Common Problems

Containment is a fairly new concept, deviating from the widely known and popular "sandboxing" method. Sandboxing is a detection method which runs potentially malicious files in a confined, isolated environment, otherwise known as the "sandbox", to determine whether they are indeed malware. Sandboxing arose as a response to the realization that signature-based technology had grown increasingly ineffective in protecting endpoints from stealth attacks.

Sandboxing, however, once the “go-to” solution for thwarting unknown threats, is also gradually proving insufficient in today’s increasingly sophisticated malware climate, echoing the challenge IT security execs faced with the inadequacy of signatures.

Enter the next generation, virtual containers. Virtual containers reside on the endpoint and continuously isolate applications like web browsers, email and removable storage that come into contact with untrusted sources. Unlike sandboxes, containers are not a time-limited solution for testing whether code is malicious. Instead, they provide an ongoing buffer between the “insecure” realm of the internet and the “secure” realm of the corporate network.

           


The Benefits and Drawbacks of Sandboxes

Several years ago, sandboxing became the popular approach to detecting advanced threats, causing several big-name security companies to advocate this as the preferred method. Sandboxes do not continuously run on endpoints, rather they generally run on a server and are used to detonate a suspicious file. Files are opened there first, and if they don’t trigger any alarms after a short time, they are sent onward.

The sandbox is in action for a short period of time, scanning any unknown content and detecting malware. However, once this process is completed, the approved content is free to transfer over into the trusted network. Malicious content, unfortunately, is “smart” and is known to disguise itself as benign until the testing period is over. Following the testing period, the malware is released and a phenomenon known as “sandbox evasion” occurs.

Evolution of the container

Sandboxing and containers have their similarities - they both use virtualization to create a “safe space” for potentially malicious content. But, as hackers focus on devising attack methods that we haven’t thought of, making them impossible to detect, containers take the approach that everyone is suspect.

The security architecture of containers, as opposed to sandboxes, is designed to outsmart malware evasion. With containers, detection is not essential. Instead, both non-malicious and malicious content remain in the container forever.

Containers have evolved out of the need for a more comprehensive solution, one that will create a sort of perimeter around any application that can be used as an attack vector, constantly running, isolating all unknown content, and maintaining constant segregation from trusted networks. A container runs continuously on the endpoint and, rather than isolating a file for a short time, it continuously isolates the risky application, like the web browser, email or Skype. Container technology can be implemented in software, on top of the operating system, or as part of the microprocessor's firmware.

Containers assume anything unknown is untrusted and, therefore, keep it in a secure and isolated environment, known as the "container". Anything unknown is eternally deemed untrusted and can only leave the container through a secure bridge that disarms threats and gives security teams control over what enters the corporate network.

Looking Ahead

With 44% of respondents in a recent SANS endpoint security survey admitting that one or more of their endpoints had been compromised in the past 24 months, 2016 will see more money invested in endpoint security—a market growing at a CAGR of 8.4% from 2015 to 2020.

While server-based file sandboxing has been successful in stopping many threats, today’s sophisticated malware attacks demand a more comprehensive solution. Just as malware has evolved and taken on different forms, sandboxing, as well, is assuming different forms, including virtual containers, and micro-virtualization solutions that provide continuous protection. This more comprehensive approach ensures that any threat that gets in – whether through a web browser, email, document, phone etc. will be locked in a container indefinitely.

If we want to prevent the next data breach from happening, we must offer solutions that provide a solid defense, along with seamless deployment and management. Conventional sandboxing has an important role to play in terms of testing suspicious executables in a safe environment. But it is no longer effective in preventing unknown threats as containers continuously isolate risky applications, do not rely on detection and provide a more effective long-term solution for user endpoints from whatever hackers come up with next.


Copyright © 2017 Reed Exhibitions Ltd.


Containers_VM.pdf

Redmond Magazine

IN-DPTH (HTTP://RDMONDMAG.COM/ARTICL/LIT/FATUR.APX)

Containers vs. Virtual Machines

The rie of container that run mall component known a micro-ervice ha generated a lot of uzz in the trenche of enterprie IT over the pat two

ear ecaue of the potential model for how organization architect infratructure and uild application. Container make it eaier to help accelerate

the move to the DevOp model. Although container have een around for a while in the Linux world, the're new to Window, et to deut with thi

fall' Window erver 2016 releae. Man organization are looking at emracing container, epeciall thoe with uine imperative that require a

more agile approach to reponding to the whim of cutomer, partner, upplier and even emploee. Nearl ever major IT plaer ha latched onto

the open ource container movement driven  Docker Inc.

At the recent DockerCon 16 conference in ea�le, Wah., 4,000 clearl eager a�endee learned how containerized micro-ervice will et the tage for

how the generation of application are deigned, uilt, deploed, and managed, ideal for erving the need of organization and IV alike who want to

uild cloud-native app or ridge legac o�ware into thi new world.

Thee emerging micro-ervice application are o�en referred to a Mode 2 app, which conit of lightweight container running mall app or

networked micro-ervice. Thi new tle of application i expected to replace the heavweight monolithic app that toda run in virtual machine

(VM). Doe that mean container will replace VM? A�er a�ending the two-da DockerCon in late June, I can explore how container and

containerized application compare to VM running traditional application and how Window erver 2016 and a revamped Hper-V will raie thi

quetion.

Window Container Tpe 

Firt, let' take a quick look at the forthcoming Window erver Container. aicall, a container i an iolated pace where an application can run

without a�ecting the ret of the tem or other container. Unlike VM, which are all eentiall the ame, there are two tpe of container in

Window erver 2016:

Window erver Container: Running directl on top of the Window erver O, Window erver Container provide application iolation through

proce and namepace atraction. All Window erver Container hare the ame kernel network connection and ae �le tem with the

container hot.

Hper-V Container: More ecure than Window erver Container, Hper-V Container each run in a highl optimized VM. With Hper-V

Container the kernel of the container hot in't hared with the Hper-V Container. Intead, the container ue the VM' ae O. Thi provide

a more ecure environment a the container are iolated from the underling hot, ut have more overhead.

The Window erver Container themelve are compatile with Hper-V Container and other Window erver Container. The new Nano deploment

option for Window erver i intended a a platform for running container.

Containers and VM Architecture

Containers have been called the next generation of virtualization because they provide application abstraction in much the same way that VMs provide hardware abstraction. Instead of virtualizing the hardware like a VM, a container virtualizes at the OS level. Containers run at a layer on top of the host OS and they share the OS kernel. Containers have much lower overhead than VMs and a much smaller footprint. You can see the Windows Server Container and Hyper-V Container architecture in Figure 1.

Figure 1. The Windows Container Architecture

As illustrated, the VMs run on top of a hypervisor that's installed directly on the bare-metal system hardware. Each VM has its own emulated hardware, OS and applications. VMs can be paused, stopped and started. They can be moved between virtualization hosts without any end-user downtime by using technologies such as live migration or vMotion.

Containers are quite different. The container runtime is installed on top of the host OS and every containerized application shares the same base underlying OS. Each container is isolated from the other containers. Unlike VMs, where each VM has its own individual kernel and OS, containers share the same kernel, network connection and base file system as the underlying OS. You don't need a whole new and separate OS, memory and storage as you would for a VM. Because containers don't have to emulate physical hardware and the entire OS, they're far smaller and more resource-efficient than VMs.

The releae of Window erver 2016 will ring a new option of uilding app aed on micro-ervice that run in Docker and

other tandard container. Doe that portend the end of the VM?

 Michael Ote 09/06/2016


Container and VM torage 

 now mot people are familiar with VM torage. With VM one or more virtual dik provide the torage for the VM. There are di�erent tpe of �xed

virtual dik. VM have dnamic, �xed and di�erential virtual dik. In each cae the're tored a a �le on the virtualization hot or on a hared torage

location. The VM ee virtual dik a di�erent O drive.

Container torage i quite di�erent. Container don't ue virtual hard drive. The're deigned to e tatele, eail created and dicarded. Container

ue a concept commonl called andoxing to iolate an dik write from the underling hot. Once a container ha een tarted, all write action

uch a �le tem modi�cation, regitr modi�cation or o�ware intallation are captured in thi andox laer (ee Figure 2).

 (~/media/ECG/redmondmag/Images/2016/09/0916red_F2Docker_Figure2_hires.ashx) [Click on image for larger view.]

Figure 2. Container Storage Overview

In the center of Figure 2 ou can ee a running container uilt from two eparate container image. The container would ee thee a eparate

directorie. Thee image are unchanged when the container run. All of the container change are captured in the andox and  default would e

dicarded when the container i topped.

That all ound great, ut what if ou want to perit the change made from a container? There are a couple of wa that torage change are

perited uing container. You can ave our container with it change a a new image or ou can mount an exiting director from the hot on the

container.

You can mount a volume uing the -v parameter of the Docker run command. Thi will enale all �le from the hot director to e availale in the

container. An �le created  the container or change to �le in the mounted volume will e tored on the hot. You can mount the ame hot volume

to multiple container uing: docker run -it -v c:\ource:c:\containerdir windowervercore cmd.

A ingle �le can e mounted  pecifing the �le name intead of the director name.

[Page 1 of 3. The article continues at http://redmondmag.com/articles/2016/09/01/containers-vs-virtual-machines.aspx?page=2 and ?page=3.]


Intro_Containers_VMs_Docker.pdf

7/29/2017 A Beginner-Friendly Introduction to Containers, VMs and Docker

https://medium.freecodecamp.org/a-beginner-friendly-introduction-to-containers-vms-and-docker-79a9e3e119b 1/16

Preethi Kasireddy Software/Systems Engineer with a passion for understanding things at a fundamental level and sharing … Mar 4, 2016 · 13 min read


If you're a programmer or techie, chances are you've at least heard of Docker: a helpful tool for packing, shipping, and running applications within "containers." It'd be hard not to, with all the attention it's getting these days, from developers and system admins alike. Even the big dogs like Google, VMware and Amazon are building services to support it.

Source: https://flipboard.com/topic/container

Regardless of whether or not you have an immediate use-case in mind for Docker, I still think it's important to understand some of the fundamental concepts around what a "container" is and how it compares to a Virtual Machine (VM). While the Internet is full of excellent usage guides for Docker, I couldn't find many beginner-friendly conceptual guides, particularly on what a container is made up of. So, hopefully, this post will solve that problem :)

Let's start by understanding what VMs and containers even are.

What are "containers" and "VMs"?

Containers and VMs are similar in their goals: to isolate an application and its dependencies into a self-contained unit that can run anywhere.

Moreover, containers and VMs remove the need for dedicated physical hardware per application, allowing for more efficient use of computing resources, both in terms of energy consumption and cost effectiveness.

The main difference between containers and VMs is in their architectural approach. Let's take a closer look.

Virtual Machines

A VM is essentially an emulation of a real computer that executes programs like a real computer. VMs run on top of a physical machine using a "hypervisor". A hypervisor, in turn, runs on either a host machine or on "bare-metal".

Let's unpack the jargon:

A hypervisor is a piece of software, firmware, or hardware that VMs run on top of. The hypervisors themselves run on physical computers, referred to as the "host machine". The host machine provides the VMs with resources, including RAM and CPU. These resources are divided between VMs and can be distributed as you see fit. So if one VM is running a more resource-heavy application, you might allocate more resources to that one than to the other VMs running on the same host machine.

The VM that is running on the host machine (again, using a hypervisor) is also often called a "guest machine." This guest machine contains both the application and whatever it needs to run that application (e.g. system binaries and libraries). It also carries an entire virtualized hardware stack of its own, including virtualized network adapters, storage, and CPU, which means it also has its own full-fledged guest operating system. From the inside, the guest machine behaves as its own unit with its own dedicated resources. From the outside, we know that it's a VM, sharing resources provided by the host machine.

As mentioned above, a guest machine can run on either a hosted hypervisor or a bare-metal hypervisor. There are some important differences between them.

First off, a hosted hypervisor runs on the operating system of the host machine. For example, a computer running OS X can have a hosted hypervisor installed on top of that OS (e.g. VirtualBox or VMware Fusion; VMware Workstation 8 is the Windows/Linux equivalent) and run VMs inside it. The hypervisor doesn't have direct access to hardware, so it has to go through the host operating system (in our case, the Mac's OS X).

The benefit of a hosted hypervisor is that the underlying hardware is less important. The host's operating system is responsible for the hardware drivers instead of the hypervisor itself, and is therefore considered to have more "hardware compatibility." On the other hand, this additional layer in between the hardware and the hypervisor creates more resource overhead, which lowers the performance of the VM.

A bare-metal hypervisor environment tackles the performance issue by installing on and running from the host machine's hardware. Because it interfaces directly with the underlying hardware, it doesn't need a host operating system to run on. In this case, the first thing installed on a host machine's server as the operating system will be the hypervisor. Unlike the hosted hypervisor, a bare-metal hypervisor has its own device drivers and interacts with each component directly for any I/O, processing, or OS-specific tasks. This results in better performance, scalability, and stability. The tradeoff here is that hardware compatibility is limited because the hypervisor can only have so many device drivers built into it.

After all this talk about hypervisors, you might be wondering why we need this additional "hypervisor" layer in between the VM and the host machine at all.

Well, since the VM has a virtual operating system of its own, the hypervisor plays an essential role in providing the VMs with a platform to manage and execute this guest operating system. It allows host computers to share their resources amongst the virtual machines that are running as guests on top of them.

As you can see in the diagram, VMs package up the virtual hardware, a kernel (i.e. OS) and user space for each new VM.

Virtual Machine Diagram

Container

Unlike a VM, which provides hardware virtualization, a container provides operating-system-level virtualization by abstracting the "user space". You'll see what I mean as we unpack the term container.

For all intents and purposes, containers look like a VM. For example, they have private space for processing, can execute commands as root, have a private network interface and IP address, allow custom routes and iptables rules, can mount file systems, and so on.

The one big difference between containers and VMs is that containers *share* the host system's kernel with other containers. That is also the security-relevant difference: unless user namespaces are in use, "root" inside a container is the same uid 0 the host kernel knows, so a kernel bug or an over-permissive mount reaches the host directly.

This diagram shows you that containers package up just the user space, and not the kernel or virtual hardware like a VM does. Each container gets its own isolated user space to allow multiple containers to run on a single host machine. We can see that all the operating-system-level architecture is being shared across containers. The only parts that are created from scratch are the bins and libs. This is what makes containers so lightweight.

Where does Docker come in?

Docker is an open-source project based on Linux containers. It uses Linux kernel features like namespaces and control groups to create containers on top of an operating system.

Container Diagram

Containers are far from new; Google has been using its own container technology for years. Other container technologies include Solaris Zones, BSD jails, and LXC on Linux, which have been around for many years.

So why is Docker all of a sudden gaining steam?

1. Ease of use: Docker has made it much easier for anyone (developers, systems admins, architects and others) to take advantage of containers in order to quickly build and test portable applications. It allows anyone to package an application on their laptop, which in turn can run unmodified on any public cloud, private cloud, or even bare metal. The mantra is: "build once, run anywhere."

2. Speed: Docker containers are very lightweight and fast. Since containers are just sandboxed environments running on the kernel, they take up fewer resources. You can create and run a Docker container in seconds, compared to VMs, which might take longer because they have to boot up a full virtual operating system every time.

3. Docker Hub: Docker users also benefit from the increasingly rich ecosystem of Docker Hub, which you can think of as an "app store for Docker images." Docker Hub has tens of thousands of public images created by the community that are readily available for use. It's incredibly easy to search for images that meet your needs, ready to pull down and use with little-to-no modification. Treat those images as third-party code, though: check who published them and pin the exact image digest rather than a mutable tag before running them anywhere that matters.

4. Modularity and Scalability: Docker makes it easy to break out your application's functionality into individual containers. For example, you might have your Postgres database running in one container and your Redis server in another, while your Node.js app is in another. With Docker, it's become easier to link these containers together to create your application, making it easy to scale or update components independently in the future.

Last but not least, who doesn't love the Docker whale? ;)

Fundamental Docker Concepts

Now that we've got the big picture in place, let's go through the fundamental parts of Docker piece by piece:

Source: https://www.docker.com/docker-birthday

Docker Engine

Docker engine is the layer on which Docker runs. It's a lightweight runtime and tooling that manages containers, images, builds, and more. It runs natively on Linux systems and is made up of:

1. A Docker Daemon that runs in the host computer.

2. A Docker Client that then communicates with the Docker Daemon to execute commands.

3. A REST API for interacting with the Docker Daemon remotely.

Docker Client

The Docker Client is what you, as the end-user of Docker, communicate with. Think of it as the UI for Docker. For example, when you do

docker build -t iampeekay/someimage .

you are communicating with the Docker Client, which then communicates your instructions to the Docker Daemon.

Docker Daemon

The Docker daemon is what actually executes commands sent to the Docker Client, like building, running, and distributing your containers. The Docker Daemon runs on the host machine, but as a user, you never communicate directly with the Daemon. The Docker Client can run on the host machine as well, but it's not required to. It can run on a different machine and communicate with the Docker Daemon that's running on the host machine. Keep in mind that the daemon runs as root: anyone who can reach its Unix socket or its remote API can start a container that mounts the host's file system, so access to the socket is equivalent to root on the host, and a remote API must be protected with TLS client certificates or not exposed at all.

Dockerfile

A Dockerfile is where you write the instructions to build a Docker image. These instructions can be:

RUN apt-get -y install some-package: to install a software package

EXPOSE 8000: to expose a port

ENV ANT_HOME /usr/local/apache-ant: to pass an environment variable

and so forth. Once you've got your Dockerfile set up, you can use the docker build command to build an image from it. Here's an example of a Dockerfile:

# Start with ubuntu 14.04
FROM ubuntu:14.04
MAINTAINER preethi kasireddy [email protected]

# For SSH access and port redirection
# (An ENV value is baked into the image metadata and is visible to anyone who
# can run docker history or docker inspect on the image; never put a real
# credential here.)
ENV ROOTPASSWORD sample

# Turn off prompts during installations
ENV DEBIAN_FRONTEND noninteractive
RUN echo "debconf shared/accepted-oracle-license-v1-1 select true" | debconf-set-selections
RUN echo "debconf shared/accepted-oracle-license-v1-1 seen true" | debconf-set-selections

# Update packages
RUN apt-get -y update

# Install system tools / libraries
RUN apt-get -y install python3-software-properties \
    software-properties-common \
    bzip2 \
    ssh \
    net-tools \
    vim \
    curl \
    expect \
    git \
    nano \
    wget \
    build-essential \
    dialog \
    make \
    checkinstall \
    bridge-utils \
    virt-viewer \
    python-pip \
    python-setuptools \
    python-dev

# Install Node, npm
# (RUN already executes as root, so sudo is unnecessary, and it is not present
# in the ubuntu:14.04 base image. Piping a downloaded script straight into bash
# runs unverified code at build time; download it, inspect it, then run it.)
RUN curl -sL https://deb.nodesource.com/setup_4.x | bash -
RUN apt-get install -y nodejs

# Add oracle-jdk7 to repositories
RUN add-apt-repository ppa:webupd8team/java

# Make sure the package repository is up to date
# (This appends a precise (12.04) pocket to a 14.04 image, as in the original;
# mixing releases this way can pull in incompatible packages.)
RUN echo "deb http://archive.ubuntu.com/ubuntu precise main universe" >> /etc/apt/sources.list

# Update apt
RUN apt-get -y update

# Install oracle-jdk7
RUN apt-get -y install oracle-java7-installer

Sample Dockerfile

Docker Image

Images are read-only templates that you build from a set of instructions written in your Dockerfile. Images define both what you want your packaged application and its dependencies to look like *and* what processes to run when it's launched.

The Docker image is built using a Dockerfile. Each instruction in the Dockerfile adds a new "layer" to the image, with layers representing a portion of the image's file system that either adds to or replaces the layer below it. Layers are key to Docker's lightweight yet powerful structure. One consequence worth remembering: a file added in one layer and deleted in a later one is still present in the image, because the deletion is only recorded in the upper layer. Docker uses a Union File System to achieve this:

Union File Systems

Docker uses Union File Systems to build up an image. You can think of a Union File System as a stackable file system, meaning files and directories of separate file systems (known as branches) can be transparently overlaid to form a single file system.

The contents of directories which have the same path within the overlaid branches are seen as a single merged directory, which avoids the need to create separate copies of each layer. Instead, they can all be given pointers to the same resource; when a file in a lower layer needs to be modified, the union file system copies it up into the writable top layer and modifies that copy, leaving the original unchanged. That's how file systems can *appear* writable without the underlying image layers ever being written to (in other words, a "copy-on-write" system).

Layered systems offer two main benefits:

1. Duplication-free: layers help avoid duplicating a complete set of files every time you use an image to create and run a new container, making instantiation of docker containers very fast and cheap.

2. Layer segregation: Making a change is much faster; when you change an image, Docker only propagates the updates to the layer that was changed.

Volumes

Volumes are the "data" part of a container, initialized when a container is created. Volumes allow you to persist and share a container's data. Data volumes are separate from the default Union File System and exist as normal directories and files on the host filesystem. So, even if you destroy, update, or rebuild your container, the data volumes will remain untouched. When you want to update a volume, you make changes to it directly. (As an added bonus, data volumes can be shared and reused among multiple containers, which is pretty neat.) Because a volume bypasses the image layers, whatever a container writes there lands on the host; a bind mount of a host directory therefore hands the container whatever access the daemon has to that directory, so mount host paths narrowly, and read-only where you can.
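The sandbox layer and -v host mount described in the Redmond piece above, and the union file system, layers and volumes described in this article, all follow from one rule: image layers are never written to, a container writes only to its own top layer, and a volume is a host directory that sits outside the layers altogether. The following is an added example written for this page, not Docker's implementation: a toy union file system that models read-only image layers, a writable container layer with whiteouts for deletions, commit (docker commit) and removal (docker rm), and a host-mounted volume shared between two containers. The paths, layer contents and host directory are constructed for the demonstration.

```python
"""Toy model of container storage: read-only image layers, one writable
container ("sandbox") layer, whiteouts, commit, removal and a host volume.
Added example for this page; not Docker's own implementation."""

WHITEOUT = object()  # marks "deleted in this layer", like an overlayfs whiteout


class ContainerFS:
    def __init__(self, image_layers):
        # image_layers: list of {path: bytes}, bottom layer first; never mutated
        self.layers = [dict(layer) for layer in image_layers]
        self.sandbox = {}   # the only layer this container may write to
        self.volumes = {}   # container dir (with trailing '/') -> host dict

    def mount_volume(self, container_dir, host_dir):
        """docker run -v host_dir:container_dir; host_dir is a dict standing in
        for a host directory, shared by reference between containers."""
        self.volumes[container_dir.rstrip("/") + "/"] = host_dir

    def _volume_for(self, path):
        for prefix, host in self.volumes.items():
            if path.startswith(prefix):
                return host, path[len(prefix):]
        return None, None

    def read(self, path):
        """Merged view: volume first, then sandbox, then image layers top-down."""
        host, rel = self._volume_for(path)
        if host is not None:
            return host.get(rel)
        for layer in [self.sandbox, *reversed(self.layers)]:
            if path in layer:
                data = layer[path]
                return None if data is WHITEOUT else data
        return None

    def write(self, path, data):
        """Image layers are never written: volume writes go to the host,
        everything else lands in the sandbox (copy-on-write)."""
        host, rel = self._volume_for(path)
        if host is not None:
            host[rel] = data
        else:
            self.sandbox[path] = data

    def delete(self, path):
        host, rel = self._volume_for(path)
        if host is not None:
            host.pop(rel, None)
        else:
            self.sandbox[path] = WHITEOUT  # lower copies survive underneath

    def commit(self):
        """docker commit: freeze the sandbox as a new read-only top layer and
        return the new image. Volume contents are deliberately not included."""
        return [*self.layers, dict(self.sandbox)]

    def remove(self):
        """docker rm: the sandbox is discarded; image layers and host data stay."""
        self.sandbox = {}


def demo():
    """Walk a container through write, delete, commit and removal and return
    what each step shows. Layer contents and paths are made up."""
    base = {"/bin/sh": b"shell", "/etc/passwd": b"root:x:0:0"}
    app = {"/app/server.py": b"print('hi')"}
    host_dir = {}  # stands in for c:\source or /srv/data on the host
    c1 = ContainerFS([base, app])
    c1.mount_volume("/data", host_dir)

    c1.write("/app/config.json", b'{"debug": true}')  # captured in sandbox
    c1.delete("/etc/passwd")                           # whiteout in sandbox
    c1.write("/data/out.log", b"line1")                # goes straight to host
    before = {
        "config": c1.read("/app/config.json"),
        "passwd": c1.read("/etc/passwd"),
        "base_untouched": "/etc/passwd" in c1.layers[0],
    }

    image2 = c1.commit()
    c1.remove()
    after = {
        "config": c1.read("/app/config.json"),  # gone with the sandbox
        "passwd": c1.read("/etc/passwd"),       # whiteout gone, file visible again
        "host_log": host_dir.get("out.log"),    # survived docker rm
    }

    c2 = ContainerFS(image2)                    # second container, same host dir
    c2.mount_volume("/data", host_dir)
    return {
        "before": before,
        "after": after,
        "image2_layer_count": len(image2),
        "image2_has_config": c2.read("/app/config.json"),
        "image2_hides_passwd": c2.read("/etc/passwd"),
        "whiteout_in_top_layer": image2[-1].get("/etc/passwd") is WHITEOUT,
        "passwd_bytes_still_in_image": image2[0].get("/etc/passwd"),
        "image2_contains_log": any("/data/out.log" in layer for layer in image2),
        "c2_sees_host_log": c2.read("/data/out.log"),
    }
```

Two things the model makes visible that the prose only implies: after commit, the deleted /etc/passwd is still present in the bottom layer of the new image (the whiteout hides it, it does not erase it), and the file written under /data never appears in any image layer, only on the host, where the second container sees it immediately.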

Docker Containers

A Docker container, as discussed above, wraps an application's software into an invisible box with everything the application needs to run. That includes the operating system's user space (system tools and libraries), the application code and its runtime, and so on; the kernel itself is the host's. Docker containers are built off Docker images. Since images are read-only, Docker adds a read-write file system over the read-only file system of the image to create a container.

Moreover, when creating the container, Docker creates a network interface so that the container can talk to the local host, attaches an available IP address to the container, and executes the process that you specified to run your application when defining the image.

Once you've successfully created a container, you can then run it in any environment without having to make changes.

Double-clicking on "containers"

Phew! That's a lot of moving parts. One thing that always got me curious was how a container is actually implemented, especially since there isn't any abstract infrastructure boundary around a container. After lots of reading, it all makes sense, so here's my attempt at explaining it to you! :)

The term "container" is really just an abstract concept to describe how a few different kernel features work together to produce what we call a "container". Let's run through them real quick:

1) Namespaces

Namespaces provide containers with their own view of the underlying Linux system, limiting what the container can see and access. When you run a container, Docker creates namespaces that the specific container will use.

Source: Docker

There are several different types of namespaces in a kernel that Docker makes use of, for example:

a. NET: Provides a container with its own view of the network stack of the system (e.g. its own network devices, IP addresses, IP routing tables, /proc/net directory, port numbers, etc.).

b. PID: PID stands for Process ID. If you've ever run ps aux in the command line to check what processes are running on your system, you'll have seen a column named "PID". The PID namespace gives containers their own scoped view of processes they can view and interact with, including an independent init (PID 1), which is the "ancestor of all processes".

c. MNT: Gives a container its own view of the "mounts" on the system. So, processes in different mount namespaces have different views of the filesystem hierarchy.

d. UTS: UTS stands for UNIX Timesharing System. It allows a process to identify system identifiers (i.e. hostname, domainname, etc.). UTS allows containers to have their own hostname and NIS domain name that is independent of other containers and the host system.

e. IPC: IPC stands for InterProcess Communication. The IPC namespace is responsible for isolating IPC resources between processes running inside each container.

f. USER: This namespace is used to isolate users within each container. It functions by allowing containers to have a different view of the uid (user ID) and gid (group ID) ranges, as compared with the host system. As a result, a process's uid and gid can be different inside and outside a user namespace, which also allows a process to be an unprivileged user outside a container without sacrificing root privilege inside the container. Note that Docker does not place containers in a user namespace by default; the daemon has to be started with user namespace remapping enabled (--userns-remap). Without it, uid 0 in the container is uid 0 on the host.

Docker uses these namespaces together in order to isolate and begin the creation of a container. The next feature is called control groups.

2) Control groups

Control groups (also called cgroups) is a Linux kernel feature that isolates, prioritizes, and accounts for the resource usage (CPU, memory, disk I/O, network, etc.) of a set of processes. In this sense, a cgroup ensures that Docker containers only use the resources they need and, if needed, sets up limits to what resources a container *can* use. Cgroups also ensure that a single container doesn't exhaust one of those resources and bring the entire system down. The limits are not applied on their own, though: a container started without flags such as --memory or --cpus can consume everything the host has, so set them explicitly for anything untrusted.

Lastly, union file systems is another feature Docker uses:

3) Isolated Union file system:

Described above in the Docker Images section :)

This is really all there is to a Docker container (of course, the devil is in the implementation details, like how to manage the interactions between the various components).
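The three features just listed leave traces that a process can inspect about itself without any privilege, which is the practical check for "am I actually isolated?" The following is an added example written for this page, not Docker code: it reads the process's namespace identifiers from /proc and compares them with PID 1's, looks for a container ID in /proc/self/cgroup, and reads the cgroup memory limit, treating both the v1 and v2 ways of saying "unlimited" as no limit. The cgroup lines and limit values used as samples are constructed, not captured from a real host.

```python
"""Check how isolated the current process really is: which Linux namespaces
it shares with PID 1, whether its cgroup path names a container, and what
memory limit its cgroup imposes. Added example for this page, not Docker
code; the cgroup and memory-limit strings below are constructed samples."""

import os
import re

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def read_namespaces(pid="self"):
    """Map namespace type -> 'type:[inode]' as reported by /proc/<pid>/ns/*.
    None where the link cannot be read (non-Linux, old kernel, or no
    permission to inspect another user's process)."""
    out = {}
    for ns in NS_TYPES:
        try:
            out[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            out[ns] = None
    return out


def shared_namespaces(ns_a, ns_b):
    """Namespace types in which two processes see the same namespace. A
    'container' that shares mnt, pid and net with PID 1 is not isolated
    from the host in those dimensions (e.g. docker run --pid=host)."""
    return {t for t in NS_TYPES if ns_a.get(t) is not None and ns_a[t] == ns_b.get(t)}


_RUNTIME_MARKERS = ("docker", "containerd", "libpod", "kubepods", "lxc")
_HEX64 = re.compile(r"[0-9a-f]{64}")


def container_id_from_cgroup(cgroup_text):
    """Return the 64-hex container ID if a /proc/<pid>/cgroup line names a
    container runtime path (v1 '12:memory:/docker/<id>' or systemd-style
    '/system.slice/docker-<id>.scope'), otherwise None."""
    for line in cgroup_text.splitlines():
        if any(marker in line for marker in _RUNTIME_MARKERS):
            m = _HEX64.search(line)
            if m:
                return m.group(0)
    return None


def parse_memory_limit(raw):
    """Bytes allowed by cgroup v2 memory.max or v1 memory.limit_in_bytes.
    None means 'no limit': v2 writes the word 'max', v1 a near-2^63 sentinel."""
    raw = raw.strip()
    if raw == "max":
        return None
    value = int(raw)
    return None if value >= 2 ** 62 else value


def memory_limit_bytes():
    """Memory limit of the calling process's own cgroup, or None."""
    for path in ("/sys/fs/cgroup/memory.max",                     # cgroup v2
                 "/sys/fs/cgroup/memory/memory.limit_in_bytes"):  # cgroup v1
        try:
            with open(path) as f:
                return parse_memory_limit(f.read())
        except (OSError, ValueError):
            continue
    return None


def isolation_report():
    """Gather the checks above for the running process."""
    mine, init = read_namespaces("self"), read_namespaces("1")
    try:
        with open("/proc/self/cgroup") as f:
            cgroup_text = f.read()
    except OSError:
        cgroup_text = ""
    return {
        "shared_with_pid1": sorted(shared_namespaces(mine, init)),
        "container_id": container_id_from_cgroup(cgroup_text),
        "memory_limit": memory_limit_bytes(),
    }


# Constructed samples (not captured from a real host).
SAMPLE_ID = "3f2a" * 16
SAMPLE_CGROUP_DOCKER_V1 = f"12:memory:/docker/{SAMPLE_ID}\n1:name=systemd:/docker/{SAMPLE_ID}\n"
SAMPLE_CGROUP_SYSTEMD = f"0::/system.slice/docker-{SAMPLE_ID}.scope\n"
SAMPLE_CGROUP_HOST = "0::/user.slice/user-1000.slice/session-3.scope\n"

if __name__ == "__main__":
    print(isolation_report())
```

If shared_with_pid1 comes back containing mnt, pid or net, the process is in the host's namespaces for those resources (as with --pid=host or --net=host), whatever the cgroup path says; a memory_limit of None means nothing stops the container from exhausting host memory.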

The Future of Docker: Docker and VMs Will Co-exist

While Docker is certainly gaining a lot of steam, I don't believe it will become a real threat to VMs. Containers will continue to gain ground, but there are many use cases where VMs are still better suited.

For instance, if you need to run multiple applications on multiple servers, it probably makes sense to use VMs. On the other hand, if you need to run many *copies* of a single application, Docker offers some compelling advantages.

Moreover, while containers allow you to break your application into more functional discrete parts to create a separation of concerns, it also means there's a growing number of parts to manage, which can get unwieldy.

Security has also been an area of concern with Docker containers; since containers share the same kernel, the barrier between containers is thinner. While a full VM can only reach the host through the narrow hypervisor interface (VM exits and hypercalls), a Docker container can make any system call the host kernel exposes (Docker's default seccomp profile trims the list, but hundreds remain), which creates a larger surface area for attack: one kernel bug reachable through a syscall compromises every container on the host. When security is particularly important, developers are likely to pick VMs, which are isolated by abstracted hardware, making it much more difficult for them to interfere with each other.

Of course, issues like security and management are certain to evolve as containers get more exposure in production and further scrutiny from users. For now, the debate about containers vs. VMs is really best left to dev ops folks who live and breathe them every day!

Conclusion

I hope you're now equipped with the knowledge you need to learn more about Docker and maybe even use it in a project one day.

As always, drop me a line in the comments if I've made any mistakes or can be helpful in any way! :)