What is the difference between a process, a container, and a VM?

“What is the difference between a process and a container?”

  1. What problem does each technology solve; how does the end user/end system interact with it. This addresses how “containers are like a VM”.
  2. How the implementation of the technology differs. Mainly looking deeper into how each technology is isolated from the operating system. This addresses how “containers are not like a VM”.

Overview

  • What is a process, why do we need them.
  • What is a container, what are they used for.
  • What is a virtual machine, what are their use cases.
  • Compare a process to a container to a virtual machine.

What is a process?

  1. A process gets its own memory space.
  2. A process has restricted privileges. A process gets the same privileges as the user that created the process.

What is a container?

  • namespaces = Namespaces are the feature that makes the container look and feel like it is an entirely separate machine.
  • cgroups = A way to group processes together in the kernel and limit resources for that grouping. These were developed at Google in 2006 and were first called “process containers”.
  • capabilities = A list of the superuser privileges that can be enabled or disabled for a process.

A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.

  1. Cgroup — isolates the cgroup root directory, i.e. the process's view of the cgroup hierarchy
  2. IPC — isolates interprocess communication
  3. Network — isolates the network stack
  4. Mount — isolates mount points
  5. PID — isolates process IDs
  6. User — isolates User and Group IDs
  7. UTS — isolates hostnames and domain names
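The three building blocks above (capabilities, cgroups, namespaces) are all visible in /proc on Linux. The following is an added example, not code from the original article: it decodes the CapEff capability bitmask that /proc/<pid>/status reports and compares the namespace ids two processes expose under /proc/<pid>/ns/, which is how you check whether a "container" actually got its own PID, mount, network, user, etc. namespace. The function names and the sample namespace ids are constructed for this example; CapEff, /proc/<pid>/ns/ and the capability numbering are real Linux interfaces.

```python
"""Inspect the building blocks of a container from /proc (added example)."""
import os

# Capability bit numbers as defined in <linux/capability.h> (bit 0 = CAP_CHOWN).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin "
    "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
    "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
    "sys_tty_config mknod lease audit_write audit_control setfcap "
    "mac_override mac_admin syslog wake_alarm block_suspend audit_read "
    "perfmon bpf checkpoint_restore"
).split()

# Link names under /proc/<pid>/ns/ (the page's "Mount" namespace is "mnt" there).
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def decode_caps(cap_hex):
    """Turn a CapEff/CapBnd hex mask from /proc/<pid>/status into cap names."""
    mask = int(cap_hex, 16)
    return sorted(f"cap_{n}" for i, n in enumerate(CAP_NAMES) if mask >> i & 1)


def shared_namespaces(ns_a, ns_b):
    """Given {type: 'pid:[4026531836]'} maps (the readlink() targets) for two
    processes, return the namespace types whose ids are equal, i.e. where
    the two processes are NOT isolated from each other."""
    return sorted(t for t in NS_TYPES if ns_a.get(t) == ns_b.get(t))


def read_live_process(pid="self"):
    """Collect CapEff and namespace links for a real process (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        caps = next(line.split()[1] for line in f if line.startswith("CapEff:"))
    ns = {t: os.readlink(f"/proc/{pid}/ns/{t}") for t in NS_TYPES}
    return caps, ns


# Constructed sample: a shell on the host vs. a process in a container that got
# its own ipc/mnt/net/pid/uts namespaces but still shares the host's user and
# cgroup namespaces (a common, weaker-isolation configuration).
HOST_NS = {t: f"{t}:[4026531830]" for t in NS_TYPES}
CONTAINER_NS = dict(HOST_NS, ipc="ipc:[4026532453]", mnt="mnt:[4026532450]",
                    net="net:[4026532455]", pid="pid:[4026532452]",
                    uts="uts:[4026532451]")
SAMPLE_CAPEFF = "00000000a80425fb"  # constructed: a reduced container cap set

if __name__ == "__main__":
    print("container caps:", decode_caps(SAMPLE_CAPEFF))
    print("namespaces shared with host:", shared_namespaces(HOST_NS, CONTAINER_NS))
```

On a Linux host, `read_live_process(<pid>)` for a containerised process and for your shell feeds the same two functions with real data.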

What is a virtual machine (VM)?

Process vs Container vs VM

  • Processes have little default isolation at the operating system (OS) level: mainly they get an isolated memory space and the privileges of the user that started them.
  • A container is a process (or a group of processes), but with more isolation from the OS than your run-of-the-mill process, BUT with less isolation than a VM, which comes with the tradeoff of weaker security.
  • Virtual machines have full isolation at the OS level, meaning each one runs a complete, separate operating system on top of the host's hardware. The full isolation comes at the tradeoff of more resource usage to run a VM.
  • Process: the OS needs a construct in which to store the state of a running program (its CPU registers, memory, open files); that construct is the process.
  • Containers: create isolated environments in which to run applications.
  • VMs: provide a way to run different operating systems on the same host machine, and in turn run many applications in fully isolated environments.
