Chapter 5. Virtual Machines

Containers are often compared with virtual machines (VMs), especially in terms of the isolation that they offer. Let’s make sure you have a solid understanding of how VMs operate so that you can reason about the differences between them and containers. This will be particularly useful when you want to assess the security boundaries around your applications when they run in containers, or in different VMs. When you are discussing the relative merits of containers from a security perspective, understanding how they differ from VMs can be a useful tool.

This isn’t a black-and-white distinction, really. As you’ll see in Chapter 8, there are several sandboxing tools that strengthen the isolation boundaries around containers, making them more like VMs. If you want to understand the security pros and cons of these approaches, it’s best to start with a firm understanding of the difference between a VM and a “normal” container.

The fundamental difference is that a VM runs an entire copy of an operating system, including its kernel, whereas a container shares the host machine’s kernel. To understand what that means, you’ll need to know something about how virtual machines are created and managed by a Virtual Machine Monitor (VMM). Let’s start to set the scene for that by thinking about what happens when a computer boots up.

Booting Up a Machine

Picture a physical server. It has some CPUs, memory, and networking interfaces. When you first boot up the machine, ...