Docker vs Virtual Machines

The virtualization of physical hardware resources has been one of the most promising trends of the 21st century. There has been a silent agreement that modern computing needs to move beyond the confines of physical hardware.

As two of the most popular virtual resource solutions on the market, Docker and virtual machines (VM) have been instrumental in driving the transition towards virtualized resource management.

However, many people are unsure which one to choose. Depending on who you ask, Docker and virtual machines each have their own distinct advantages. In this article, we’re going to look at the Docker vs virtual machines debate to see which advantages each can bring to your organization.

What is Docker?

Docker is an open source tool that uses containers to create, deploy, and manage distributed applications. Developers use containers to create packages for applications that include all the core components (like libraries) that are needed to run the application in isolation. Isolating the container from the machine it’s running on ensures that the application will run even if users are running custom settings on their Linux machine, and serves to minimize the use of computer resources.

Ever since Docker was released in 2014 it has achieved a critically-acclaimed status. Many organizations opt to use Docker over virtual machines because of the performance benefits it has to offer. Today companies like Visa and PayPal have deployed Docker to help to manage their applications.

What is a Virtual Machine?

A virtual machine is a file (often called a hypervisor) that acts as a physical computer. A virtual machine uses the physical resources of the device it is operating on to replicate the environment of a physical device. Just like any other program, the virtual machine has its own window on your device. You can run multiple virtual machines on one device.

While a virtual machine uses the computer’s resources to function, it actually provides its own virtual hardware. The virtual hardware of a virtual machine includes CPU, memory, hard drives, and network interfaces. To keep the computer efficient, this virtual hardware is then mapped to the physical hardware of the device.

Virtual machines are isolated from the system of the physical device and operate within a sandbox. In other words, a virtual machine is entirely self-contained. This makes them ideal for creating backups and running software. The most popular products on the market are VMware and VirtualBox.

Why do I need to Use Docker?

One of the main reasons companies use Docker is as an alternative to virtual machines. Docker is used as an alternative because containers are more lightweight in terms of resources than virtual machines. Containers share an operating system, whereas virtual machines are designed to emulate virtual hardware. By sharing an operating system, Docker applications can run while consuming a fraction of the resources of a virtual machine.

Docker uses the Docker Engine, which runs on a single Linux instance, rather than the resource-intensive virtual hardware that virtual machines emulate. This structure means that Docker containers have the potential to sustain over five times the number of server application instances you could with a virtual machine. Docker’s widespread adoption has also been aided by the fact that developers can add their own code to customize and deploy lean applications. These applications can then be deployed straight onto machines or in the cloud.

Why Do I Need a Virtual Machine?

Though Docker has the edge with regards to its resource footprint, virtual machines remain incredibly important to modern organizations. They still provide a reliable means to limit the costs that come with physical hardware. Virtualizing your infrastructure with virtual machines makes for more efficient use of your network resources. For example, you don’t have to fork out for the power and cooling to sustain a virtual machine the way you would for a physical computer.

You can also provision resources much more efficiently with virtual machines. Virtual machines can be migrated from physical server to server to ensure that computing resources are being spread out evenly among devices. Administrators can juggle virtual machines about so that physical storage and processing capabilities are allocated evenly between multiple machines.

Virtual machines also decrease the risk of your infrastructure failing. Whereas a physical device can face performance degradation and fail over time, virtual hardware can’t. As a consequence, many administrators have started to use virtual machines as a disaster recovery solution and to back up their data.


Docker vs Virtual Machines Head to Head

VM                          Container
Less efficient              More efficient
VMs run their own OS        Containers share a host OS
Hardware virtualization     OS virtualization
More secure (segregated)    Less secure (process-level isolation)

Performance

As you can see, Docker does have some inherent advantages delivered by its structure. Containers can share a kernel and application libraries in a way that virtual machines can’t. Likewise, Docker requires fewer computing resources than virtual machines, which delivers a better experience inside the application.

In practice, Docker is less resource-intensive and can start up much quicker than virtual machines. The reason is that virtual machines have to load up an OS with each startup. Similarly, you don’t need to allocate resources to containers up front as you do with virtual machines.

Management

In terms of management, each of these technologies offers a more flexible approach toward resource provisioning. However, both of these technologies still need to be managed effectively in order to function well within your environment. With container technology, it comes down to managing security concerns and making sure that the shared operating system doesn’t encounter any faults.

With virtual machines, the complexity comes down to managing virtual resources. For example, you need the bandwidth and processing capacity to support virtual machines (particularly if you’re running multiple virtual machines on one device). If you don’t allocate the necessary resources then the virtual machines aren’t going to run effectively.

The administrator also needs to take into account how they reconcile virtual machine usage with the resources available throughout the network. While being able to move virtual machines is great for using resources more efficiently, it brings with it the need to make sure that resources are spread out evenly. This is also true of Docker but is less of an issue due to its lightweight performance.

Of course, even if you manage your resources perfectly there are still a number of risks associated with virtual machines. There is the risk of exceeding available resources or a single hardware failure wiping out a bunch of virtual machines in one go. This puts extra pressure on the administrator to stay on top of every little usage detail. This problem isn’t unique to virtual machines but it is certainly more of a problem for them than it is for Docker containers.

Portability

The portability of each technology is relevant to those looking to optimize networking resources. Docker containers are self-contained packages that run the required application. Docker containers can be ported easily because they don’t have separate OS’s. Once they have been ported they can start up in a matter of seconds making them the more portable alternative.

In contrast, virtual machines aren’t as portable because they each have their own OS. This makes them cumbersome as the OS can’t be ported to another platform and function well. In environments where you need to deploy a variety of applications on different platforms, you’re better off with Docker. Keeping the application segregated from the host device’s operating system makes sure that the applications can run without any unnecessary interruptions.

Security

One of the key areas of dispute between support of virtual machines and Docker is on which setup is more secure. This is a particularly complex area because there are many factors to discuss from the innate vulnerabilities of Docker to the single point of failure of a virtual machine’s hypervisor. In this section, we’re going to look at the two greatest threats to the security of each of these technologies.

OS Segregation

Both Docker and virtual machines segregate applications from one another. This means that if one application is compromised then it can’t affect other applications. In theory, this provides the perfect protection, but Docker has one underlying problem: all applications share one operating system. If the operating system is breached from a compromised application then an attack could affect all containers at once.

Virtual machines stave off this problem by keeping the OS used to control the application separate from the hypervisor that interacts with the hardware. There is an OS that the user can interact with to use the application but it doesn’t allow them to interact with hardware. This means that if an application has a fault then it is extremely unlikely to have an adverse effect on the host system’s hardware.

In this sense, virtual machines offer more security against OS faults and security breaches than Docker containers. The model of application separation that Docker uses to optimize resource usage comes at the cost of security. Virtual machines have the advantage because they keep the OS separate from the hardware to minimize any risk of damage.
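Because every container shares the host kernel, the practical question for a defender is how much of that kernel each container is allowed to touch. The following added example (not code from the original article or from the Docker project) audits the settings that matter for that: it reads records shaped like `docker inspect` output and flags configurations that weaken process-level isolation. The two container records are constructed for illustration, not captured from a real host.

```python
"""Audit container settings that weaken process-level isolation.
Added example; the input mimics the Config/HostConfig keys of
`docker inspect` output. The sample records are constructed."""
import json

# Constructed sample shaped like two entries of `docker inspect` output.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": "app"},
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                    "CapAdd": None, "CapDrop": ["ALL"], "ReadonlyRootfs": True,
                    "SecurityOpt": ["no-new-privileges:true"]}},
    {"Name": "/legacy", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "host",
                    "CapAdd": ["SYS_ADMIN"], "CapDrop": None, "ReadonlyRootfs": False,
                    "SecurityOpt": None}},
])

def audit_container(entry):
    """Return a list of findings for one inspect record (empty = no issues)."""
    hc = entry.get("HostConfig", {})
    cfg = entry.get("Config", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: container sees all host devices, isolation largely void")
    if hc.get("PidMode") == "host":
        findings.append("host PID namespace: host processes visible from container")
    if hc.get("NetworkMode") == "host":
        findings.append("host network namespace: no network isolation")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"added capability {cap}: widens kernel attack surface")
    if not cfg.get("User"):
        findings.append("runs as root: uid 0 in the container unless user namespaces remap it")
    if not hc.get("ReadonlyRootfs"):
        findings.append("writable root filesystem: a compromised process can persist changes")
    if not any(o.startswith("no-new-privileges") for o in hc.get("SecurityOpt") or []):
        findings.append("no-new-privileges unset: setuid binaries can gain privileges")
    return findings

def audit_all(inspect_json):
    """Map container name -> findings for every record in inspect output."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print(f"  - {f}")
```

On a real host the same function can be fed the output of `docker inspect $(docker ps -q)`; the hardened `web` record shows the baseline (non-root user, read-only root filesystem, all capabilities dropped) that keeps a single compromised container from reaching the shared kernel with full privileges.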

Single Point of Failure: Hypervisor

However, just because virtual machines are more secure in terms of application separation doesn’t mean they are without their own vulnerabilities. In virtual machines, hypervisors are a single point of failure. If the hypervisor fails then a ton of applications could go down in one fell swoop. This means that if a cyber attacker wanted to damage your network then they could send malware to the VM.

In comparison, Docker containers have no single point of failure. Though the single point of failure has the potential to leave applications vulnerable, hypervisors are very difficult to breach. While a cyber attacker could breach a hypervisor it is very unlikely due to the complexity of code used. At this point, hypervisor failure is more of a potential area of insecurity than a widely-exploited entry point.

Cost

The cost of Docker and virtual machines is another area that’s difficult to measure. 451 Research suggests that containers have a lower TCO or total cost of ownership than hardware virtualization. The reason behind this is that Docker containers use resources more efficiently. Every virtual machine has its own operating system which needs to be sustained by the host system. This requires computing resources that drive up the long-term physical hardware costs.

Docker eliminates this problem by using one operating system for all of its applications. Containers share one OS in an attempt to minimize the resource requirements. When running multiple applications this is particularly relevant because you could run many different applications with just one operating system. By comparison, virtual machines would have an operating system for each application which means that there are more resources that you need to pay for.

The direct cost savings of Docker containers are difficult to measure, but there are a number of factors to take into account. You will be able to get more mileage out of your current network infrastructure with containers than with virtual machines. Likewise, if you need to scale up, containers let you do so with fewer resources, whereas sustaining additional virtual machines consumes more power.

Which One Should I Use and When?

While Docker has the advantage with respect to efficiency and performance, don’t make the mistake of thinking that containers are inherently better than virtual machines. Docker and virtual machines have their own advantages in certain situations. Determining whether an application is placed within a container or a virtual machine depends entirely on your usage requirements. In this section, we’re going to look at how to choose between the two.

Application Type

The first factor you should consider when making your choice is the type of application that you wish to deploy. Containers are designed to sustain applications that aren’t related to the host operating system. Docker containers are for those applications you want to run irrespective of the infrastructure of the host system. This means that if you want to sustain embedded systems that integrate more closely with the host device, you’re better off opting for a virtual machine.

Size

The next factor you should take into account when choosing between the two is the size of your application. The amount of computing resources your application needs to run effectively will determine which you need to choose. If you’re looking to sustain applications that only need a single machine to run on, like microservices, then a Docker container would be the more natural choice. In contrast, a virtual machine would be the better choice for high priority services like databases.

Use Cases

Use Case                      Docker   Virtual Machine
Infrastructure                No       Yes
Container Environment Hosts   No       Yes
Databases                     No       Yes
Legacy Apps                   Yes      No
Microservices                 Yes      No
Web Applications              Yes      No

As you can see, virtual machines have the advantage in three main use cases: infrastructure, container environment hosts, and databases. The main area is with infrastructure. Virtual machines can create network infrastructure in the form of routers and firewalls in a way that isn’t possible with Docker. Virtual machines have the ability to interact at the virtual hardware level and enable the user to make changes to infrastructure. Virtual machines are often used as container hosts due to their ability to interact with hardware.

On the other hand, Docker offers a lightweight way to deploy legacy apps in almost any environment. Having the libraries contained alongside the application makes them easy to deploy. Microservices are also ideal for Docker because the simple structure of containers lends well to applications with one core task (as opposed to an application with many different responsibilities).

Docker vs Virtual Machines: Greater Together

Though Docker and virtual machines have their advantages over hardware devices, Docker is the more efficient of the two in terms of resource utilization. If two organizations were completely identical and running the same hardware, then the company using Docker would be able to sustain more applications. Docker’s ability to manage and deploy applications is simply miles beyond that of virtual machines.

Ultimately this comes down to the internal architecture of virtual machines. Emulating physical infrastructure may be more lightweight than a hardware device, but there is still too much fat to keep up with Docker. Undoubtedly both of these technologies need to be managed with care in order to maximize effectiveness.

However, don’t get caught up in writing off virtual machines completely. Combining the two together allows you to cover a range of use cases and allows you to keep your virtual resources as flexible as possible. You can enjoy the security of virtual machines on particularly important applications and the low computing requirements of Docker as well.

Docker vs VM FAQ

What are the differences between a VM image and a Docker image?

Docker shares the host’s OS whereas a VM contains an installation of the OS. A Docker image is a read-only template that is used to build the container. A virtual machine image is a template that is used to create a VM. The VM image includes the OS but the Docker image does not.

What is more secure, a Virtual Machine image or a Docker image?

In general, virtual machines are more secure than containers because they include the operating system, so there is no way for an intruder to get into the VM’s space through a routine written, say, in PowerShell. Docker containers, on the other hand, use the host OS and so there is a channel that hackers can use to get into them. As both VM and Docker images are read-only, they cannot be tampered with and so are equally secure.

Can I run Docker in a VM?

It is possible to use Docker in a VM. In truth, Docker is a Linux system, and in order to make it available on Windows, the creators of Docker included a Linux VM. So, Docker already runs on a VM when operating on Windows, and you probably wouldn’t get any further benefit by putting it in another layer of virtualization. If your VM has a Windows guest OS, you might run into efficiency problems because you would get a Linux VM on top of that automatically to get Docker to work.
