Virtualization and Containers

Motivation

  • Modern applications must be portable, scalable, and reproducible.
  • Different hardware, operating systems, and environments complicate development and deployment.
  • Virtualization solves differences between environments.

Model example

  • A developer writes an application on her MacBook.
  • The application runs on a Linux server in the cloud.
  • Without virtualization, she would need to handle differences between OS, libraries, and hardware.
  • With virtualization, she can create a consistent environment for development and production.

What is virtualization

Virtualization is a layer between physical hardware and the application that allows software to be decoupled from specific hardware.

It enables:

  • better infrastructure management,
  • simpler development,
  • easier application deployment.

Virtualization (VMs)

A virtualization layer (hypervisor) separates guest operating systems from the physical hardware.

+------------------+
| Guest OS + App   |
+------------------+
| Hypervisor       |
+------------------+
| Hardware         |
+------------------+

Hypervisors: Type-1 vs Type-2

  • Type-1 (bare-metal): runs directly on the hardware.
  • Type-2 (hosted): runs as an application on top of a host OS.

Type-1 (bare-metal) hypervisor

+------------------+
| VM: Guest OS+App |
+------------------+
| Hypervisor       |
+------------------+
| Hardware         |
+------------------+

Examples: VMware ESXi, Xen, Hyper-V, KVM (in Linux), Proxmox

Type-2 (hosted) hypervisor

+------------------+
| Guest OS + App   |
+------------------+
| Hosted hypervisor|
+------------------+
| Host OS          |
+------------------+
| Hardware         |
+------------------+

Examples: VirtualBox, VMware Workstation/Fusion, Parallels

Types of virtualization

Full virtualization (VM)

  • Each application runs in its own operating system. Strong isolation.
  • Higher overhead.

Paravirtualization

  • Guest OS is aware of virtualization and uses hypercalls / paravirtualized drivers (e.g., virtio).
  • Can reduce overhead, but may require guest changes or special drivers.

OS-level virtualization

  • Shared host OS kernel, Isolated processes.
  • Foundation of containers.

Virtual Machine (VM)

A virtual machine creates a completely separate environment:

  • own OS,
  • own kernel,
  • virtual CPU, RAM, disk, network.

Advantages

  • Strong isolation. Ability to run different OS.

Disadvantages

  • Slow startup. Large resource consumption.

Why containers

Virtual machines are:

  • heavy,
  • slow to start,
  • demanding to manage.

Containers emerged as a lighter alternative to VMs.

Containers

A container:

  • is an isolated process,
  • uses the host OS kernel,
  • bundles the application and its dependencies.

A container is not a virtual machine.

Docker

Docker is a platform for:

  • building containers,
  • distributing applications,
  • running containers.

It uses OS-level virtualization.

Containers: OS-level virtualization

  • Implemented mainly with Linux namespaces (isolation) and cgroups (resource limits).
  • A container is an isolated process tree that shares the host kernel.
+------------------+
| App (container)  |
+------------------+
| Container runtime|
| (namespaces,cg.) |
+------------------+
| Linux kernel     |
+------------------+
| Hardware         |
+------------------+

Docker architecture

  +----------+
  | registry |   Docker Hub
  +----------+
       ||         (image)
  +----------+
  |  daemon  |   Host machine
  +----------+
       ||         (protocol)
  +------------+
  | cli client |   Host or manager machine
  +------------+

Docker client

The docker command in the command line.

  • runs on any OS.
  • communicates with the docker daemon using its own protocol.
  • we can use it to control the daemon – check and manage containers.

Docker daemon

  • runs on Linux; on macOS/Windows it typically runs inside a lightweight Linux VM (Docker Desktop).
  • manages running containers, starts or stops them as instructed.

Starting a container

docker run --rm -p 8080:80 nginx
  • pulls the image from a registry (if not present locally),
  • creates a container,
  • starts the application,
  • maps host port 8080 → container port 80,
  • removes the container after it stops (--rm).

Dockerfile

A Dockerfile defines how an image is built.

Example:

FROM ubuntu:22.04
RUN apt-get update && apt-get install -y nginx && rm -rf /var/lib/apt/lists/*
CMD ["nginx", "-g", "daemon off;"]

An image is composed of layers:

  • RUN, COPY, ADD typically create filesystem layers (cached, immutable).
  • CMD/ENTRYPOINT set image metadata (do not add a filesystem layer).

Layers (simplified)

Base image
+------------------+
| ubuntu:22.04     |
+------------------+
RUN ... (adds a layer)
+------------------+
| + nginx files    |
+------------------+
CMD ... (metadata)

Filesystem and state

Containers are ephemeral: the writable layer is disposable and can be recreated at any time.

Application state (data) must be stored outside the container:

  • volumes,
  • bind mounts,
  • databases,
  • object storage.

Persistent data (volumes and bind mounts)

Examples:

# bind mount (host path → container path)
docker run --rm --mount type=bind,src=/srv/site,dst=/usr/share/nginx/html,ro -p 8080:80 nginx

# named volume (managed by Docker)
docker run --rm --mount type=volume,src=site-cache,dst=/cache busybox true
  • keep application and data separate,
  • bind mounts depend on the host filesystem,
  • named volumes are portable across container restarts.

Networking in Docker

Port mapping:

docker run -p 8080:80 nginx
  • port 8080 on the host → port 80 in the container.

Types of networks:

  • bridge,
  • host,
  • none.

Image vs Container

  • Image – immutable application image
  • Container – running instance of an image

Virtualization vs Docker

VM Docker (containers)
own OS/kernel shared kernel
slow start fast start
higher overhead lower overhead

VMs vs containers: isolation boundary

  • VM: isolation via hypervisor; separate kernel; can run a different OS.
  • Container: isolation via namespaces/cgroups; shares the host kernel (cannot run a different kernel).
  • Security depends heavily on the host kernel and container hardening.

When to use Docker

  • local development,
  • CI/CD pipelines,
  • microservices,
  • cloud deployment.

Docker limitations (without an orchestrator)

  • typically single-host scope,
  • manual scaling and limited scheduling,
  • no built-in self-healing / high availability across nodes.

Next step:

  • Docker Compose: multi-container apps on one host
  • Kubernetes (or Swarm): multi-node orchestration, scaling, HA

Summary

  • Virtualization solves differences between environments.
  • Containers are a lighter alternative to VMs.
  • Docker is the standard for containerizing applications.
  • Foundation for modern cloud and DevOps.
Reload?