New Open Source Project Combines Best of Containers and Virtual Machines

essidsolutions

A middle ground is finally forming in the debate over whether to use containers or virtual machines for virtualization, triggered by the launch of new applications that combine the best aspects of both.

Virtual machines, or VMs, are a form of software that mimics the characteristics of hardware. They work in sets controlled by a hypervisor, which is a virtual version of a supervisor (hence the name). VMs in the same set operate independently from one another, which is the source of their appeal: a reliable level of security. Malware and application crashes on one VM cannot spread to the others because each operates as if it were alone in the system.

The hypervisor controlling the VMs, like VMware ESXi, is installed directly onto hardware rather than on the host operating system, providing the necessary layer of abstraction.

Container technology offers an alternative method for virtualization and uses a single operating system on a host to run many different applications from the cloud. With containers, a host operating system is installed on the system first, and then a container layer, usually a variant of Linux, is installed on top of the host system. Though containers are significantly faster than VMs and offer better performance, they are nonetheless more exposed to risk.

For some time, developers have been looking for ways to combine the security advantages of virtual machines with the speed and manageability of container technologies. A recent announcement from Kata Containers indicates that a fundamental shift has finally happened.

Kata Containers is an open source project provided by the OpenSource Foundation targeted at containers running within VMs. Hardware agnostic and compatible with standard container interfaces, it offers the ability to run container management tools directly on hardware without sacrificing workload isolation. Compared with running containers on virtualized infrastructure, the standard practice today, it provides increased performance, faster boot time and reduced costs.

Intel is contributing its Intel Clear Containers technology, and Hyper is contributing runV technology to initiate the project. Designed to run on multiple hypervisors and be compatible with the OCI specifications for Docker containers and CRI for Kubernetes, Kata Containers will initially comprise six components, including the Agent, Runtime, Proxy, Shim, Kernel and packaging of QEMU 2.9.