Frequently Asked Question
How is a container different from a virtual machine?
A virtual machine is a complete simulated computer with its own kernel, its own bootloader, its own block devices, running on top of a hypervisor that owns the real hardware. The guest kernel does not trust and is not trusted by anything outside the VM. A container has none of that. There is exactly one kernel, the host's, and a container is a process given a curated view of it through namespaces and cgroups. The container "image" is just a tar of files that becomes the process's root filesystem; no kernel, no bootloader, no init in the traditional sense.
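One way to see the "process with a curated view of the host kernel" claim directly is to compare a process's namespace handles under `/proc/<pid>/ns/*` with those of the host's PID 1: a container's links point at different namespace inodes, while the kernel underneath is the same one. The script below is an added example, not part of the original page; the `/proc` layout it reads is the real Linux one, but the inode numbers in the embedded sample data are constructed for illustration, and the `looks_containerized` heuristic is this example's own, not a kernel or runtime API.

```python
"""Report which Linux namespaces a process shares with the host (PID 1).

A container is an ordinary process whose /proc/<pid>/ns/* links point at
different namespace inodes than PID 1's; comparing them shows which views
of the one shared kernel the process holds privately and which it still
shares with the host.
"""
import os
import re

# Namespace types exposed under /proc/<pid>/ns on current kernels.
NAMESPACES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# Constructed sample data (inode numbers are illustrative, not from a real host).
# The shape matches what os.readlink() returns for /proc/<pid>/ns/<name>.
HOST_NS_LINKS = {
    "cgroup": "cgroup:[4026531835]",
    "ipc": "ipc:[4026531839]",
    "mnt": "mnt:[4026531840]",
    "net": "net:[4026531992]",
    "pid": "pid:[4026531836]",
    "user": "user:[4026531837]",
    "uts": "uts:[4026531838]",
}
# A typical container: private view of everything except the user namespace
# (no user-namespace remapping configured), so the user inode equals the host's.
CONTAINER_NS_LINKS = {
    "cgroup": "cgroup:[4026532501]",
    "ipc": "ipc:[4026532502]",
    "mnt": "mnt:[4026532503]",
    "net": "net:[4026532505]",
    "pid": "pid:[4026532504]",
    "user": "user:[4026531837]",
    "uts": "uts:[4026532500]",
}
# The same container started with the host's network namespace: the net inode
# is the host's, so the network part of the isolation is gone.
HOSTNET_CONTAINER_NS_LINKS = dict(CONTAINER_NS_LINKS, net="net:[4026531992]")

_NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")


def parse_ns_links(links):
    """Turn {name: 'name:[inode]'} link targets into {name: inode}."""
    parsed = {}
    for name, target in links.items():
        m = _NS_LINK.match(target)
        if not m or m.group(1) != name:
            raise ValueError(f"unexpected namespace link for {name}: {target!r}")
        parsed[name] = int(m.group(2))
    return parsed


def read_ns_links(pid):
    """Read the live /proc/<pid>/ns/* links (Linux only; needs permission on <pid>)."""
    base = f"/proc/{pid}/ns"
    return {
        name: os.readlink(os.path.join(base, name))
        for name in NAMESPACES
        if os.path.lexists(os.path.join(base, name))
    }


def compare_namespaces(host_ns, proc_ns):
    """Return (shared, private): namespace names the process shares with the
    host and names it holds separately. Only names present in both are compared."""
    common = sorted(set(host_ns) & set(proc_ns))
    shared = [n for n in common if host_ns[n] == proc_ns[n]]
    private = [n for n in common if host_ns[n] != proc_ns[n]]
    return shared, private


def looks_containerized(host_ns, proc_ns):
    """Heuristic (this example's own): a process with its own mount and PID
    namespaces is running in a container or a sandbox built the same way."""
    _, private = compare_namespaces(host_ns, proc_ns)
    return "mnt" in private and "pid" in private


def shares_host_network(host_ns, proc_ns):
    """True when the process sees the host's network stack."""
    return "net" in host_ns and host_ns["net"] == proc_ns.get("net")


def main():
    host, me = parse_ns_links(HOST_NS_LINKS), parse_ns_links(CONTAINER_NS_LINKS)
    if os.path.isdir("/proc/1/ns"):
        try:  # on a live Linux host, compare this process against PID 1
            host = parse_ns_links(read_ns_links(1))
            me = parse_ns_links(read_ns_links("self"))
        except PermissionError:
            pass  # unprivileged: keep the constructed sample
    shared, private = compare_namespaces(host, me)
    print("shared with host:", shared)
    print("private to process:", private)
    print("containerized:", looks_containerized(host, me))
    print("host network:", shares_host_network(host, me))


if __name__ == "__main__":
    main()
```

Run it from inside a container and from the host shell and the mount and PID namespaces differ while `uname -r` reports the same kernel release in both places, which is the whole point of the paragraph above: the boundary is kernel bookkeeping, not a second kernel. The host-network case is the caveat worth checking in practice, since a container that shares the host's network namespace has given back one of the few views it was supposed to hold privately.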
The practical consequences are stark. A VM image is gigabytes because it ships an operating system; a container image is megabytes to hundreds of megabytes because it ships only the application and its libraries. A VM takes tens of seconds to boot because it cold-starts a kernel; a container takes milliseconds because the kernel is already running. A VM gives you hardware-enforced isolation strong enough to host mutually distrusting tenants; a container gives you kernel-enforced isolation strong enough to keep cooperating services out of each other's way. Many serious deployments use both: containers inside VMs get you fast packaging with hypervisor-grade isolation between trust domains.