Container vs VM

Mental model

VM = separate house with its own foundation. Container = apartment in a shared building.

What it looks like

Both seem to give you an isolated environment where you run software independently from anything else on the machine.

What it really is

VM: runs a full guest OS with its own kernel on emulated or virtualized hardware. A hypervisor (Type 1 or Type 2) sits between the guest OS and the physical hardware.

Container: a normal host process with namespace isolation, cgroup resource limits, and a layered filesystem. It shares the host kernel.

Why it seems confusing

Containers "look" isolated like VMs. You get your own filesystem, network stack, and process tree. But there is no guest kernel. The host kernel is doing all the work.

What actually matters

  • VMs isolate at the hardware level. Containers isolate at the OS level.
  • Containers start faster (no boot sequence), use less memory (no guest kernel), but provide weaker isolation (shared kernel).
  • A kernel vulnerability in a container can affect the host. A kernel vulnerability in a VM guest usually cannot.

```mermaid
flowchart TD
    subgraph VM["Virtual Machine"]
        VA["App"] --> VL["Guest Libraries"]
        VL --> VK["Guest Kernel"]
        VK --> HV["Hypervisor"]
        HV --> HW1["Hardware"]
    end

    subgraph Container["Container"]
        CA["App"] --> CL["Container Libraries"]
        CL --> NS["Namespaces + cgroups"]
        NS --> HK["Host Kernel"]
        HK --> HW2["Hardware"]
    end

    style VK fill:#f80,color:#fff
    style HK fill:#5a5,color:#fff
```

Common mistakes

  • Assuming containers are as strongly isolated as VMs.
  • Running containers as root and treating the boundary as a security perimeter.
  • Thinking Docker "boots" something. It starts a process.

Small examples

```sh
# docker run starts a process, not a machine
docker run --rm alpine echo "hello"

# ps inside a container shows the host's processes when the PID namespace
# is shared with --pid=host
docker run --rm --pid=host alpine ps aux
```
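
A defender's check for the "treating the boundary as a security perimeter" mistake, added here as an example and not code from the original page: it reads the JSON that `docker inspect` prints and flags settings that hand a container back the host's namespaces, capabilities or daemon. The `HostConfig`/`Config` field names are Docker's; the sample dump is constructed for the demo.

```python
import json

# Constructed sample shaped like `docker inspect` output, trimmed to the
# fields the audit reads. A real dump carries many more fields.
SAMPLE = json.dumps([{
    "Name": "/debug-shell",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": False,
        "PidMode": "host",
        "NetworkMode": "bridge",
        "CapAdd": ["SYS_ADMIN"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    },
}])

# Capabilities that give a process broad reach into the shared host kernel.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def audit(inspect_json: str) -> dict:
    """Return {container_name: [finding, ...]} for every container in the dump."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        issues = []
        if hc.get("Privileged"):
            issues.append("Privileged: all capabilities and host devices, isolation in name only")
        if hc.get("PidMode") == "host":
            issues.append("PidMode=host: host process tree visible (the --pid=host example above)")
        if hc.get("NetworkMode") == "host":
            issues.append("NetworkMode=host: host network namespace shared")
        for cap in hc.get("CapAdd") or []:          # CapAdd is null when unset
            name = cap.upper().removeprefix("CAP_")  # Docker accepts both spellings
            if name in RISKY_CAPS:
                issues.append(f"CapAdd {name}: capability that reaches the shared kernel")
        for bind in hc.get("Binds") or []:
            if bind.split(":")[0] == "/var/run/docker.sock":
                issues.append("docker.sock mounted: full control of the host daemon")
        if not (c.get("Config") or {}).get("User"):
            issues.append("runs as root: container uid 0 is host uid 0 unless user namespaces are on")
        findings[c.get("Name", "?")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, *issues, sep="\n  ")
```

Feed it real output with `docker inspect $(docker ps -q)`; an empty list for a container means none of these weak settings were found, not that the container is safe.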

Compare/contrast summary:

| Property   | VM                 | Container               |
|------------|--------------------|-------------------------|
| Kernel     | Separate guest     | Shared host             |
| Isolation  | Strong (HW)        | Process-level (OS)      |
| Start time | Seconds–minutes    | Milliseconds–seconds    |
| Overhead   | High (full OS)     | Low (shared kernel)     |

One-line summary

A VM runs its own kernel on virtual hardware; a container is a host process with namespace isolation sharing the host kernel.