Container Virtualization: What Makes It Work So Well?

Various implementations of container virtualization (including Docker) are filling compute roles once reserved for hypervisor virtualization.

Increasing demand for efficient and secure application portability across environments and operating systems has forced the industry to look for more powerful virtualization designs.
While the hypervisor virtualization model is still used to successfully deploy countless applications across the full range of environments, it does suffer from certain built-in limitations, including…

  • Increased overhead of running a fully installed guest operating system.
  • Inability to freely allocate resources to processes.
  • Significant overhead from guest OS calls into the hypervisor, which can reduce application performance.

Container virtualization exists largely to address some of these challenges.

What is container virtualization and how does it work differently than hypervisor virtualization?

Container virtualization (often referred to as operating system virtualization) is more than just a different kind of hypervisor. Containers use the host operating system as their base, not a hypervisor.

Rather than virtualizing the hardware (which requires full virtualized operating system images for each guest), containers virtualize the OS itself, sharing the host OS kernel and its resources with both the host and other containers. If you want to deepen your understanding of the pros and cons of server virtualization, here’s a full explanation.

Figure: Hypervisor vs. Container virtualization design


Containers provide the bare essentials required for any application to run on a host OS. You could think of them as stripped down Virtual Machines running just enough software to deploy an application.

Many applications – like database servers which work best using block storage – require direct access to hardware resources. Getting that access to disks and network devices through a hypervisor’s hardware emulation will often negatively affect their performance. Container virtualization helps by simply bypassing the emulation layer. As you can see in the above image, containers use the same server hardware and an operating system on top of it, but no hypervisor above that.

What, then, provisions a virtual machine and allocates resources for it? What, in other words, plays the role of the hypervisor for translating VM requests to the underlying hardware?

Technically, the Linux kernel itself has no clue that there are containers living upstairs, but containers can nevertheless share kernel resources through features like Namespaces, cgroups, and chroot. These allow containers to isolate processes, fully manage resources, and ensure appropriate security.

Let’s learn some more about those three tools:

  • Namespaces are a way for Linux systems to wrap a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.

Namespaces, in other words, provide processes with a virtual view of their operating environment. So if your process doesn’t actually require all of the properties of its parent process, and can get by with its own host name, mount points, network stack, PID space, or set of users, then namespaces can get the job done.

If namespaces give processes their own view of the environment, chroot can isolate those namespaces from the rest of the system and thereby protect against attacks or interference from other containers on the same host. Using namespaces and chroot, you can create a logical container with its own view of the system, but you’ll also need to allocate resources to your new container. This can be done using cgroups. cgroups (an abbreviation of “control groups”) is a Linux kernel feature that limits, accounts for, and isolates the use of resources like CPU, memory, disk I/O, and network by a collection of processes.
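The three ingredients just described leave visible traces that an operator can check: the kernel publishes each process's namespace memberships as symlinks under /proc/<pid>/ns/ and its cgroup membership in /proc/<pid>/cgroup, with cgroup v2 limits readable under /sys/fs/cgroup. The script below is an added example, not code from the original post or from Docker; it parses those files, compares a process with PID 1 to see which namespaces actually separate them, and reads the group's memory.max cap. The /proc and /sys/fs/cgroup locations are the standard kernel paths; the SAMPLE_CGROUP_V1 text is constructed for offline use and the "/container/example" path in it is not a real group.

```python
"""Verify which Linux isolation primitives a process actually sits behind.

Added example (not from the original post or any container runtime): reads
the namespace links and cgroup membership the kernel exposes under /proc,
compares a target process with PID 1, and looks up the cgroup v2 memory
limit, so a workload's confinement can be checked rather than assumed.
"""
import os
from pathlib import Path

# Namespace kinds exposed as /proc/<pid>/ns/<kind> on current kernels.
NAMESPACE_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# Constructed sample of /proc/<pid>/cgroup on a cgroup v1 host where the
# process sits in a runtime-created group (illustrative data, not real).
SAMPLE_CGROUP_V1 = (
    "12:memory:/container/example\n"
    "11:cpu,cpuacct:/container/example\n"
    "1:name=systemd:/container/example\n"
    "0::/\n"
)


def read_namespace_ids(pid, proc_root="/proc"):
    """Return {kind: 'kind:[inode]'} for each readable namespace link of pid.

    Two processes whose links point at the same target share that namespace;
    different targets mean the kernel gave them separate instances of the
    resource. Links that cannot be read (missing kind, no permission) are
    skipped rather than guessed.
    """
    ids = {}
    for kind in NAMESPACE_KINDS:
        link = Path(proc_root) / str(pid) / "ns" / kind
        try:
            ids[kind] = os.readlink(link)
        except OSError:
            continue
    return ids


def isolated_namespaces(target, reference):
    """Namespace kinds in which target differs from reference (e.g. PID 1)."""
    return {k for k in target if k in reference and target[k] != reference[k]}


def parse_cgroup_file(text):
    """Parse /proc/<pid>/cgroup contents into {controller: path}.

    v1 lines look like '4:memory:/some/group' and may list several
    controllers separated by commas; the unified v2 hierarchy appears as a
    single line '0::/some/group', which is keyed under ''.
    """
    membership = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hierarchy_id, controllers, path = line.split(":", 2)
        for ctrl in (controllers.split(",") if controllers else [""]):
            membership[ctrl] = path
    return membership


def parse_limit(value):
    """Convert a cgroup limit file value ('max' or an integer) to int or None."""
    value = value.strip()
    return None if value == "max" else int(value)


def cgroup_memory_limit(cgroup_path, cgroup_root="/sys/fs/cgroup"):
    """Read memory.max (cgroup v2) for the given group; None if unlimited/unreadable."""
    limit_file = Path(cgroup_root) / cgroup_path.lstrip("/") / "memory.max"
    try:
        return parse_limit(limit_file.read_text())
    except OSError:
        return None


def summarize(pid, proc_root="/proc", cgroup_root="/sys/fs/cgroup"):
    """Live check: namespaces separating pid from PID 1, plus its memory cap."""
    own = read_namespace_ids(pid, proc_root)
    init = read_namespace_ids(1, proc_root)
    membership = parse_cgroup_file((Path(proc_root) / str(pid) / "cgroup").read_text())
    unified_path = membership.get("", "/")
    return {
        "isolated_namespaces": sorted(isolated_namespaces(own, init)),
        "cgroup_path": unified_path,
        "memory_max_bytes": cgroup_memory_limit(unified_path, cgroup_root),
    }


if __name__ == "__main__":
    # On a plain host this usually reports no isolated namespaces; inside a
    # container it should list at least mnt, pid, net, uts and ipc.
    print(summarize(os.getpid()))
```

Reading /proc/1/ns/* needs permission over PID 1, so run the live check as root (or compare against another reference PID you own); the parsers work on any captured file contents, which makes them usable on forensic copies of /proc as well.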

It’s these three ingredients that create the magic of container virtualization. The basic architecture is currently used in quite a collection of implementations, the most famous of which is probably Docker.

Now that we’ve got some idea of how they work, let’s review some of the elements that, at least in many scenarios, give container virtualization its advantage:

  • Containers, compared to hypervisor virtualization, are more likely to be secure as, by design, their applications are logically restricted to their own environment.
  • Containers provide significantly better performance, as they use native, rather than emulated resources.
  • Launching a container is much faster than a virtual machine.
  • Containers offer better control on underlying resources.

After this introduction to the technology’s principles, you might like to try Cloud Academy’s Introduction to Virtualization Technologies.

For a full list of all learning material dedicated to containers, browse Cloud Academy’s library. 

And feel free to join in by adding your comments below.


Written by

Vineet Badola

Working as a cloud professional for the last 6 years in various organizations, I have experience in three of the most popular cloud platforms: AWS IaaS, Microsoft Azure and the Pivotal Cloud Foundry PaaS platform. I have around 10 years of IT experience in various roles, and I take great interest in learning and sharing my knowledge on newer technologies. I have worn many hats as developer, lead and architect in cloud technology implementations. During leisure time I enjoy good soothing music, playing TT and sweating it out in the gym. I believe sharing knowledge is my way to make this world a better place.
