Wednesday, September 30, 2015

Windows Containers vs. Hyper-V Containers

The differences between Windows Containers and Hyper-V Containers in Windows Server 2016 | Windows Server 2016 content from Windows IT Pro

"Windows containers work the same way as Linux containers. Each containerized application runs in its own user-mode, isolated container on a shared host operating system.
...
There are two challenges with this approach that may cause a problem in certain environments.
  1. Not enough isolation, since the isolation is at user-mode, meaning a shared kernel. In a single-tenant environment where applications can be trusted this is not a problem, but in a multi-tenant environment a bad tenant may try to use the shared kernel to attack other containers.
  2. There is a dependency on the host OS version and even patch level, which may cause problems if a patch is deployed to the host which then breaks the application.
This is where Hyper-V containers can be used. Hyper-V containers use the base image defined for the application and automatically create a Hyper-V VM using that base image. Inside that VM are the various binaries, libraries and the application inside a Windows container -- and that is a critical point. Hyper-V containers are still using Windows containers within the VM. The only difference is the Windows container is now running inside a Hyper-V VM which provides kernel isolation and separation of the host patch/version level from that used by the application."
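The following PowerShell session is an added example, not part of the quoted article: it runs the same Windows base image once under process isolation (shared host kernel) and once under Hyper-V isolation, then checks which isolation mode Docker actually applied and which kernel build each container reports. It assumes a Windows Server 2016 host with Docker and both isolation modes available; the image name and tag are placeholders to be replaced with an image that matches your host.

```powershell
# Added example (not from the Windows IT Pro article or the blog post).
# Assumes: Docker on Windows Server 2016, Hyper-V role installed, and a
# Windows base image already pulled. $Image is a placeholder.
$Image = 'mcr.microsoft.com/windows/nanoserver:<tag-matching-your-host>'

# Kernel build the host runs; a process-isolated container shares this kernel,
# a Hyper-V-isolated container runs the image's own kernel inside a utility VM.
$HostBuild = [System.Environment]::OSVersion.Version.Build
Write-Host "Host kernel build: $HostBuild"

foreach ($Isolation in 'process', 'hyperv') {
    $Name = "iso-check-$Isolation"

    # Run a one-shot command inside the container and capture the version
    # banner it prints ("Microsoft Windows [Version 10.0.<build>.<patch>]").
    $Banner = docker run --name $Name --isolation=$Isolation $Image cmd /c ver 2>&1

    # The container has exited but still exists, so inspect reports the
    # isolation mode that was really applied (Docker may substitute 'default').
    $Applied = docker inspect -f "{{.HostConfig.Isolation}}" $Name

    Write-Host "Requested: $Isolation  Applied: $Applied"
    Write-Host "Container reports: $($Banner -join ' ')"

    docker rm $Name | Out-Null
}
```

Under process isolation the build reported inside the container is the host's, which is why a host patch can reach into the application; under Hyper-V isolation the reported build is the image's, reflecting the kernel separation the article describes. The `HostConfig.Isolation` value is the field to check when verifying that a workload meant for a multi-tenant host really received the stronger boundary rather than the default shared-kernel mode.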
