[dasil003]

Docker didn't cause this problem, the point of the article is that Docker doesn't prevent all such problems. On the other hand it does solve a lot of packaging, dependency and environment parity problems that traditional virtualization is too heavy to accomplish.

I'm old enough to also be frustrated with buzzword driven development, and it's pretty annoying that so many believe Docker invented containerization, but don't throw the baby out with the bathwater. Containerization is an awesome tool and orthogonal to config management.

[eropple]

Traditional virtualization is "too heavy", now, for solved problems like packaging? How and why?

[omginternets]

For the reasons mentioned in the article:

- slow (re)start times

- greater resource consumption

Granted, "too heavy" is relative, but starting a few hundred VMs on a single host (assuming commodity hardware) is not going to work very well.

[oneplane]

Slow? What is slow. VMs start in 4 seconds. While a container might do it in 1 or less, 4 seconds isn't slow.

Resource consumption might be more, but it's not going to be dramatically more than a container. It's not like a container uses nothing, the management and resource constrainers take up resources too.

Containers simply solve nothing and aren't 'better' in general. Containerizing certain programs might be useful, but other than that they are being hyped by the 'shiny new thing' crowd more than it deserves. On top of that, the amount of people using it vs. the amount of people that actually need it is way more of an issue than a container vs. vm debate.

[nogox]

Did you try runV. It launches a Docker image into a micro VM in 100ms. github.com/hyperhq/runv

[user5994461]

That works just fine. It's typical in a VM farm to have hosts with a hundred VMs.

[omginternets]

>It's typical in a VM farm to have hosts with a hundred VMs.

Several things:

1. We may have a different definition of "commodity hardware", but you're missing the broader point.

2. The broader point is that VMs are significantly less resource-efficient.

3. 1 & 2 notwithstanding, you're conveniently ignoring the issue of (re)start time

4. It's fine to use VMs, but it's frankly bizarre to fight tooth-and-nail over the ridiculous notion that they should always be preferred over containers.

[user5994461]

I am simply addressing the fact that it's perfectly fine and common to have hosts with a hundred VMs and it works flawlessly.

VMs are memory intensive because they duplicate the operating system. The starting point is around 500 MB per VM. That's the only meaningful difference in resources compared to containers.

I am not discussing that they have different starting and stopping time.

[arghnoname]

CPU time is also more complicated to schedule in VMs.

For instance, the guest operations generally assume they're running on physical hardware and use spinlocks for some small critical sections. Under a physical hardware assumption this can be the correct approach, because the contending thread will leave the critical section soon and this overall performs better.

However, if the contending thread's vCPU is scheduled away by the hypervisor, the other thread may spinlock until the other vCPU gets scheduled back in. This wastes cycles.

A single operating system that uses OS-level virtualization (i.e., containers) has a more complete view of the system and can better multiplex the existing resources. That said, OS-level virtualization is generally accepted to have less isolation than VM isolation and solving the VM problems with, for instance, spinlocks might be easier than solving the isolation problems with containers, which is near intractable given the size of the kernel.

Unikernels try to take this approach and have a lot of the benefits of containers. If you squint, what we're really looking at with unikernels is a microkernel that uses virtualization support in hardware for robust process isolation. What's interesting to me is the question that I never see asked, which is whether we should revisit the microkernel architectures instead of laying more crap on top of monolithic kernels. The problems with Mach in terms of IPC time have been largely mitigated/eliminated with the L4 branch of microkernel.

[omginternets]

>I am simply addressing the fact that it's perfectly fine and common to have hosts with a hundred VMs and it works flawlessly.

And that was never the point.

[eikenberry]

+1. Docker is not Docker-Swarm/Kubernetes.

[AlphaSite]

Hey, there are plenty of solutions which combine the best of both worlds; for example https://www.vmware.com/products/vsphere/integrated-container...

[icebraining]

How is that the best? You're still running a full kernel for each container, rather than sharing it.

[gaius]

But, so what? VMWare under the hood is sharing common pages between VMs, and a kernel that isn't doing anything isn't consuming any CPU, so why not?

[icebraining]

Nope, common pages are no longer shared between VMs, because it was demonstrated that was a bad idea, security-wise:

upcoming ESXi Update releases will no longer enable TPS between Virtual Machines by default

https://kb.vmware.com/selfservice/microsites/search.do?langu...

[AstralStorm]

Guess what, if it is a bad idea for a VM, it must be exponentially worse for something less isolated.

[icebraining]

Yes. Thankfully, the point is that using the regular container model you don't need memory page sharing, because there's only one kernel anyway, not a copy per each container.

[j_s]

Administrators may revert to the previous behavior if they so wish.

Sounds like a sane change to the defaults, but anyone who isn't securing against 3rd party code can turn it back on (to return to much more Docker-like security/performance).