Will containers kill VMs? There are no winners in this debate
Reg readers couldn’t split the argument – perhaps because we kept coming back to containers inside VMs being sensible
Reg readers have a reputation as never being short of an opinion. So, it is with more than a little surprise that we must declare our latest debate, on the motion Containers will kill Virtual Machines, was a tie!
1,142 of you voted in the debate, and the vote was split right down the line.
How did we end up here?
The debate opened with Timothy Prickett-Morgan, co-editor of our sister publication The Next Platform, arguing for the motion by asserting that virtual machines took off during the Great Recession when server spend had soared to unreasonable levels and server consolidation had irresistible appeal.
While VMs suppressed server bills, they spawned an age of hard-to-maintain monolithic applications. Tim lamented that we knew better than to do this before the Great Recession, as shown by the early success of techs like FreeBSD Jails and Solaris Zones.
Surging enthusiasm for Docker, then Kubernetes, restored the rightful reign of containers, and we will live happily ever after once they vanquish VMs. Tim offered the following observation:
Containers aren't a special application running on VMs. VMs are a special kind of container running atop bare metal.
Next up, arguing against the motion, was Darren Yates, a research scientist who just completed a PhD in machine learning and data science, and is also a veteran technology journalist.
Darren pointed out that containers are frail.
“One compromised container endangers all of the other containers sharing the host kernel, or those built from the same container image,” he wrote.
Darren also extolled the virtues of VMs’ isolation from each other.
Maturity also weighed on Darren’s mind, because VMs have been through the wringer for nearly 15 years and emerged in fine shape. History, he argued, teaches us never to ignore that tempering process. And in the context of the containers versus VM debate, Darren argued we would do well to use the best of VMs to improve the worst of containers.
After some half-time oranges, the second round of arguments commenced with yours truly resuming hostilities by recalling conversations about the plight of independent software vendors (ISVs) who must package their products to run on more than a dozen combinations of operating systems, hypervisors, clouds, and marketplaces.
ISVs would rather spend less time and resources packaging, and more time making their products better. My sources therefore told me that ISVs will soon ship their products as containers, and those future upgrades will require a re-platforming effort. At that point, even the most container-averse organization will have little choice but to adopt containers, setting an unstoppable snowball rolling.
Chris Mellor, the editor of our enterprise storage sister publication Blocks & Files, brought it home for the No argument.
His piece focused on the fact that virtualization works and is so widely adopted that it just won’t be abandoned. Containers therefore represent a second stack, yet no IT shop enjoys running two or more paradigms in parallel.
Chris argued that container management tools are an application like any other and can comfortably be virtualized. He therefore concluded that containers inside VMs are the future. Chris doesn’t see a winner or a loser – he sees both containers and VMs enjoying long and useful lives.
That conclusion was shared by yours truly and Darren, so perhaps our fence-sitting led to the tied vote.
Readers weigh in
In response to our writers’ rants, readers weighed in with thoughtful contributions of their own.
“The problem that Docker solves is that people have largely forgotten to teach proper package management. Coming from a Unixy background, it seems scarcely credible,” commented a reader named Sed Gawk.
Sed was just getting started, offering this observation about the youth of today:
There is an increasing cohort who cannot package into a deb/rpm or make an autotools setup so dependencies can be configured easily on a random system.
“On the other side,” he continued, “the container has become a play pit to dump all the problems resulting from lack of packaging into a semi-standardised format. It's crap, but allows a decent amount of tooling atop that to support self-service to people who would never be allowed access in another deployment paradigm.”
Katrinab weighed in with the view that “if the only benefit of containers over VMs is that they use fewer system resources, then I don't think that means containers are the future.
“Hardware gets more powerful every year. Nowadays that generally means more CPU cores rather than actually running faster, but more CPU cores is perfect for a VM deployment. The overhead for FreeBSD or Linux isn't that high anyway. Windows is a bit more … and the benefit of being able to reboot each VM individually I think overcomes that.”
Lorribot suggested the debate may have ignored the real world, as the IT he tends comprises “stand alone single instances with no scale up or out requirements.” Containers and DevOps, he wrote, may be relevant to “those that live in [the] web serving world.
“But many of the people that live in manufacturing/distribution/engineering/creative environment are not looking for that sort of thing.” Stability and low latency matter more to Lorribot, who asked:
Can you run my bespoke automated warehouse system (the other AWS) in a container in AWS (need 3 ms latency or the warehouse dies)?
Reader Spireite offered the pithy observation that any technology is only as good as its implementer: “Quite frankly, they are both only as good as the person who configured the environment/image/whatever.
“I've seen more than my fair share of VMs which have the same volume of security issues as a colander. Same is true for containers.
“At the end of the day someone needs to oversee all this stuff, and periodically run a security scan on them to see what new CVEs have come out.”
We could go on, but you get the idea: there are plenty of good arguments on both sides. So many, perhaps, that this topic could become a hardy perennial. Or as a commenter who uses the handle Ciaran put it: “This sounds like the eternal vi-emacs argument.” ®