← Back to Infrastructure

Docker — Container vs VM

InfrastructureEntrydocker

The Question

What is the difference between a Docker container and a VM?

What a Strong Answer Covers

  • namespaces + cgroups
  • "shared kernel
  • "hypervisor

Senior-Level Answer

Containers and VMs both provide isolated execution environments, but they achieve isolation at different layers of the stack.

A **Virtual Machine** runs a complete guest operating system on top of a hypervisor (Type 1 like VMware ESXi or KVM, or Type 2 like VirtualBox). Each VM includes its own kernel, drivers, and OS userspace. The hypervisor virtualizes hardware — presenting virtual CPUs, memory, and NICs to each VM. This provides strong isolation: a kernel panic in one VM does not affect others. The cost is overhead: each VM consumes gigabytes of disk for the OS image, hundreds of megabytes of RAM for the guest OS, and takes minutes to boot.

A **Docker container** shares the host machine's kernel. Isolation is achieved through Linux kernel primitives: **namespaces** (pid, net, mnt, uts, ipc, user) give each container its own process tree, network stack, and filesystem view; **cgroups** (control groups) limit and account for CPU, memory, and I/O usage. The container image contains only the application and its userspace dependencies — not a kernel. A container starts in milliseconds, images are tens to hundreds of megabytes, and you can run dozens of containers on a machine where you might run only 3-5 VMs.

The trade-off is isolation depth. Because containers share the host kernel, a kernel exploit inside a container can potentially escape to the host. VMs have a harder boundary. For multi-tenant environments with untrusted workloads, VMs (or VM-based container runtimes like Firecracker / gVisor) are preferred. For microservices in a controlled environment, containers provide sufficient isolation with far better density and speed.

In practice, containers and VMs are complementary. Most cloud deployments run containers *inside* VMs: the VM provides the strong isolation boundary at the infrastructure level, and containers provide the packaging and density benefits at the application level.

Docker specifically adds a content-addressable layer filesystem (UnionFS / OverlayFS), a registry protocol for distributing images, and a daemon for managing container lifecycle — these are Docker-specific conveniences on top of the underlying Linux primitives.

Key Differences

AspectDocker ContainerVirtual Machine
OS kernelShared with hostSeparate guest kernel per VM
Startup timeMillisecondsSeconds to minutes
Image sizeMBs (layers, no OS kernel)GBs (full OS image)
Isolation mechanismNamespaces + cgroupsHypervisor hardware virtualization
Isolation strengthProcess-level (kernel shared)Strong (separate kernel)
DensityDozens per hostTypically 3-10 per host
PortabilityImage runs anywhere with container runtimeImage tied to hypervisor type

What Separates a 2/3 from a 3/3

2/3 — Passing but Incomplete

Correctly states that containers share the host kernel while VMs run a full OS, and identifies the startup time and resource overhead differences.

3/3 — Strong Answer

Names namespaces and cgroups as the isolation primitives, explains the security trade-off (shared kernel = weaker isolation), mentions that the two are complementary in production (containers inside VMs), and can name hypervisor types.

Common Mistakes

  • Saying containers are 'more secure' than VMs — the opposite is true for isolation depth.
  • Not knowing the Linux primitives (namespaces, cgroups) that underpin container isolation.
  • Conflating Docker (the tooling) with containers (the runtime concept) — containerd and podman also run containers.
  • Missing the complementary relationship: most production containers run inside VMs.

Follow-Up Questions

  • What are Linux namespaces and which ones does Docker use? — pid, net, mnt, uts, ipc, user — each isolates a different resource dimension. Docker uses all six by default.
  • What is a container escape vulnerability and how do you mitigate it? — A kernel exploit that breaks out of namespace/cgroup isolation. Mitigations: seccomp profiles, AppArmor/SELinux, rootless containers, read-only root filesystem, dropping capabilities.
  • How does Firecracker differ from a standard Docker container runtime? — Firecracker creates micro-VMs with a minimal kernel per workload, providing VM-level isolation at near-container startup speed — used by AWS Lambda.
  • What is the difference between the Docker daemon, containerd, and runc? — Docker daemon is the high-level interface; containerd is the container runtime managing lifecycle; runc is the OCI runtime that actually creates namespaces/cgroups.

Related Questions

  • K8s — Pod vs Deployment
  • K8s — Liveness vs Readiness
  • K8s — ConfigMap vs Secret
  • Helm Chart
  • CI/CD Pipeline

Can You Explain This Cold?

Reading the answer is step one. Explaining it unprompted — under interview pressure — is what actually matters. Get AI-graded feedback on your answer with follow-up probes on your weak points.

Get Graded — Free Assessment
GrindQuestionsAITechnical interview assessment
TermsPrivacyAbout