April 11, 2023



Executable

  • Code running within the same executable shares one address space and every other resource; any separation between its parts is at the discretion of the developer
  • A C programmer may, for example, let the same block of memory be reused by different function calls, and nothing in the system stops one function from corrupting another's data


Process

The process is the lowest level of virtualisation.

  • The kernel gives each process its own virtual address space which no other process can write into
    • This is what allows multiple programs to run concurrently without corrupting each other
  • Processes can transparently access shared resources such as the filesystem and network sockets
    • Shared resources are required for programs to be useful
  • An example of a virtual resource at this level is the heap memory of a process
    • The true resource is physical RAM, which the kernel (with the MMU) virtualises into each process's address space; the heap is allocated within that space
    • The heap of one process cannot be directly altered by another
    • The exceptions are deliberate ones: memory a process explicitly maps as shared, or a process holding ptrace rights over the target (a debugger, or root via /proc/<pid>/mem)
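The isolation described above can be observed directly. The following C program is an added example, not code from the original post: a parent process allocates an integer on its heap, forks a child that overwrites the same virtual address, and reads the value back after the child exits; it then repeats the experiment on memory the parent explicitly created as shared with mmap(MAP_SHARED), which is the opt-in exception to the rule. The function names are this example's own, and it assumes a POSIX system such as Linux.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parent allocates an int on its heap, a child process overwrites the same
 * virtual address, and the parent reads the value back after the child exits.
 * Returns what the parent sees: 42, because the child's write landed in the
 * child's own copy of the page (the kernel copies the page on write). */
int private_heap_after_child_write(void)
{
    int *p = malloc(sizeof *p);
    if (p == NULL)
        return -1;
    *p = 42;

    pid_t pid = fork();
    if (pid < 0) {
        free(p);
        return -1;
    }
    if (pid == 0) {
        *p = 99;        /* same address, but in the child's own address space */
        _exit(0);       /* _exit so the parent's stdio buffers are not flushed twice */
    }
    waitpid(pid, NULL, 0);

    int seen = *p;
    free(p);
    return seen;        /* 42 */
}

/* The same experiment on memory the parent deliberately shares before forking
 * (MAP_SHARED | MAP_ANONYMOUS). Now the child's write is visible: 99.
 * Sharing is the opt-in exception, not a hole in the isolation. */
int shared_mapping_after_child_write(void)
{
    int *p = mmap(NULL, sizeof *p, PROT_READ | PROT_WRITE,
                  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    *p = 42;

    pid_t pid = fork();
    if (pid < 0) {
        munmap(p, sizeof *p);
        return -1;
    }
    if (pid == 0) {
        *p = 99;        /* writes to the one physical page both processes map */
        _exit(0);
    }
    waitpid(pid, NULL, 0);

    int seen = *p;
    munmap(p, sizeof *p);
    return seen;        /* 99 */
}

int main(void)
{
    printf("private heap after child wrote 99: %d\n", private_heap_after_child_write());
    printf("shared mapping after child wrote 99: %d\n", shared_mapping_after_child_write());
    return 0;
}
```

The point of the second function is that the boundary is enforced by the kernel's page tables, not by the code: the only way for the child's write to reach the parent is for the parent to have asked for that mapping to be shared.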


Container

  • Containers differ from processes in that their processes do not see the host's shared kernel resources directly
  • A container has its own virtual set of shared resources (filesystem view, process table, network stack, hostname) that the processes within it use; on Linux these are kernel namespaces
  • An example of a virtual resource at this level is the virtual filesystem
    • The host filesystem is virtualised into the container filesystem by the containerisation software, typically a mount namespace over a layered image filesystem
    • The virtual filesystem of one container cannot be altered directly by another, unless a volume is explicitly shared between them
  • Container processes still run on the host kernel: they are visible to it and to sufficiently privileged host processes, which may inspect or terminate them
    • The kernel is therefore a shared attack surface: a kernel vulnerability reachable from inside a container affects every container on that host
  • One of the main use cases for a container is managing multiple software environments
    • Processes require external state (the filesystem) to be useful
    • Different processes may have conflicting needs such as different versions of the same dependency
    • Docker is not the only tool for this use case: version managers such as pyenv and jenv solve the conflicting-dependency problem too, though by switching paths rather than through kernel-level isolation, so they are not containerisers in the sense above
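The two views of a container process, the virtualised one from inside and the host kernel's one from outside, can be shown without any container runtime. The following C program is an added example, not code from the original post: it creates a new user namespace (so no root is needed) together with a new PID namespace, forks, and compares the PID the child sees for itself with the PID the parent uses to wait for it. The same unshare() call with CLONE_NEWNS is what gives a container its own filesystem view. The struct and function names are this example's own; it assumes Linux with unprivileged user namespaces enabled and not blocked by a seccomp policy, and reports that condition instead of failing when it is not met.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result of the namespace experiment (names are this example's own). */
struct ns_demo {
    int unavailable;    /* 1 if the kernel or a seccomp policy refused the namespaces */
    int inside_pid;     /* the PID the child saw for itself */
    int outside_pid;    /* the PID the parent (host view) used to wait for that child */
};

/* Unshare into a new user namespace plus a new PID namespace, then fork.
 * The child is the first process in the new PID namespace, so it sees itself
 * as PID 1, while the parent, still in the host's namespace, addresses it by an
 * ordinary host PID: the host kernel sees and controls it like any process. */
struct ns_demo run_ns_demo(void)
{
    struct ns_demo r = {0, -1, -1};

    /* CLONE_NEWUSER is created first, which grants CAP_SYS_ADMIN inside it
     * and so permits CLONE_NEWPID without real root. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID) != 0) {
        /* EPERM, EINVAL or ENOSYS: unprivileged user namespaces disabled,
         * or the call blocked by a sandbox's seccomp policy. */
        r.unavailable = 1;
        return r;
    }

    pid_t pid = fork();
    if (pid < 0) {
        r.unavailable = 1;
        return r;
    }
    if (pid == 0) {
        /* Report our own PID, as seen from inside the namespace, via the exit status. */
        _exit((int)getpid() & 0xff);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) {
        r.unavailable = 1;
        return r;
    }
    r.inside_pid = WEXITSTATUS(status);   /* 1: first process in the new PID namespace */
    r.outside_pid = (int)pid;             /* > 1: a normal host PID for the same process */
    return r;
}

int main(void)
{
    struct ns_demo r = run_ns_demo();
    if (r.unavailable)
        puts("namespaces unavailable here (no unprivileged user namespaces, or seccomp)");
    else
        printf("child saw itself as PID %d; the host saw it as PID %d\n",
               r.inside_pid, r.outside_pid);
    return 0;
}
```

Note that nothing about the child changed for the host: `kill` with the outside PID would terminate it, and a kernel bug reachable by the child is reachable from the host's kernel, which is the shared-attack-surface point made above.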

Virtual Machine

  • Virtual Machines differ from containers in that each VM runs its own kernel, so processes on one VM are totally cut off from processes on another; they may as well be on different machines, which is the point
    • They share only the physical hardware, mediated by the hypervisor, and may only communicate via networking protocols (or channels the hypervisor explicitly provides)
  • VMs are to be chosen over containers when a different kernel or operating system is required to run a program, or when the program is not trusted
    • This approach is avoided when possible because it is more resource intensive
    • The hypervisor remains a shared component, but it exposes a far smaller interface to a guest than a kernel exposes to a container
