A container is a lightweight, isolated environment that packages an application and all its dependencies — libraries, config files, and runtime — into a single portable unit. Containers share the host OS kernel, making them far faster to start and more resource-efficient than virtual machines, which each require a full OS.

What is the difference between a container and a virtual machine?

A virtual machine (VM) runs a full copy of an operating system on top of a hypervisor. A container shares the host OS kernel and only packages the application and its dependencies. Containers start in milliseconds and use far less RAM and disk space. VMs provide stronger isolation because each has its own kernel. The exam often presents a scenario requiring fast, consistent deployment across many servers — the answer is containers.

Docker is the most widely used container platform. It provides the Docker Engine (the runtime that runs containers), the Dockerfile format (instructions for building images), and Docker Hub (the default public registry for sharing images). Docker made containers accessible to everyday developers and is the de facto standard for containerisation.

Kubernetes (K8s) is an open-source container orchestration platform originally developed by Google. It automates deploying, scaling, and managing containerised applications across clusters of machines. Kubernetes handles scheduling containers onto nodes, restarting failed containers, scaling up when traffic spikes, and rolling updates with zero downtime.

Containers & Docker — Images, Registries & Orchestration

⚡ Quick Answer

A container packages an application and all its dependencies into a portable, isolated unit that runs consistently anywhere. Docker is the platform that builds and runs containers. A Docker image is the read-only blueprint; a running instance of that image is a container. Images are stored in and pulled from registries (Docker Hub, AWS ECR, Azure ACR). When you have dozens or hundreds of containers to manage across multiple servers, Kubernetes orchestrates them — handling scheduling, scaling, and self-healing automatically.

What Is a Container?

A container is a lightweight, isolated environment that packages an application together with everything it needs to run: libraries, configuration files, and the runtime environment. The key insight is that a container shares the host operating system's kernel rather than running a full OS of its own. This makes containers dramatically smaller and faster than virtual machines.

The core problem containers solve is the classic "it works on my machine" problem. Before containers, an application that worked perfectly in a developer's local environment might fail in production because of subtle differences in library versions, OS configuration, or installed software. A container bundles the application and its exact dependencies together, so it runs identically regardless of where it's deployed — a developer's laptop, a test server, or a production cloud environment.

Containers are ephemeral by design. When a container stops, any data written inside it is lost unless explicitly saved to external storage. This makes containers ideal for stateless services — web servers, APIs, microservices — where each instance is identical and disposable. For stateful applications like databases, you mount external persistent storage volumes.

Containers vs Virtual Machines

Property	Container	Virtual Machine
OS kernel	Shares host kernel	Full OS per VM (own kernel)
Startup time	Milliseconds	30 seconds to minutes
Size	Megabytes	Gigabytes
Isolation	Process-level isolation	Full hardware-level isolation
Security boundary	Weaker (shared kernel)	Stronger (separate kernel)
Portability	Very high — runs anywhere Docker runs	High — but larger and slower to move
Density	Hundreds per host	Tens per host
Best use case	Microservices, CI/CD, cloud-native apps	Full OS isolation, legacy apps, different OS

Containers and VMs are not mutually exclusive

In practice, containers typically run inside VMs in production environments. You provision VMs from your cloud provider (IaaS), and then run many containers on each VM. This gives you the security boundary of VM isolation at the infrastructure level, combined with the density and speed advantages of containers at the application level.

Docker: Images, Containers, and the Dockerfile

Docker is the platform that standardised containers and made them accessible to developers. The Docker ecosystem has four key components you need to understand:

📄

Dockerfile

A plain-text file containing step-by-step instructions for building a Docker image. It specifies the base image, copies application code, installs dependencies, and sets the startup command. Think of it as a recipe for building the image.

🖼️

Image

A read-only template built from a Dockerfile. Images are layered — each instruction in the Dockerfile adds a new layer on top of the previous one. Layers that don't change are cached and reused, making builds fast. An image is the blueprint; it doesn't run itself.

📦

Container

A running instance of an image. When you start a container from an image, Docker adds a thin writable layer on top of the read-only image layers. You can run many containers from the same image simultaneously — each gets its own writable layer.

🗄️

Registry

A storage and distribution system for Docker images. Docker Hub is the default public registry — millions of pre-built images are hosted there. Private registries (AWS ECR, Azure ACR, Google Artifact Registry) let organisations store proprietary images securely.

The typical Docker workflow is: write a Dockerfile → run docker build to create an image → push the image to a registry → on any server, pull the image and run docker run to start a container.

🎯 Key Distinction to Remember

Image = blueprint (read-only, stored in a registry). Container = running instance of an image (writable, ephemeral).

Many exam questions and interview questions hinge on this distinction. You push/pull images to/from registries. You start/stop/delete containers on hosts.

Container Registries

A container registry is a repository for storing and distributing Docker images. Understanding the major registries is important for cloud certification exams:

Registry	Provider	Notes
Docker Hub	Docker, Inc.	Default public registry. Millions of official and community images. Free for public images; paid for private.
Amazon ECR	AWS	Elastic Container Registry. Integrates with ECS and EKS. Private by default; IAM-controlled access.
Azure Container Registry (ACR)	Microsoft	Integrates with AKS and Azure DevOps. Supports geo-replication for multi-region deployments.
Google Artifact Registry	Google Cloud	Replaced Google Container Registry (GCR). Integrates with GKE. Supports multiple artifact types beyond containers.
GitHub Container Registry	GitHub (Microsoft)	Store images alongside source code in GitHub. Common in CI/CD pipelines that build and test on push.

In a secure enterprise environment, image scanning is performed at the registry level — every pushed image is automatically scanned for known vulnerabilities in its layers before it can be deployed. AWS ECR, ACR, and Google Artifact Registry all provide built-in vulnerability scanning.

Container Orchestration and Kubernetes

Running a single container on a single server is straightforward with Docker. But real production applications might require dozens or hundreds of containers spread across multiple servers, with requirements for automatic scaling, load balancing, rolling updates, and self-healing when a container crashes. This is the problem container orchestration solves.

Kubernetes (abbreviated K8s — K, 8 letters, s) is the dominant container orchestration platform. Originally developed at Google and open-sourced in 2014, it is now maintained by the Cloud Native Computing Foundation (CNCF). Every major cloud provider offers a managed Kubernetes service: AWS EKS (Elastic Kubernetes Service), Azure AKS (Azure Kubernetes Service), and Google GKE (Google Kubernetes Engine).

🏗️

Cluster

The top-level Kubernetes unit. A cluster consists of a control plane (which manages the cluster) and one or more worker nodes (which run the actual containers).

🖥️

Node

A physical or virtual machine that runs containers. A cluster has many nodes. The control plane schedules containers (called Pods) onto nodes based on available resources.

📦

Pod

The smallest deployable unit in Kubernetes. A Pod wraps one or more containers that share storage and a network namespace. Most Pods contain a single container, but related containers that must run together can be co-located in one Pod.

⚖️

Service

A Kubernetes Service provides a stable network endpoint for a set of Pods. Since Pods are ephemeral and their IP addresses change, a Service gives a consistent DNS name and IP address that routes traffic to the correct Pods — enabling load balancing.

Kubernetes key capabilities include automatic scaling (add more Pods when CPU usage spikes), self-healing (automatically restart failed containers or reschedule Pods from failed nodes), rolling updates (update containers to a new version with zero downtime by gradually replacing old Pods), and rollbacks (revert to the previous version if a deployment fails).

Docker Swarm vs Kubernetes

Docker has its own built-in orchestration tool called Docker Swarm, which is simpler to set up than Kubernetes but less powerful and less widely adopted in production. For small deployments and teams new to orchestration, Swarm is easier to learn. For large-scale, production-grade workloads, Kubernetes is the industry standard. Most cloud certification exams focus on Kubernetes.

Container Security

Containers introduce specific security considerations that appear on Security+ and cloud security exams:

Image vulnerabilities — container images are built on top of base OS images (e.g. Ubuntu, Alpine Linux) that may contain known CVEs. Regularly scanning images and rebuilding them against updated base images is essential. Use minimal base images (Alpine Linux is ~5MB vs Ubuntu's ~70MB) to reduce the attack surface.

Container escape — a vulnerability that allows a process inside a container to break out of the container's namespace and access the host OS. This is the most serious container security risk. Running containers as non-root users and using read-only filesystems reduces this risk.

Secrets management — application secrets (database passwords, API keys) should never be baked into Docker images. Use environment variables, Kubernetes Secrets, or dedicated secrets managers (AWS Secrets Manager, HashiCorp Vault) to inject secrets at runtime.

Namespace isolation — Linux namespaces are the underlying technology that isolates containers from each other and from the host. Containers share the kernel but have separate process, network, and filesystem namespaces. This isolation is weaker than VM isolation — a kernel vulnerability can potentially affect all containers on a host simultaneously.

🎯 Security+ Exam — Container Security Points

Container escape is the buzzword for the container-specific attack where a malicious process breaks out of container isolation. Image scanning is the control. Running containers as non-root is the hardening technique. These three points cover the majority of container security questions on Security+ SY0-701 Domain 3.

Exam Scenarios

Scenario: A team needs to deploy the same application across development, staging, and production and ensure it behaves identically in each environment. What technology is best suited? Answer: Containers (Docker) — the image ensures a consistent environment from dev to prod.

Scenario: An organisation runs 500 containers across 20 servers and needs automatic failover, rolling updates, and auto-scaling. What tool manages this? Answer: Kubernetes (or a managed service like EKS/AKS/GKE).

Scenario: A security scan reveals that a container is running as root. Why is this a risk? Answer: If a container escape vulnerability exists, a root container process would have root-level access on the host OS. Containers should run as non-privileged users.

Scenario: A developer hardcoded a database password in a Dockerfile. What is the correct remediation? Answer: Remove the secret from the image and inject it at runtime using environment variables or a secrets manager. Never store secrets in images, as they are visible to anyone with image access.

Scenario: What is the difference between a Docker image and a Docker container? Answer: An image is the read-only blueprint stored in a registry. A container is a running instance of that image — you can run many containers from one image.

Studying for a Cloud or DevOps Certification?

Check out the best study resources for CompTIA, AWS, and Azure exams.

View Resources →

Containers & Docker Explained