Exercise: Container vs. VM Network

Comparing Isolation

A hands-on exercise to compare the networking and kernel isolation of a full virtual machine against an application container by inspecting their network interfaces and kernel versions.

Author: Chuck Nelson
Published: November 16, 2025

1 Purpose

This exercise provides a practical demonstration of the fundamental difference between a virtual machine and a container: a VM runs its own, separate kernel, while a container shares the host’s kernel. You will use command-line tools to inspect the network stack and kernel version of a running VM and a running container to see this difference firsthand.

2 What You’ll Accomplish

By the end of this exercise, you will be able to:

  • Use ip a and uname -r inside a VM and a container.
  • Use podman exec to run commands inside a running container.
  • Compare the outputs to explain the difference in kernel isolation.

This exercise maps to the following program and course learning outcomes:

  • Course Learning Outcomes (CLOs):
    • 1. Identify hardware and basic network components: This exercise highlights the key architectural difference between two primary virtualization technologies.

This exercise develops the following skills, which align with the O*NET SOC Code 15-1232.00 for Computer User Support Specialists.

| Learning Objective | O*NET KSAs | Technologies Used |
|---|---|---|
| Compare kernel isolation between VMs & containers. | Knowledge: Computers & Electronics; Abilities: Category Flexibility, Deductive Reasoning | uname, ip, podman exec |

3 Prerequisites

This exercise requires:

  • A running Fedora 42 VM (your main exercise environment).
  • A running traditional VM created in virt-manager (from Exercise 9.1).
  • A running Podman container (from Exercise 9.2). For this exercise, let’s start a simple one that will stay running.

Open a terminal in your Fedora VM and run the following command to start a container that sleeps indefinitely. We’ll name it my-comparison-container.

podman run -d --rm --name my-comparison-container --network bridge docker.io/library/alpine sleep infinity

Tip: Why use --network bridge?

By default, Podman may use the host network if the bridge network is unavailable or misconfigured, causing the container to share the host’s interfaces and IP. Specifying --network bridge ensures the container gets its own virtual network interface and IP address, demonstrating true container network isolation.

4 Step-by-Step Guide

4.1 Step 1: Inspect the Virtual Machine

  1. Open the console for the VM you created in virt-manager.

  2. Log into the VM.

  3. Once you have a command prompt inside the guest VM, run the following two commands.

    # View network interfaces
    ip a
    
    # View the running kernel version
    uname -r
  4. Analyze the Output: Note the IP addresses; they are on a separate virtual network. Most importantly, note the kernel version. It is likely different from your main Fedora host’s kernel version.

4.2 Step 2: Inspect the Application Container

Tip: Using podman exec -it to get a terminal inside the container

If you don’t already know how to open a shell inside a running container, here’s how:

# Replace 'my-container' with the actual name of your container
podman exec -it my-container /bin/sh

Now, let’s run the same commands inside the Podman container. We will use podman exec to do this from the host’s terminal.

  1. From your main Fedora VM’s terminal, run the ip a command inside the container:

    podman exec my-comparison-container ip a

    Note its IP address. It is also on a separate container network.

  2. Now, run the uname -r command inside the container:

    podman exec my-comparison-container uname -r

4.3 Step 3: Compare the Results

  1. Compare the output of uname -r from your host Fedora VM with the output from the container. They will be identical.
  2. Now, compare the output of uname -r from your host with the output from the traditional VM. They will likely be different.

This proves the core concept: the container is just an isolated process sharing the host’s kernel, while the VM is a fully separate machine running its own, independent kernel.
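
Matching `uname -r` strings alone cannot distinguish a shared kernel from a VM that happens to run the same kernel release as the host. The script below is an added example, not part of the original exercise: it also compares the kernel boot ID and the network-namespace ID. The `classify` function and its output labels are illustrative names, and the values in the fallback branch are constructed.

```shell
#!/bin/sh
# Added example, not part of the original exercise.
CTR=${CTR:-my-comparison-container}   # container name from the Prerequisites

# classify H_REL H_BOOT H_NETNS G_REL G_BOOT G_NETNS
#   *_REL   = uname -r
#   *_BOOT  = cat /proc/sys/kernel/random/boot_id  (random, set once per kernel boot)
#   *_NETNS = readlink /proc/self/ns/net
# H_* come from the host, G_* from the VM or container being compared.
classify() {
    if [ "$2" != "$5" ]; then
        # Two boot IDs mean two running kernels, even if the release strings
        # match. Namespace IDs from different kernels cannot be compared.
        if [ "$1" = "$4" ]; then
            echo "kernel=separate(same-release) netns=n/a"
        else
            echo "kernel=separate netns=n/a"
        fi
    elif [ "$3" = "$6" ]; then
        echo "kernel=shared netns=host"
    else
        echo "kernel=shared netns=own"
    fi
}

h_rel=$(uname -r)
h_boot=$(cat /proc/sys/kernel/random/boot_id 2>/dev/null || echo unknown)
h_netns=$(readlink /proc/self/ns/net 2>/dev/null || echo unknown)

if command -v podman >/dev/null 2>&1 && podman exec "$CTR" true 2>/dev/null; then
    # Live comparison against the running container.
    classify "$h_rel" "$h_boot" "$h_netns" \
        "$(podman exec "$CTR" uname -r)" \
        "$(podman exec "$CTR" cat /proc/sys/kernel/random/boot_id)" \
        "$(podman exec "$CTR" readlink /proc/self/ns/net)"
else
    # Constructed sample values, used when the container is not running.
    classify 6.0.0-example boot-aaaa 'net:[4026531840]' \
             6.0.0-example boot-aaaa 'net:[4026532500]'
fi
```

To classify the traditional VM, run the three probe commands in its console and pass the results to `classify` as the last three arguments.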

4.4 Step 4: Clean Up

Stop the container you started for this exercise.

podman stop my-comparison-container

5 Reflect and Review

Important: Reflection: 3-2-1

Now that you have completed this exercise, reflect on your experience in your Microsoft Teams Student Notebook:

  • 3 uname -r outputs you observed (host, VM, container).
  • 2 commands you used to inspect the environments.
  • 1 question you still have about container networking.

Tip: Check on Learning

Answer these questions in your notebook to solidify your understanding:

  1. What is the purpose of the podman exec command?
  2. What was the key difference you observed between the VM and the container?
  3. If you updated the kernel on your host Fedora VM, would the kernel inside the container change? What about the kernel inside the traditional VM? Why?
  4. Both the VM and the container had their own IP addresses. How does this provide network isolation?