Canonical comparison of Docker, Kubernetes, OpenStack, and OpenNebula across all critical dimensions.
Quick Reference

| Dimension | Docker | Kubernetes | OpenStack | OpenNebula |
|---|---|---|---|---|
| Type | Container Engine | Container Orchestrator | Cloud IaaS Platform | Cloud Management Platform |
| Latest Version | v29.4.0 (Apr 2026) | v1.35.3 (v1.36 ETA Apr 22) | 2026.1 "Gazpacho" (Apr 2026) | v7.2 (Apr 2026) |
| Primary Workload | Containers | Containers (Pods) | VMs + Bare Metal | VMs + Containers + Edge |
| Architecture | Client-Daemon | Desired-state, distributed | Distributed microservices | Centralized daemon (oned) |
| Language | Go | Go | Python | C++, Ruby |
| License | Apache 2.0 (Engine) | Apache 2.0 | Apache 2.0 | Apache 2.0 |
| Governance | Docker Inc / Moby | CNCF | OpenInfra Foundation | OpenNebula Systems |

```mermaid
flowchart TB
    subgraph Layer["Technology Stack Layers"]
        direction TB
        APP["Application Layer\n(Microservices, APIs)"]
        ORCH["Orchestration Layer\n(Scheduling, Scaling, Self-healing)"]
        INFRA["Infrastructure Layer\n(Compute, Network, Storage)"]
        HW["Hardware\n(Bare Metal, Data Center)"]
    end
    Docker["Docker\n(Container Engine)"] -.->|"packages apps"| APP
    K8s["Kubernetes\n(Orchestrator)"] -.->|"manages containers"| ORCH
    OS["OpenStack\n(IaaS)"] -.->|"manages infrastructure"| INFRA
    ON["OpenNebula\n(CMP)"] -.->|"manages infrastructure"| INFRA
    style APP fill:#0db7ed,color:#fff
    style ORCH fill:#326ce5,color:#fff
    style INFRA fill:#ef3e42,color:#fff
```

Key insight: These platforms are not direct competitors — they operate at different stack layers and are frequently used together (e.g., Kubernetes on OpenStack, Docker images on Kubernetes).
Architecture Comparison

| Aspect | Docker | Kubernetes | OpenStack | OpenNebula |
|---|---|---|---|---|
| Architecture style | Single daemon (dockerd) | Distributed control plane + workers | 30+ distributed microservices | Centralized (oned + scheduler) |
| State store | Local filesystem | etcd (distributed KV) | MariaDB/Galera + RabbitMQ | MySQL / SQLite |
| Scheduling | N/A (single host) | kube-scheduler (filter → score → bind) | nova-scheduler (filter → weigh) | sched + OneDRS (AI-powered) |
| Networking | bridge, overlay, macvlan | CNI plugins (Calico, Cilium) | Neutron + OVN/OVS | Linux Bridge, OVS, VXLAN |
| Storage | volumes, bind mounts | PV/PVC + CSI drivers | Cinder + Ceph + Swift | NFS, Ceph RBD, LVM, iSCSI |
| API | REST (Docker API) | REST + gRPC (K8s API) | REST (per-service APIs) | XML-RPC + gRPC (v7.2) |
| HA | N/A (single daemon) | Multi-master control plane | Active/passive + Galera | oned active/standby + RAFT |

Scalability Comparison

| Dimension | Docker | Kubernetes | OpenStack | OpenNebula |
|---|---|---|---|---|
| Max nodes | 1 (single host) | 5,000 (cluster) | 10,000+ | 1,000+ |
| Max workloads | 100s containers | 150,000 pods | 100,000+ VMs | 10,000+ VMs |
| Horizontal scaling | No (needs orchestrator) | Native (HPA, VPA, CA) | Add compute nodes | Add KVM hosts |
| Multi-region | No | Federation (experimental) | Yes (shared Keystone) | Yes (federated zones) |
| Edge | Yes (lightweight) | Yes (K3s, MicroK8s) | Limited | Native edge support |

Operational Complexity

| Dimension | Docker | Kubernetes | OpenStack | OpenNebula |
|---|---|---|---|---|
| Install time | Minutes | Hours (kubeadm) → Minutes (managed) | Days → Weeks | Hours |
| Team size needed | 0 (developer self-service) | 2–5 SREs | 5–15+ dedicated team | 1–3 admins |
| Day-2 operations | Minimal | Moderate (upgrades, etcd, CNI) | Heavy (many services) | Light (single daemon) |
| Upgrade complexity | apt upgrade | Rolling node upgrades | SLURP or sequential releases | yum update + DB migrate |
| Troubleshooting | Simple (logs, inspect) | Moderate (events, describe, logs) | Complex (30+ log sources) | Simple (oned.log) |
| Learning curve | Low | High | Very High | Low–Moderate |

Security Comparison

| Dimension | Docker | Kubernetes | OpenStack | OpenNebula |
|---|---|---|---|---|
| Isolation model | Namespaces + cgroups | Pod security standards | VM hypervisor isolation | VM hypervisor isolation |
| Multi-tenancy | No (single user) | Namespaces + RBAC | Full (projects + domains) | Full (groups + ACLs + quotas) |
| Network policies | iptables/nftables | NetworkPolicy + CNI | Security Groups + OVN | Security Groups + iptables |
| Secrets management | Docker secrets (Swarm) | K8s Secrets (base64) | Barbican | Encrypted VM context |
| Image security | Docker Scout, Trivy | AdmissionControllers, OPA | N/A (VM images) | N/A (VM images) |
| RBAC | Limited | Fine-grained | Per-service policies | Groups + ACLs |
| Rootless | Yes (rootless mode) | No (kubelet requires root) | N/A (VMs) | N/A (VMs) |

Use Case Decision Matrix

| Use Case | Recommended Platform |
|---|---|
| Local development | Docker |
| CI/CD image building | Docker |
| Microservices at scale | Kubernetes |
| Cloud-native applications | Kubernetes |
| Large private cloud (1,000+ nodes) | OpenStack |
| Telecom / NFV | OpenStack |
| VMware replacement (enterprise) | OpenStack or OpenNebula |
| VMware replacement (SMB) | OpenNebula |
| Edge computing | OpenNebula or K3s |
| AI / GPU factory | OpenNebula (NVIDIA native) or K8s (DRA) |
| Hybrid cloud (bursting) | OpenNebula (native) or K8s (multi-cluster) |
| Research / University lab | OpenNebula |
| Bare metal provisioning | OpenStack (Ironic) |
| Managed K8s on IaaS | OpenStack (Magnum) + Kubernetes |

How They Work Together
```mermaid
flowchart TB
    subgraph DataCenter["Enterprise Data Center"]
        subgraph IaaS["IaaS Layer"]
            OS_DC["OpenStack\n(or OpenNebula)"]
        end
        subgraph K8sLayer["Orchestration Layer"]
            K8s_DC["Kubernetes Cluster\n(on OpenStack VMs)"]
        end
        subgraph AppLayer["Application Layer"]
            Docker_DC["Docker Containers\n(OCI images on K8s)"]
        end
    end
    OS_DC -->|"provisions VMs"| K8sLayer
    K8sLayer -->|"schedules containers"| AppLayer
    style IaaS fill:#ef3e42,color:#fff
    style K8sLayer fill:#326ce5,color:#fff
    style AppLayer fill:#0db7ed,color:#fff
```


| Metric | Docker | Kubernetes | OpenStack | OpenNebula |
|---|---|---|---|---|
| GitHub stars | ~70k (Moby) | ~115k | N/A (OpenDev) | ~1.5k |
| Contributors | 2,000+ | 9,000+ | 10,000+ (all time) | 200+ |
| Release cadence | Monthly | ~4 months | ~6 months | ~6 months |
| Ecosystem | Docker Hub, Compose | CNCF Landscape (1,500+ tools) | 30+ core projects | Marketplace, OneFlow |
| Commercial support | Docker Inc | Red Hat, VMware, SUSE, etc. | Canonical, Red Hat, SUSE | OpenNebula Systems |
| Managed offerings | Docker Hub | EKS, GKE, AKS | Rackspace, Vexxhost | Managed by ON Systems |

Cost Comparison (100 VM / container equivalent)

| Cost Item | Docker | Kubernetes (self-hosted) | OpenStack | OpenNebula |
|---|---|---|---|---|
| Software license | Free (Engine) | Free | Free | Free (CE) |
| Infrastructure | 1 server | 3 masters + N workers | 3 controllers + N compute | 1 frontend + N hosts |
| Operational staff | 0 FTE | 1–2 FTE | 3–5 FTE | 0.5–1 FTE |
| Enterprise support | Desktop: $9–24/user/mo | OpenShift: $$$+ | RHEL: $$$+ | From €6k/yr |
| Total est. (annual) | < $5k | $50–200k | $200–500k+ | $10–50k |

Migration & Lock-in

| Dimension | Docker | Kubernetes | OpenStack | OpenNebula |
|---|---|---|---|---|
| Vendor lock-in risk | Low (OCI standard) | Low (CNCF standard) | Low (Apache 2.0) | Low (Apache 2.0) |
| Image portability | OCI-standard (universal) | OCI-standard | QCOW2, RAW, VMDK | QCOW2, RAW, VMDK |
| Migration tools | docker save/load | Velero, ETCD backup | N/A | VMware migration tools |
| Exit cost | Minimal | Moderate (K8s-specific YAMLs) | High (deep integration) | Low–Moderate |
