Frequently Asked Question
What exactly is a Linux container?
A container is just a Linux process (or a small group of processes) that the kernel has arranged to think it is alone on the machine. It sees its own filesystem, its own process tree, its own network interfaces, its own hostname, its own users. But it is not a simulated computer, there is no second kernel underneath. Everything the container does is still a system call into the same host kernel that runs the rest of the box. The "container" is really a particular configuration of namespaces, cgroups, and a root filesystem given to an ordinary process.
This is why a container can boot in milliseconds, occupy only the memory its program actually allocates, and pack hundreds to a host where a virtual machine would pack dozens. It is also why container isolation is fundamentally weaker than VM isolation: a kernel bug that lets one process escape its namespaces is a host compromise, whereas a guest in a VM still has the hypervisor's hardware boundary in front of it. For most workloads the trade-off, speed and density for a slightly thinner security boundary, is the right one, which is why containers won.
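An added example, not part of the original FAQ, that makes the "just a process" point visible from the host side: it reads the namespace symlinks under /proc/<pid>/ns/ and the process's cgroup and reports which namespaces a PID does not share with PID 1. Assumes a Linux host; function names and the sample inode values in the comments are mine.

```python
import os

# Namespace kinds the kernel exposes as symlinks under /proc/<pid>/ns/.
NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def read_ns_ids(pid):
    """Return {kind: 'kind:[inode]'} for a PID by reading its ns symlinks."""
    ids = {}
    for kind in NS_KINDS:
        try:
            ids[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:  # kernel lacks that namespace type, or no permission
            pass
    return ids


def separate_namespaces(proc_ns, host_ns):
    """Kinds in which proc_ns differs from host_ns. Two processes are in the
    same namespace exactly when these inode numbers are equal; nothing else
    distinguishes a "container" process from any other process."""
    return sorted(k for k in proc_ns if k in host_ns and proc_ns[k] != host_ns[k])


def cgroup_path(cgroup_text):
    """Cgroup path from /proc/<pid>/cgroup text (first line; cgroup v2 has
    one line '0::/path', v1 one line per controller). '/' is the root cgroup."""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3:
            return parts[2]
    return "/"


def classify(proc_ns, host_ns, cgroup_text):
    """Namespaces decide isolation; the cgroup is reported only as resource
    accounting context (ordinary systemd services also live in non-root cgroups)."""
    diff = separate_namespaces(proc_ns, host_ns)
    kind = "namespaced (container-like)" if diff else "shares all namespaces with PID 1"
    return kind, diff, cgroup_path(cgroup_text)


def inspect(pid="self"):
    """Compare a live PID against PID 1 on this host (Linux only)."""
    with open(f"/proc/{pid}/cgroup") as f:
        return classify(read_ns_ids(pid), read_ns_ids(1), f.read())


if __name__ == "__main__":
    kind, diff, path = inspect()
    print(f"{kind}; separate namespaces: {diff or 'none'}; cgroup: {path}")
```

Run it from inside a container and from the host shell to see the same kernel report different namespace memberships for two ordinary processes.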