Resources are isolated in several ways:
- chroot environments provide an isolated view of a file system.
- Processes inside a container cannot see applications or processes running in the host environment or in another container. Process IDs are independent of any other process IDs used in the host or other containers.
- Network resources like devices and routing tables are scoped to a container. Typically, virtual Ethernet devices are used to communicate between these namespaces.
- User IDs are unique to a container and are independent of the user IDs of other containers or of the host.
- Mount points have their own container-level scope.
- IPC resources (shared memory, semaphores, message queues) are isolated inside a container.
- Host names and NIS domain names are also limited to a container scope.
So think of a container as a private system view for an application. It runs in its own chroot environment and cannot see other processes or users. Containers usually have very low start-up times: no OS has to be loaded, just the resource scoping has to be established. No full system virtualization or para-virtualization is involved in running containers, so they do not add another system virtualization layer (an SIE level, in mainframe terms). Popular implementations of container technology are LXC and Docker.
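The scopes listed above correspond one-to-one to the Linux namespace types the kernel records under /proc/&lt;pid&gt;/ns/ (chroot has no entry there). The following script, an added example that is not part of the original text, reads those links for a process and reports in which types it is scoped away from PID 1; a process is in a separate namespace of a given type exactly when its inode number differs from the reference process's. The link targets in the test are constructed values.

```python
import os

# Namespace types as named under /proc/<pid>/ns/, mapped to what each one scopes
NAMESPACES = {
    "mnt": "mount points",
    "pid": "process IDs",
    "net": "network devices and routing tables",
    "ipc": "shared memory, semaphores, message queues",
    "uts": "host name and NIS domain name",
    "user": "user and group IDs",
}

def read_ns_links(pid):
    """Return {ns_type: link target} for a process, e.g. {'net': 'net:[4026531992]'}.
    Unreadable entries (not Linux, no permission, process gone) map to None."""
    links = {}
    for ns in NAMESPACES:
        try:
            links[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            links[ns] = None
    return links

def ns_inode(link):
    """Extract the namespace inode from a link target such as 'pid:[4026531836]'."""
    if not link or "[" not in link or not link.endswith("]"):
        return None
    return int(link[link.index("[") + 1:-1])

def scoped_namespaces(own, reference):
    """Return (scoped, unknown): the types in which `own` lives in a different
    namespace than `reference`, and the types that could not be compared.
    Two processes share a namespace exactly when the inode numbers match."""
    scoped, unknown = set(), set()
    for ns in NAMESPACES:
        a, b = ns_inode(own.get(ns)), ns_inode(reference.get(ns))
        if a is None or b is None:
            unknown.add(ns)
        elif a != b:
            scoped.add(ns)
    return scoped, unknown

if __name__ == "__main__":
    # Compare this process with PID 1; reading PID 1's links usually needs root.
    scoped, unknown = scoped_namespaces(read_ns_links("self"), read_ns_links(1))
    for ns in NAMESPACES:
        state = "scoped" if ns in scoped else "unknown" if ns in unknown else "shared"
        print(f"{ns:5} {state:8} {NAMESPACES[ns]}")
```

Run inside a container, every type except possibly `user` should report as scoped; on the host, a process launched directly shows all six as shared with PID 1.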