Containers a similar to a lightweight virtual maching (VM), but instead of virtualizing hardware and running a new kernel and userspace on top, it uses a series of OS namespacing constructs to confine processes to a subset of a filesystem and process group. While this incurs significantly less overhead than running a full VM, the isolation is potentially less strict and methods of breaking out of the namespace confinement may be possible. Further, because processes run on “bare metal”, hardware exploits are a larger concern though even these can be mitigated by limiting direct hardware access and virtualizing subsets of device files.
Some notable implementations include, runc, and crun. Containers also form the basis for , a “distributed operating system” and container orchestrator thas has taken over the infrastructure space.