
Containers Are Processes with Extra Restrictions
A container is not a virtual machine and not a separate operating system. It is a process — or a group of processes — running on the host kernel, wrapped in a set of Linux kernel features that restrict what it can see and what resources it can consume. Docker, Podman, and containerd are tools that automate the configuration of those kernel features. Once you understand which kernel primitives do the actual work, the container abstraction becomes transparent and its limits become obvious.
Build a Minimal Container by Hand
You can create a container without Docker at all using a single command, run as root (as an ordinary user, add --user --map-root-user, which maps your own UID to root inside a new user namespace): unshare --pid --mount --uts --ipc --net --fork --mount-proc /bin/bash. This forks a new process inside new PID, mount, UTS, IPC, and network namespaces, mounts a fresh /proc, and dro
The Eight Linux Namespaces
Linux provides eight namespace types, each isolating a different aspect of the system. PID namespaces give a process tree its own numbering starting from 1. Mount namespaces give a process its own view of the filesystem hierarchy. UTS namespaces isolate the hostname and domain name. IPC namespaces isolate System V IPC and POSIX message queues. Network namespaces give a container its own network interfaces, routing table, and firewall rules. User namespaces map container UIDs to host UIDs, allowing a container root to be unprivileged on the host. They are the namespace with the largest security payoff and the one most often missing: Docker does not use them unless userns-remap or rootless mode is configured, so by default UID 0 in a container is UID 0 on the host, held back only by dropped capabilities, the seccomp filter, and the LSM profile. Cgroup namespaces (which make the container's own cgroup appear to be the root of the hierarchy) and time namespaces (which give the container its own offsets for CLOCK_MONOTONIC and CLOCK_BOOTTIME) round out the set.
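The following script is an added example, not code from the original article: it reads a process's namespace membership straight from /proc (which is all "being in a container" means to the kernel), compares it with PID 1, and then runs the article's unshare command to show that the child really is PID 1 and root inside its new namespaces. It assumes a Linux host with /proc mounted; the function names are our own.

```shell
#!/bin/sh
# Added example (not from the original article). Every namespace has an
# inode number, visible through /proc/<pid>/ns/<type>; two processes are in
# the same namespace of a type exactly when those numbers match.

NS_TYPES="cgroup ipc mnt net pid time user uts"

# ns_id PID TYPE -> the namespace identifier, e.g. "pid:[4026531836]".
# Old kernels lack the time namespace ("absent"); reading another user's
# process needs ptrace-read permission ("unreadable").
ns_id() {
    if [ ! -L "/proc/$1/ns/$2" ]; then
        echo absent
    else
        readlink "/proc/$1/ns/$2" 2>/dev/null || echo unreadable
    fi
}

# same_ns PID1 PID2 TYPE -> yes / no / unknown
same_ns() {
    a=$(ns_id "$1" "$3"); b=$(ns_id "$2" "$3")
    case "$a:$b" in
        absent:*|*:absent|unreadable:*|*:unreadable) echo unknown ;;
        *) if [ "$a" = "$b" ]; then echo yes; else echo no; fi ;;
    esac
}

# ns_report PID -> one line per namespace type, compared against init.
# Whatever is marked DIFFERENT is what a container runtime set up.
ns_report() {
    for t in $NS_TYPES; do
        case $(same_ns "$1" 1 "$t") in
            yes) mark="same as init" ;;
            no)  mark="DIFFERENT from init" ;;
            *)   mark="cannot compare" ;;
        esac
        printf '%-7s %-22s %s\n' "$t" "$(ns_id "$1" "$t")" "$mark"
    done
}

ns_report $$

# The article's command, with a user namespace added so it also works
# unprivileged. The child is the first process in the new PID namespace,
# so it sees itself as PID 1, and the mapped UID makes it root in there.
echo "our pid namespace: $(ns_id $$ pid)"
if ! unshare --user --map-root-user --pid --mount --uts --ipc --net --fork --mount-proc \
        sh -c 'echo "child: $(readlink /proc/self/ns/pid) pid=$$ uid=$(id -u)"' 2>/dev/null
then
    echo "unshare refused here: needs root, or unprivileged user namespaces enabled"
fi
```

The report is the first thing to run inside a suspicious container: a process whose mnt, pid and net namespaces differ from init but whose user namespace matches it is a container whose root is the host's root.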
Understand cgroups v2 Resource Limits
Control groups impose resource limits on processes. The cgroup v2 hierarchy lives at /sys/fs/cgroup/ on modern systems. Each container gets its own subtree. The memory.max file sets the maximum RAM the container may use — write 512M to it and the containe
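As an added example that is not part of the original article, the script below does by hand what a runtime does when it applies a memory limit: it creates a child cgroup under /sys/fs/cgroup, writes the cap into memory.max, moves a process into it, and reads memory.events afterwards to see whether the OOM killer fired. It assumes a host where /sys/fs/cgroup is the v2 unified hierarchy and root for the part that writes to it; the function and cgroup names are our own.

```shell
#!/bin/sh
# Added example (not from the original article): a memory cap via cgroup v2,
# with no container runtime involved.

CG_ROOT=/sys/fs/cgroup

# to_bytes SIZE -> bytes. Accepts the K/M/G suffixes the cgroup files take
# on write, and "max" (no limit), which is also what an unlimited file reports.
to_bytes() {
    case $1 in
        max) echo max ;;
        *K)  echo $(( ${1%K} * 1024 )) ;;
        *M)  echo $(( ${1%M} * 1024 * 1024 )) ;;
        *G)  echo $(( ${1%G} * 1024 * 1024 * 1024 )) ;;
        *)   echo "$1" ;;
    esac
}

# cgroup_of PID|FILE -> the v2 cgroup of a process, from the "0::<path>"
# line of /proc/<pid>/cgroup. Given a file path instead of a PID it parses
# that file (a saved copy, for instance).
cgroup_of() {
    case $1 in
        *[!0-9]*) f=$1 ;;
        *)        f=/proc/$1/cgroup ;;
    esac
    sed -n 's/^0::\(.*\)$/\1/p' "$f"
}

# run_limited NAME SIZE CMD... -> create $CG_ROOT/NAME, cap its memory at
# SIZE, disable swap so the cap actually bites, run CMD inside it and report.
# Needs root, and "memory" listed in the parent's cgroup.subtree_control.
# Returns 0 when the cgroup could be set up, whatever CMD's own exit status.
run_limited() {
    name=$1; size=$2; shift 2
    cg=$CG_ROOT/$name
    mkdir -p "$cg" || return 1
    echo "$size" > "$cg/memory.max"    || { rmdir "$cg"; return 1; }
    echo 0       > "$cg/memory.swap.max" || { rmdir "$cg"; return 1; }
    # A fresh shell writes its own PID into cgroup.procs and then execs CMD.
    # Children inherit cgroup membership, so everything CMD spawns is capped too.
    sh -c 'echo $$ > "$0/cgroup.procs" && exec "$@"' "$cg" "$@"
    rc=$?
    echo "exit status : $rc   (137 = SIGKILL, which is what the OOM killer sends)"
    echo "memory.max  : $(to_bytes "$(cat "$cg/memory.max")") bytes"
    echo "memory.peak : $(cat "$cg/memory.peak" 2>/dev/null || echo 'n/a (needs kernel 5.19+)')"
    echo "oom_kill    : $(awk '/^oom_kill /{print $2}' "$cg/memory.events")"
    rmdir "$cg"    # a cgroup is removed with rmdir once no process is left in it
    return 0
}

# Demo: a 64M cap against an awk program that builds a 128M string.
if [ "$(id -u)" -eq 0 ] && [ -f "$CG_ROOT/cgroup.controllers" ]; then
    run_limited demo-cap 64M \
        awk 'BEGIN { s = "x"; for (i = 0; i < 27; i++) s = s s; print length(s) }' \
        || echo "demo skipped: could not create a child cgroup (read-only cgroupfs, or memory controller not delegated)"
else
    echo "demo skipped: needs root on a cgroup v2 host"
fi
echo "this shell runs in cgroup: $(cgroup_of $$)"
```

Two details matter in practice. Swap is disabled explicitly because a memory.max cap alone lets the process spill to swap before the kernel kills it, which is rarely what a limit is meant to allow. And the oom_kill counter in memory.events, not the process exit status, is the authoritative record that the cap was hit; detection logic that watches for container OOM kills should read that file (or the matching kernel log line) rather than infer it from exit codes.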
See the Overlay Filesystem in Action
Container images are stored as stacked layers using the overlay filesystem. Each image layer is a read-only directory. When a container runs, the kernel mounts these lower directories as read-only and adds a writable upperdir that captures any changes the
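The script below is an added example, not code from the original article: it assembles an overlay mount from plain directories, then modifies and deletes files through the merged view to show that the lower layers stay untouched and every change (including a deletion, recorded as a whiteout) lands in upperdir. It assumes Linux with the overlay filesystem and root for the mount itself (or a kernel from 5.11 on, which allows the mount inside an unprivileged user namespace); the directory and function names are our own.

```shell
#!/bin/sh
# Added example (not from the original article): an image's layer stack as
# a hand-made overlay mount.

# overlay_opts UPPER WORK LAYER... -> the option string for mount -t overlay.
# Layers are given bottom-up (base image first, the order a Dockerfile
# builds them), but the kernel wants lowerdir listed top-down: the leftmost
# entry wins when the same path exists in several layers, so the list is
# reversed here. workdir must be an empty directory on the same filesystem
# as upperdir; the kernel uses it for atomic renames.
overlay_opts() {
    upper=$1; work=$2; shift 2
    lower=""
    for layer in "$@"; do
        if [ -z "$lower" ]; then lower=$layer; else lower=$layer:$lower; fi
    done
    echo "lowerdir=$lower,upperdir=$upper,workdir=$work"
}

demo_overlay() {
    root=$(mktemp -d)
    mkdir -p "$root/base" "$root/app" "$root/upper" "$root/work" "$root/merged"
    echo "from base" > "$root/base/motd"
    echo "from base" > "$root/base/keep"
    echo "from app"  > "$root/app/motd"        # the app layer overrides base

    opts=$(overlay_opts "$root/upper" "$root/work" "$root/base" "$root/app")
    echo "mount -t overlay overlay -o $opts $root/merged"
    if mount -t overlay overlay -o "$opts" "$root/merged" 2>/dev/null; then
        echo "merged/motd before write: $(cat "$root/merged/motd")"   # "from app": top layer wins
        echo "changed in container" > "$root/merged/motd"   # copy-up: a modified copy appears in upperdir
        rm "$root/merged/keep"                               # deletion: a whiteout appears in upperdir
        echo "--- upperdir (the container's writable layer):"
        ls -l "$root/upper"      # motd is a regular file; keep is a char device 0,0, the whiteout marker
        echo "--- base layer, unchanged:"
        ls -l "$root/base"
        umount "$root/merged" || echo "umount failed; $root left in place"
    else
        echo "mount not permitted here; the option string above is what a runtime would pass"
    fi
    rm -rf "$root"
}

demo_overlay
```

The whiteout is why "I deleted the secret from the running container" means nothing for the image: the bytes are still in the lower layer, and anyone with the image tarball reads them. It also means a read-only root filesystem (no upperdir at all) is a cheap hardening step, since there is then nowhere for an attacker's writes to land.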
"A container that looks like a VM is a container that will surprise you when a kernel exploit appears. The isolation is real but it is not hardware-level. A privilege escalation in the kernel breaks out of every container on the host simultaneously, becaus
KaiRenner, 24th of March 2026
Go Deeper: Virtual Machines
Containers share the kernel because they are just processes with namespaces — virtual machines take the opposite approach, achieving hardware-level isolation. A hypervisor creates a separate environment where a guest OS runs its own kernel, completely isolated from the host kernel. Understanding how a hypervisor achieves that isolation reveals something important about how CPUs are designed.


