"Containers effectively partition the resources managed by a
single operating system into isolated groups to better balance the
conflicting demands on resource usage between the isolated groups.
In contrast to virtualization, neither instruction-level emulation
nor just-in-time compilation is required. Containers can run
instructions native to the core CPU without any special
interpretation mechanisms. None of the complexities of
paravirtualization or system call thunking are required either.

"By providing a way to create and enter containers, an operating
system gives applications the illusion of running on a separate
machine while at the same time sharing many of the underlying
resources. For example, the page cache of common files—glibc
for example—may effectively be shared because all containers
use the same kernel and, depending on the container configuration,
frequent the same libc library. This sharing can often extend to
other files in directories that do not need to be written to.

"The savings realized by sharing these resources, while also
providing isolation, mean that containers have significantly lower
overhead than true virtualization. Container technology has existed
for a long time. Solaris Zones and BSD jails are examples of
containers on non-Linux operating systems. Container technologies
for Linux have a similarly extensive heritage: Linux-Vserver,
OpenVZ, and FreeVPS. While each of these technologies has matured,
these solutions have not made significant strides towards
integrating their container support into the mainstream Linux
kernel. (See Resources for more on these technologies.)"
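The "separate machine on a shared kernel" illusion described in the second quoted paragraph, shown as an added example that is not from the quoted article: on Linux the partitioning is done with kernel namespaces, so this C program clones a child into new user, UTS and PID namespaces and checks that the child sees itself as PID 1 with its own hostname while reporting the same kernel release as its parent. The hostname "container-demo" and the function names are constructed for the demo; it assumes a Linux kernel where unprivileged user namespaces are permitted, and reports 0 rather than failing where the environment refuses them.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/utsname.h>
#include <sys/wait.h>

/* Hostname the child gives its private UTS namespace (constructed value). */
static const char *CHILD_HOSTNAME = "container-demo";

/* Runs as the first process of the new namespaces; arg is the parent's
 * uname() result (a private copy, as clone() is used without CLONE_VM).
 * Exit codes: 0 = separate view on the same kernel, 2 = sethostname
 * refused, 3 = not pid 1, hostname not applied, or kernel release differs. */
static int child_fn(void *arg) {
    const struct utsname *parent = arg;
    struct utsname mine;
    if (sethostname(CHILD_HOSTNAME, strlen(CHILD_HOSTNAME)) != 0)
        return 2;
    uname(&mine);
    int looks_separate = getpid() == 1 && strcmp(mine.nodename, CHILD_HOSTNAME) == 0;
    int same_kernel = strcmp(mine.release, parent->release) == 0;
    return (looks_separate && same_kernel) ? 0 : 3;
}
/* Returns 1 if the child saw a separate "machine" on the shared kernel,
 * 0 if this environment refuses to create namespaces (seccomp, sysctl,
 * no unprivileged user namespaces), -1 if a promised property failed. */
int run_container_demo(void) {
    struct utsname before, after;
    uname(&before);
    size_t stack_size = 1 << 20;
    char *stack = malloc(stack_size);   /* child stack; grows down on x86/arm */
    if (!stack) return -1;
    int flags = CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWPID | SIGCHLD;
    pid_t pid = clone(child_fn, stack + stack_size, flags, &before);
    if (pid == -1) {
        int e = errno;
        free(stack);
        return (e == EPERM || e == EINVAL || e == ENOSPC || e == EUSERS) ? 0 : -1;
    }
    int status = 0;
    int waited = waitpid(pid, &status, 0);
    free(stack);
    uname(&after);   /* the child's sethostname must not have leaked out here */
    if (waited == -1 || strcmp(before.nodename, after.nodename) != 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) { case 0: return 1; case 2: return 0; default: return -1; }
}
```

A result of 1 is the article's point in miniature: the child behaves as if it owned the machine, yet no instruction emulation or second kernel was involved.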