Painless Docker - 2nd Edition

History Is Layered, Not Isolated

Technologies such as jails, zones, virtual machines, and containers all aim to provide isolation and controlled access to system resources, but they operate at different layers of the system and solve different problems.

FreeBSD Jails extend the basic idea of chroot by providing stronger isolation for processes, users, and networking within the FreeBSD operating system. Solaris Zones take a similar approach on Solaris, offering isolated operating system environments that share a single kernel while maintaining strong separation between workloads. Virtual machines, in contrast, emulate an entire hardware system, allowing each guest to run its own kernel and operating system. Containers focus on application-level isolation by packaging application code and its dependencies into isolated units that run on a shared host kernel.

Among these approaches, containers and virtual machines have seen the widest adoption. Virtual machines provide hardware-level virtualization and strong isolation by running a full operating system per instance. Containers trade some of that isolation for efficiency, focusing on isolating applications rather than machines, which results in faster startup times and higher density.

The kernel is the core of an operating system and is responsible for managing CPU, memory, storage, and devices. An operating system consists of the kernel and the user-space programs that run on top of it. Containers share the host kernel, while virtual machines include their own kernel running on virtualized hardware.

The following table summarizes the key differences between these isolation technologies: