OS-level Virtualization

OS-level virtualization allows multiple isolated user space instances, such as containers and virtual environments, to coexist on a single operating system kernel. Programs running in these containers can only access a subset of the system's resources, creating an environment that appears as a separate computer. This technology utilizes mechanisms like Linux namespaces and cgroups for isolation and resource management.

Uploaded by

Dennis Dube
OS-level virtualization

OS-level virtualization is an operating system (OS) virtualization paradigm in which
the kernel allows the existence of multiple isolated user space instances,
including containers (LXC, Solaris Containers, AIX WPARs, HP-UX SRP
Containers, Docker, Podman), zones (Solaris Containers), virtual private
servers (OpenVZ), partitions, virtual environments (VEs), virtual kernels (DragonFly
BSD), and jails (FreeBSD jail and chroot).[1] Such instances may look like real computers
from the point of view of programs running in them. A computer program running on an
ordinary operating system can see all resources (connected devices, files and
folders, network shares, CPU power, quantifiable hardware capabilities) of that computer.
Programs running inside a container can only see the container's contents and devices
assigned to the container.

On Unix-like operating systems, this feature can be seen as an advanced implementation
of the standard chroot mechanism, which changes the apparent root folder for the current
running process and its children. In addition to isolation mechanisms, the kernel often
provides resource-management features to limit the impact of one container's activities on
other containers. Linux containers are all based on the virtualization, isolation, and
resource management mechanisms provided by the Linux kernel, notably Linux
namespaces and cgroups.

Although the word container most commonly refers to OS-level virtualization, it is
sometimes used to refer to fuller virtual machines operating in varying degrees of concert
with the host OS,[citation needed] such as Microsoft's Hyper-V containers.[citation needed] For an
overview of virtualization since 1960, see Timeline of virtualization technologies.

Operations

On ordinary operating systems for personal computers, a computer program can see
(even though it might not be able to access) all the system's resources. They include:

- Hardware capabilities that can be employed, such as the CPU and the network connection
- Data that can be read or written, such as files, folders and network shares
- Connected peripherals it can interact with, such as webcam, printer, scanner, or fax

The operating system may be able to allow or deny access to such resources based on
which program requests them and the user account in the context in which it runs. The
operating system may also hide those resources, so that when the computer program
enumerates them, they do not appear in the enumeration results. Nevertheless, from a
programming point of view, the computer program has interacted with those resources and
the operating system has managed an act of interaction.

With operating-system-virtualization, or containerization, it is possible to run programs
within containers, to which only parts of these resources are allocated. A program
expecting to see the whole computer, once run inside a container, can only see the
allocated resources and believes them to be all that is available. Several containers can be
created on each operating system, to each of which a subset of the computer's resources
is allocated. Each container may contain any number of computer programs. These
programs may run concurrently or separately, and may even interact with one another.

Containerization has similarities to application virtualization: In the latter, only one
computer program is placed in an isolated container and the isolation applies to file system
only.
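
On Linux, the namespaces and cgroups mentioned above are visible per process under /proc, so it is possible to check how much of the host a given process can actually see. The following is an added example, not part of the original document: it compares the namespace links of a process against those of the host's init process and parses cgroup membership. The sample inode numbers and the cgroup path are constructed for illustration.

```python
import os
import re

NS_LINK = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")

def parse_ns_links(links):
    """Map namespace type -> inode from readlink output like 'pid:[4026531836]'."""
    parsed = {}
    for link in links:
        m = NS_LINK.match(link.strip())
        if not m:
            raise ValueError(f"not a namespace link: {link!r}")
        parsed[m["type"]] = int(m["inode"])
    return parsed

def read_ns_links(pid):
    """Read /proc/<pid>/ns/* on a live Linux host (other users' PIDs need privilege)."""
    base = f"/proc/{pid}/ns"
    return [os.readlink(os.path.join(base, n)) for n in sorted(os.listdir(base))]

def shared_namespaces(host_links, target_links):
    """Namespace types the target shares with the host reference (not isolated)."""
    host, target = parse_ns_links(host_links), parse_ns_links(target_links)
    return sorted(t for t, inode in target.items() if host.get(t) == inode)

def parse_cgroup(text):
    """Parse /proc/<pid>/cgroup lines 'id:controllers:path' into (controllers, path)."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            _, controllers, path = line.split(":", 2)
            entries.append((controllers.split(",") if controllers else [], path))
    return entries

# Constructed sample data: inode numbers and the cgroup path are invented.
HOST_INIT = ["cgroup:[4026531835]", "ipc:[4026531839]", "mnt:[4026531841]",
             "net:[4026531840]", "pid:[4026531836]", "user:[4026531837]",
             "uts:[4026531838]"]
CONTAINER = ["cgroup:[4026532601]", "ipc:[4026532599]", "mnt:[4026532597]",
             "net:[4026531840]", "pid:[4026532600]", "user:[4026531837]",
             "uts:[4026532598]"]
CONTAINER_CGROUP = "0::/system.slice/example-container.scope\n"

if __name__ == "__main__":
    # The sample container shares the net and user namespaces with the host.
    print("shared with host:", shared_namespaces(HOST_INIT, CONTAINER))
    print("cgroup membership:", parse_cgroup(CONTAINER_CGROUP))
    # On a live system: shared_namespaces(read_ns_links(1), read_ns_links(os.getpid()))
```

A namespace type that appears in the result is one where the process sees the same resources as the host, so an unexpectedly shared net, pid or user namespace is worth reviewing.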