I'm always surprised to see a comparison to Virtual Machines. The containers seem more like an enhanced chroot jail than a CPU emulator, and I've always used those for the similar purpose of isolating a tricky build environment.
They even have some of the same restrictions (Docker needs root, as does chroot; they both work by making system calls lie to the process).
Whenever I hear a comparison with VMs, I wonder for a second, "Wait, is there some clever way to invoke the virtualization instructions without evicting references to the OS from the CPU's context to provide isolation without a separate guest OS?"